Massive DNS poisoning attacks under way in Brazil

09 November 2011

Kaspersky Lab has made the interesting discovery that there is a massive DNS poisoning attack under way in Brazil, with several ISPs in the country falling victim to the attacks.

DNS cache poisoning, to give the attack methodology its correct term, is a compromise of the security or data integrity of the Domain Name System (DNS). It occurs when data that did not originate from an authoritative source is introduced into a DNS name server's cache database.

Because a domain name server translates a domain name (e.g. www.infosecurity-magazine.com) into the IP address that internet hosts use to reach it, a poisoned DNS server will return an incorrect IP address, diverting traffic to another computer.
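As an added illustration of that definition (not code from the article or from Kaspersky Lab), the toy resolver cache below applies the standard bailiwick rule: a record is cached only if its name lies under the zone the answering server is authoritative for, so unsolicited records for other domains are dropped. All zone names and addresses are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RR:
    name: str    # owner name, e.g. "www.example.com."
    rtype: str   # record type, e.g. "A" or "NS"
    rdata: str   # address or hostname
    ttl: int


def _labels(name: str) -> list:
    """Split a DNS name into lower-cased labels, ignoring the trailing dot."""
    return name.lower().rstrip(".").split(".")


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or lies beneath it. Comparing label-wise (not as a
    string suffix) means "notevil.example." is NOT under "evil.example."."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[-len(z):] == z


@dataclass
class BailiwickCache:
    entries: dict = field(default_factory=dict)   # (name, type) -> RR
    rejected: list = field(default_factory=list)  # records refused as out of bailiwick

    def ingest(self, zone: str, records: list) -> None:
        """Cache records from a response sent by a server authoritative for `zone`."""
        for rr in records:
            if in_bailiwick(rr.name, zone):
                self.entries[(".".join(_labels(rr.name)), rr.rtype)] = rr
            else:
                self.rejected.append(rr)

    def lookup(self, name: str, rtype: str):
        rr = self.entries.get((".".join(_labels(name)), rtype))
        return rr.rdata if rr else None


def demo():
    """Constructed response from a server authoritative only for "evil.example.":
    it answers its own name and piggybacks an unsolicited A record for another
    domain (198.51.100.0/24 is a reserved documentation range)."""
    response = [
        RR("www.evil.example.", "A", "198.51.100.7", 3600),
        RR("www.victim-bank.example.", "A", "198.51.100.7", 86400),  # out of bailiwick
    ]
    cache = BailiwickCache()
    cache.ingest("evil.example.", response)
    return (cache.lookup("www.evil.example.", "A"),
            cache.lookup("www.victim-bank.example.", "A"),
            len(cache.rejected))
```

The rule blocks injection of unsolicited records by a remote responder; it does not help when the cache itself is altered by someone with access to the resolver, as in the ISP insider case described later in the article.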

According to Fabio Assolini, a Kaspersky Lab threat expert, these Brazilian attacks have seen users being redirected to install malware before connecting to a number of popular sites. Some incidents, he said, have also featured attacks on network devices, where routers or modems are compromised remotely.

So why Brazil? Assolini said that the country has some major ISPs with around 73 million computers connected to the Internet – and the major ISPs averaging 3 or 4 million customers each. If a cybercriminal can change the DNS cache in just one server, the number of potential victims is huge, he noted.

“Last week Brazil’s web forums were alive with desperate cries for help from users who faced malicious redirections when trying to access websites such as YouTube, Gmail and Hotmail, as well as local market leaders including Uol, Terra and Globo. In all cases, users were asked to run a malicious file as soon as the website opened”, he wrote in his latest security posting.

After monitoring one user's computer, Assolini said that the user was told: 'To access the new Google.com you need to install Google Defence'.

The site asks the customer to download and install the so-called 'Google Defence' software, supposedly required to use the search engine. As you might expect, Kaspersky's threat researcher says the file is really a banking trojan that exploits CVE-2010-4452 to run arbitrary code on an old installation of the JRE.

Assolini noted that last week saw Brazil’s Federal Police arrest a 27-year-old employee of a medium-sized ISP in the south of the country. He was, Assolini noted, accused of participating in this malicious scheme.

“Over a 10-month period he had changed the DNS cache of the ISP, redirecting all users to phishing websites. We strongly suspect similar security breaches will be happening in other small and medium ISPs in the country”, he concluded.
