[ISN] Hackers poison DNS

InfoSec News isn at c4i.org
Mon Mar 7 06:02:29 EST 2005


http://www.theinquirer.net/?article=21621

By Nick Farrell
07 March 2005

HACKERS HAVE found a way of diverting interweb punters from famous 
websites to dodgy URL's where they plied with spy and adware. 
Security outfit, The Internet Storm Centre, posted a warning about 
"DNS cache poisoning" on its website on Friday.

It said that it had reports that this particular attack was 
redirecting traffic from google.com, ebay.com, and weather.com.

Basically the hackers are attacking a domain name server and poisoning 
the cache by planting counterfeit data in the cache of the name 
server. 

However, all might not be doom and gloom. Other security firms are 
also having a bit of difficulty confirming the attack. They spent all 
Friday hitting Google and ebay and can't find a poisoned DNS anywhere. 

It could be that the sites got better, however it is more likely that 
the hack is localised to an enterprise or small internet service 
provider.

According to the Storm Centre here, the DNS cache poisoning appears to 
be affecting Symantec firewalls with DNS caching. 

Some victims have told the Centre that they applied the patch, but 
were still affected. So this could be a different vulnerability or the 
patch didn't work properly. 

The ABX toolbar spyware that gets loaded onto the machine when 
visiting the target servers. This uses an ActiveX control. Users 
running Windows XP SP2 or a web browser that does not support ActiveX 
will probably not get hit with the spyware if they visit the server. 
ABX is not detected yet by the normal toolset of spyware/antivirus 
tools.





More information about the ISN mailing list