DNS poisoners hijack typo domains
Websense, the security services provider, has reported a successful case of cache poisoning on name servers of one of the largest Chinese ISPs. Netcom customers are said to have been steered by criminals to manipulated pages on which exploits for RealPlayer, MS Snapshot Viewer, Adobe Flash Player and Microsoft Data Access Components attempted to inject malicious software into their PCs.
The criminals carried out their attack somewhat subtly: instead of manipulating the addresses of prominent web sites in the cache, they only changed the address of the ISP's advertising pages. Users arrive at these pages when the domain name they request does not exist, for example because they mistyped the URL. ISPs use this redirection method, known as typosquatting, to advertise free domains or competing products. In the present case, however, clients did not arrive on the typosquatting pages, but on pages carrying a crafted trojan.
Evidently the cause of the problem is that the patches introducing random source ports for queries, released to hamper these well-known attacks, had not been applied to the Netcom name servers. Previously, official reports about successful cache-poisoning attacks had only concerned AT&T. Dan Kaminsky last reported on the patch status of the Fortune 500 companies at the Black Hat security conference, saying that around 70 per cent of them were patched.
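The following script is an added example, not part of the original article and not code from Websense, Netcom or Kaminsky. It shows the check an operator would run to confirm that the source-port patch discussed above is actually in effect on a recursive resolver: given (transaction ID, source port) pairs observed on the resolver's outbound queries, it classifies the port behaviour as fixed, sequential, weak or random. The input format, the sample size threshold and the 0.9 distinct-port ratio are assumptions chosen for illustration; the four sample sets are constructed inline rather than taken from real captures.

```python
"""Assess whether a recursive resolver randomizes the source port of its
outbound queries (the mitigation the article says was missing on Netcom's
servers). Input is a list of (txid, src_port) pairs; in practice these would
be extracted from a packet capture of the resolver's outbound traffic.
"""
import math
import random
from collections import Counter


def entropy_bits(values):
    """Shannon entropy (bits) of the empirical distribution of the values.

    Note: bounded above by log2(len(values)), so it measures what the sample
    shows, not the resolver's theoretical pool size.
    """
    n = len(values)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())


def is_sequential(values, tolerance=0.8):
    """True if most consecutive samples differ by exactly +1: a counter,
    which yields distinct but entirely predictable ports."""
    if len(values) < 2:
        return False
    steps = sum(1 for a, b in zip(values, values[1:]) if b - a == 1)
    return steps / (len(values) - 1) >= tolerance


def assess_source_ports(observations, min_samples=20):
    """Classify source-port behaviour seen in (txid, src_port) samples.

    Returns 'insufficient', 'fixed', 'sequential', 'weak' or 'random'.
    'fixed' corresponds to an unpatched resolver that sends every query from
    the same port, so an off-path forger only has to guess the 16-bit TXID.
    """
    ports = [p for _, p in observations]
    if len(ports) < min_samples:
        return "insufficient"
    distinct = len(set(ports))
    if distinct == 1:
        return "fixed"
    if is_sequential(ports):
        return "sequential"
    # A resolver drawing from tens of thousands of ports should show almost no
    # repeats in a sample of this size; many repeats mean a small pool.
    if distinct / len(ports) < 0.9:  # assumed threshold
        return "weak"
    return "random"


# Constructed samples (not real captures); seeded so the run is repeatable.
_rng = random.Random(1)
UNPATCHED = [(_rng.randrange(65536), 53) for _ in range(200)]              # fixed port
SEQUENTIAL = [(_rng.randrange(65536), 32768 + i) for i in range(200)]       # counter
WEAK = [(_rng.randrange(65536), 32768 + _rng.randrange(16)) for _ in range(200)]  # 16-port pool
PATCHED = [(_rng.randrange(65536), _rng.randrange(1024, 65536)) for _ in range(200)]

if __name__ == "__main__":
    for name, obs in (("unpatched", UNPATCHED), ("sequential", SEQUENTIAL),
                      ("weak", WEAK), ("patched", PATCHED)):
        ports = [p for _, p in obs]
        print(f"{name:10s} verdict={assess_source_ports(obs):12s} "
              f"observed port entropy={entropy_bits(ports):.2f} bits")
```

The verdict is what matters: anything other than "random" means an off-path attacker's guessing space is effectively the 16-bit transaction ID alone, which is the condition the Kaminsky attack exploits. The entropy figure is only a sanity check on the sample, since it can never exceed log2 of the number of observations.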
- China Netcom DNS cache poisoning, warning from Websense
For background to the Domain Name System security problem and current developments, see:
- Kaminsky reveals final details of DNS vulnerability
- DNS security problem: new patches and omissions
- Apple eliminates DNS server vulnerability under Mac OS X
- Patches for DNS vulnerability put the brakes on servers
- DNS hole - no patch yet from Apple
- DNS vulnerability exploits released
- DNS security problem details released
- Massive DNS security problem endangers the internet