DNS poisoning hits Brazilian ISPs
Brazilian ISPs are becoming victims of a series of DNS cache poisoning attacks which redirect the ISPs' users to sites that trick them into installing malware. The attacks, documented in a Kaspersky Lab blog posting, meant that users of the affected ISPs who tried to go to www.google.com.br were instead told that they had to download and install "Google Defence" software in order to use the search engine. The software itself was a banking trojan, and the site where the file was hosted also included .exe files which pretended to be setup programs for Facebook, YouTube and other sites.
Kaspersky noted that Brazil's Federal Police had arrested a 27-year-old employee of a "medium-sized ISP in the south of the country" who was accused of taking part in the cache poisoning scheme. He is said to have been modifying the DNS cache of the ISP and redirecting users over a ten month period.
A typical major ISP in Brazil has around three to four million customers, making the ISPs' DNS caches a valuable target: changing the cache on just one server could send tens of thousands of users to the criminals' web sites, where they could be tricked into installing malware. The DNS system translates domain names into IP addresses; a system can look up a domain by querying a DNS server and getting the current translation. Because a full lookup can take some time, DNS servers cache the results of queries for a period of time (the record's TTL). DNS cache poisoning works by corrupting that cache, putting different IP addresses, usually for sites hosting malware, into it. Until the poisoned entry expires, the server hands the attacker's address to every client that asks for the name, without ever contacting the legitimate name servers again, which is why one modified cache reaches so many users.
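The following is an added example, not code from the original article or from Kaspersky: a small Python model of a caching resolver that shows why a single poisoned cache entry reaches every client until its TTL expires, plus the check a practitioner can run against an ISP resolver, comparing its answers with those of independent resolvers. All domain names, addresses (taken from the RFC 5737 documentation ranges), TTLs and the "upstream" answers are constructed for illustration.

```python
"""Model of a recursive resolver cache and a cross-resolver consistency check.
All names, addresses and TTLs are constructed for illustration."""
from collections import Counter


class CachingResolver:
    """Minimal caching resolver: upstream answers are cached until their TTL expires."""

    def __init__(self, upstream):
        # upstream: name -> (ip, ttl_seconds); stands in for the authoritative servers
        self.upstream = upstream
        self.cache = {}  # name -> (ip, expiry_time)
        self.upstream_queries = 0

    def resolve(self, name, now):
        entry = self.cache.get(name)
        if entry is not None and now < entry[1]:
            return entry[0]  # cache hit: no upstream lookup, whatever the entry's origin
        ip, ttl = self.upstream[name]
        self.upstream_queries += 1
        self.cache[name] = (ip, now + ttl)
        return ip

    def poison(self, name, ip, ttl, now):
        """Overwrite a cached record, as an insider with access to the cache (or a
        spoofed reply that beats the genuine one) would. Every client of this
        resolver now receives `ip` for `name` until the entry expires."""
        self.cache[name] = (ip, now + ttl)


def cross_check(answers):
    """answers: {resolver_name: {domain: ip}} collected from several resolvers.
    Returns {domain: {resolver: ip}} for every domain on which at least one
    resolver disagrees with the majority answer."""
    domains = set().union(*(a.keys() for a in answers.values()))
    suspicious = {}
    for domain in sorted(domains):
        votes = {r: a[domain] for r, a in answers.items() if domain in a}
        majority_ip, _ = Counter(votes.values()).most_common(1)[0]
        if any(ip != majority_ip for ip in votes.values()):
            suspicious[domain] = votes
    return suspicious


def demo():
    name = "www.google.com.br"
    good_ip, bad_ip = "192.0.2.10", "198.51.100.7"  # constructed documentation addresses
    isp = CachingResolver({name: (good_ip, 300)})

    isp.resolve(name, now=0)                    # legitimate record cached with TTL 300 s
    isp.poison(name, bad_ip, ttl=3600, now=10)  # cache entry replaced, one hour TTL

    # Every query in the next hour is answered from the poisoned entry; the resolver
    # never asks upstream again during that time.
    served = Counter(isp.resolve(name, now=t) for t in range(11, 3610))
    queries_during_attack = isp.upstream_queries
    after_expiry = isp.resolve(name, now=3610)  # entry expired: genuine lookup again

    # Cross-check: ISP resolver vs two independent resolvers (constructed answers).
    flagged = cross_check({
        "isp_resolver": {name: bad_ip, "example.com": "192.0.2.20"},
        "independent_1": {name: good_ip, "example.com": "192.0.2.20"},
        "independent_2": {name: good_ip, "example.com": "192.0.2.20"},
    })
    return {
        "poisoned_answers": served[bad_ip],
        "genuine_answers_during_attack": served[good_ip],
        "upstream_queries_during_attack": queries_during_attack,
        "after_expiry": after_expiry,
        "flagged": sorted(flagged),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The cross-check is the practical half: querying a handful of well-known domains through the ISP resolver and through two or more independent resolvers, then flagging any domain where the answers disagree, catches exactly the kind of localized poisoning described above. Legitimate differences do occur (CDNs answer by geography), so a disagreement is a prompt to look further, not proof of compromise on its own.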