Possible Domain Poisoning Under Way - InformationWeek


Security experts warn that a DNS cache-poisoning attack may be under way, but the scale of the threat was unclear.

Security experts late Friday warned that a DNS cache-poisoning attack may be under way, redirecting users from some of the most popular Web sites to a malicious URL where spyware and adware are invisibly installed onto their computers.

According to the Internet Storm Center, which posted an alert on its Web site, it had received reports that the attack was redirecting traffic from popular domains such as google.com, ebay.com, and weather.com.

DNS cache poisoning occurs when an attacker compromises a domain name server and "poisons" its cache by planting counterfeit records in it. When a user then requests, say, ebay.com, and the name is resolved by the compromised server, the bogus address is fed back to the browser.

Another tactic, dubbed "DNS hijacking," has the same effect but works by changing the domain's name-server settings themselves rather than the cached data, so that traffic is re-routed at the source.

It's unclear which of the two tactics this attack is using.
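As an added example (not code from the article or the Internet Storm Center), a toy caching resolver in Python shows how the counterfeit data described above gets cached when a resolver accepts any answer that arrives, and how matching each response against the query actually sent (transaction ID, question section, answered name) keeps it out. The class, names and addresses are constructed; a real resolver also randomizes the source port, handles CNAME chains and checks every extra record, which is omitted here.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    """Constructed stand-in for a DNS reply: question echoed back plus one answer record."""
    txid: int      # 16-bit transaction ID copied from the query
    qname: str     # name in the question section
    qtype: str     # record type in the question section
    rrname: str    # owner name of the answer record
    rdata: str     # answer data, e.g. an IPv4 address for an A record


class CachingResolver:
    def __init__(self):
        self.cache = {}     # (name, type) -> rdata served to clients
        self.pending = {}   # txid -> (qname, qtype) for queries still awaiting an answer

    def send_query(self, qname, qtype="A"):
        """Record an outstanding query and return the ID a legitimate answer must carry."""
        txid = random.randrange(1 << 16)
        self.pending[txid] = (qname, qtype)
        return txid

    def accept_naive(self, r):
        """Cache whatever arrives: the behaviour a poisoning attempt relies on."""
        self.cache[(r.rrname, r.qtype)] = r.rdata
        return True

    def accept_checked(self, r):
        """Cache a response only if it answers a query this resolver actually sent."""
        expected = self.pending.get(r.txid)
        if expected is None:                 # no outstanding query with this ID
            return False
        if expected != (r.qname, r.qtype):   # question section does not match ours
            return False
        if r.rrname != r.qname:              # answer is for a name we did not ask about
            return False
        del self.pending[r.txid]             # one answer per query; later copies are ignored
        self.cache[(r.rrname, r.qtype)] = r.rdata
        return True


def lookup(resolver, name, qtype="A"):
    """What a client would be told for this name, or None if nothing is cached."""
    return resolver.cache.get((name, qtype))
```

Feeding the same forged reply to both acceptance paths shows the difference: the naive cache serves the bogus address for every later client until the entry expires, while the checked cache keeps the real answer.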

Even security firms had difficulty confirming the attack, however. Dan Hubbard, the senior director of security at San Diego-based Websense, for instance, said that his team had been investigating the report for several hours but had not yet been able to hit a domain server that had been poisoned.

But Websense's monitoring of its customers' usage patterns did pick up a spike in traffic to the three malicious sites supposedly feeding spyware to redirected users. (In turn, the three feed users to one single site.)

"It's circumstantial evidence," he said, "but it seems something is going on."

Nor was Hubbard able to confirm the targets of the poison and/or hijack. "We haven't been able to trace a redirect from, say, Google," he added.

The hack could be quite localized if, for instance, the affected domain server was one operated by an enterprise or small Internet service provider. "It's certainly not at the root level, or we'd all end up at this malicious site."

Domain cache poisoning and domain hijacking, while rare, are not unheard of. In the late 1990s, a vulnerability in BIND (Berkeley Internet Name Domain), the software used by nearly all of the name servers on the Internet, was disclosed. A few exploits followed. And in 2000, RSA Security was victimized by a Web defacement that really wasn't: instead, domain cache poisoning simply fed bogus pages to users.

"One interesting thing about malicious Web sites is that the hackers have to get people to the site," said Hubbard. "How they get people to their sites is becoming very important. In this case, they're getting more creative than the traditional phishing or instant messaging approach where links are sent to users."

The adware and spyware on the malicious sites are thankfully "not very dangerous," said Hubbard. The sites try to download and install code and an ActiveX control called "ABC Search Webinstall" that changes the browser's toolbar, its home page, and search preferences, among other things.

For additional details of the attack as they become available, refer to the Internet Storm Center's Diary page, which promises to update as the Center finds out more.
