DNS Diversion Attack Underdway On Google, eBay, and other tops sites. - GoFuckYourself.com

KRL · 05-14-2005, 02:26 PM

Security experts late Friday warned that a DNS cache poisoning attack may be underway and redirecting users from some of the most popular Web sites to a malicious URL where spyware and adware is invisibly installed onto their computers.

According to the Internet Storm Center, which posted an alert on its Web site, it had received reports that the attack was redirecting traffic from popular domains such as google.com, ebay.com, and weather.com.

DNS cache poisoning occurs when an attacker hacks into a domain name server, then "poisons" the cache by planting counterfeit data in the cache of the name server. When a user requests, say, ebay.com, and the IP address is resolved by the hacked domain server, the bogus data is fed back to the browser.

Another tactic, dubbed "DNS hijacking," is similar, but simply changes the domain server so that traffic is actually re-routed.

It's unclear which of the two tactics this attack is using.

Even security firms had difficulty confirming the attack, however. Dan Hubbard, the senior director of security at San Diego-based Websense, for instance, said that his team had been investigating the report for several hours but had not yet been able to hit a domain server that had been poisoned.

But Websense's monitoring of its customer's usage patterns did pick up a spike in traffic to the three malicious sites supposedly feeding spyware to redirected users. (In turn, the three feed users to one single site.)

"It's circumstantial evidence," he said, "but it seems something is going on."

Nor was Hubbard able to confirm the targets of the poison and/or hijack. "We haven't been able to trace a redirect from, say, Google," he added.

The hack could be quite localized if, for instance, the affected domain server was one operated by an enterprise or small Internet service provider. "It's certainly not at the root level, or we'd all end up at this malicious site."

Domain cache poisoning and domain hijacking, while rare, are not unheard of. In the late 1990s, a vulnerability in BIND (Berkeley Internet Name Domain), the software used by nearly all of the name servers on the Internet, was disclosed. A few exploits followed. And in 2000, RSA Security was victimized by a Web defacement that really wasn't: instead, domain cache poisoning simply fed bogus pages to users.

"One interesting thing about malicious Web sites is that the hackers have to get people to the site," said Hubbard. "How they get people to their sites is becoming very important. In this case, they're getting more creative than the traditional phishing or instant messaging approach where links are sent to users."

The adware and spyware on the malicious sites is thankfully "not very dangerous," said Hubbard. The sites try to download and install code and an Active X control called "ABC Search Webinstall" that changes the browser's toolbar, its home page, and search preferences, among other things.

Shoehorn! · 05-14-2005, 03:02 PM

Damn, thats crazy.

SGS · 05-14-2005, 03:06 PM

The world is full of bad people.

SGS · 05-14-2005, 03:07 PM

Sorry wrong thread

Tony Montana · 05-14-2005, 03:09 PM

Those guys who run that abc search are gonna get ass fucked

Rich · 05-14-2005, 04:24 PM

Quote:

Originally Posted by Tony Montana

Those guys who run that abc search are gonna get ass fucked

I wonder if that's actually abcsearch.com or just someone using their name. I've bought traffic from abcsearch, it sucked more than any other SE I've ever tried. Maybe this explains why.

05-14-2005, 02:26 PM	#1
KRL Entrepreneur Join Date: Oct 2002 Location: USA Posts: 31,429	DNS Diversion Attack Underdway On Google, eBay, and other tops sites. Security experts late Friday warned that a DNS cache poisoning attack may be underway and redirecting users from some of the most popular Web sites to a malicious URL where spyware and adware is invisibly installed onto their computers. According to the Internet Storm Center, which posted an alert on its Web site, it had received reports that the attack was redirecting traffic from popular domains such as google.com, ebay.com, and weather.com. DNS cache poisoning occurs when an attacker hacks into a domain name server, then "poisons" the cache by planting counterfeit data in the cache of the name server. When a user requests, say, ebay.com, and the IP address is resolved by the hacked domain server, the bogus data is fed back to the browser. Another tactic, dubbed "DNS hijacking," is similar, but simply changes the domain server so that traffic is actually re-routed. It's unclear which of the two tactics this attack is using. Even security firms had difficulty confirming the attack, however. Dan Hubbard, the senior director of security at San Diego-based Websense, for instance, said that his team had been investigating the report for several hours but had not yet been able to hit a domain server that had been poisoned. But Websense's monitoring of its customer's usage patterns did pick up a spike in traffic to the three malicious sites supposedly feeding spyware to redirected users. (In turn, the three feed users to one single site.) "It's circumstantial evidence," he said, "but it seems something is going on." Nor was Hubbard able to confirm the targets of the poison and/or hijack. "We haven't been able to trace a redirect from, say, Google," he added. The hack could be quite localized if, for instance, the affected domain server was one operated by an enterprise or small Internet service provider. "It's certainly not at the root level, or we'd all end up at this malicious site." Domain cache poisoning and domain hijacking, while rare, are not unheard of. In the late 1990s, a vulnerability in BIND (Berkeley Internet Name Domain), the software used by nearly all of the name servers on the Internet, was disclosed. A few exploits followed. And in 2000, RSA Security was victimized by a Web defacement that really wasn't: instead, domain cache poisoning simply fed bogus pages to users. "One interesting thing about malicious Web sites is that the hackers have to get people to the site," said Hubbard. "How they get people to their sites is becoming very important. In this case, they're getting more creative than the traditional phishing or instant messaging approach where links are sent to users." The adware and spyware on the malicious sites is thankfully "not very dangerous," said Hubbard. The sites try to download and install code and an Active X control called "ABC Search Webinstall" that changes the browser's toolbar, its home page, and search preferences, among other things. __________________ If you would like to develop your domains, you can lease inexpensive foreign labor from the leaders in the field at iWebmasters.com TO LOWER YOUR COSTS AND INCREASE YOUR PRODUCTION! * * * * * * * * * * * * Domains Adult News KRL's Newsletter Biz Tips Just Listed Domains

05-14-2005, 03:02 PM	#2
Shoehorn! Die With Your Boots On Join Date: Oct 2003 Location: Hawaii Posts: 22,872	Damn, thats crazy. __________________

05-14-2005, 03:06 PM	#3
SGS Confirmed User Industry Role: Join Date: Dec 2002 Location: Mallorca - Nottingham Posts: 5,176	The world is full of bad people. __________________ See sig...

05-14-2005, 03:07 PM	#4
SGS Confirmed User Industry Role: Join Date: Dec 2002 Location: Mallorca - Nottingham Posts: 5,176	Sorry wrong thread __________________ See sig... Last edited by SGS; 05-14-2005 at 03:08 PM..

05-14-2005, 03:09 PM	#5
Tony Montana Confirmed User Join Date: Jan 2005 Posts: 794	Those guys who run that abc search are gonna get ass fucked __________________ I am a marketing Genius.