HD Moore pwned with his own DNS exploit, vulnerable AT&T DNS servers to blame


Summary: A week after |)ruid and HD Moore released part 2 of the DNS exploit, HD Moore's company BreakingPoint has suffered a traffic redirection to a rogue Google site, thanks to the already poisoned cache at the AT&T servers to which his company was forwarding DNS traffic: "It happened on Tuesday morning, when Moore's company, BreakingPoint, had some of its Internet traffic redirected to a fake Google page that was being run by a scammer."


A week after |)ruid and HD Moore released part 2 of the DNS exploit, HD Moore's company BreakingPoint has suffered a traffic redirection to a rogue Google site, thanks to the already poisoned cache at the AT&T servers to which his company was forwarding DNS traffic:

"It happened on Tuesday morning, when Moore's company, BreakingPoint, had some of its Internet traffic redirected to a fake Google page that was being run by a scammer. According to Moore, the hacker was able to do this by launching what's known as a cache poisoning attack on a DNS server on AT&T's network that was serving the Austin, Texas area. One of BreakingPoint's servers was forwarding DNS (Domain Name System) traffic to the AT&T server, so when it was compromised, so was HD Moore's company. When Moore tried to visit Google.com, he was actually redirected to a fake page that served up a Google page in one HTML frame along with three other pages designed to automatically click on advertisements."

Moreover, last month, before the latest DNS cache poisoning vulnerability and exploits surfaced, the Metasploit Project's site was temporarily hijacked through ARP poisoning, a reminder that old-fashioned attacks on name resolution still work.

UPDATE: HD Moore's explanation of the situation, and the impact of the attack that took place:

"Most of the facts of the article are correct. I have no problem detailing the attack, how it worked, and how we detected and resolved it. I am careful about the wording, because I want to be clear that while this type of attack can be serious, in this case it was a five minute annoyance that was designed as a revenue generator for the folks who launched it (click-through advertisement revenue). No systems were compromised, no data was stolen, and most importantly, the target of the attack was the ISP, not the company that I work for. Stating that my company was "compromised" leads the reader to believe that there was some sort of security breach, which is reinforced by the fabricated quote."
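A defender-side check for the forwarding setup described in the quote above, added here as an example (it is not code from the article, from BreakingPoint or from the Metasploit project): resolve the same name through the forwarder and through an independent reference resolver, parse both wire-format answers, and flag any address the forwarder returns that the reference does not. The two responses below are constructed sample data standing in for live queries; www.example.com and the addresses are placeholders.

```python
import struct

def parse_name(msg, off):
    """Decode a DNS name at off, following RFC 1035 compression pointers."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            end = end or off + 2                        # resume after the first pointer
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            return ".".join(labels), end or off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def a_records(msg):
    """Return {owner_name: [IPv4, ...]} for A records in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12                                            # past the fixed header
    for _ in range(qdcount):                            # skip the question section
        _, off = parse_name(msg, off)
        off += 4                                        # QTYPE + QCLASS
    out = {}
    for _ in range(ancount):
        name, off = parse_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rclass == 1:                  # A record, class IN
            out.setdefault(name, []).append(".".join(map(str, rdata)))
    return out

def build_response(name, ips, ttl):
    """Construct a minimal DNS response to an A query (sample data, not a capture)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(ips), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
                       + bytes(int(o) for o in ip.split(".")) for ip in ips)
    return header + qname + struct.pack("!HH", 1, 1) + answers

def cross_check(forwarder_msg, reference_msg):
    """Addresses the forwarder returned that the reference resolver did not."""
    fwd, ref = a_records(forwarder_msg), a_records(reference_msg)
    rogue = {n: sorted(set(ips) - set(ref.get(n, []))) for n, ips in fwd.items()}
    return {n: ips for n, ips in rogue.items() if ips}

FORWARDER = build_response("www.example.com", ["203.0.113.7"], 86400)              # constructed
REFERENCE = build_response("www.example.com", ["198.51.100.10", "198.51.100.11"], 300)  # constructed
```

In practice the two byte strings come from UDP queries sent to the forwarder and to a reference resolver (or the zone's authoritative server); a mismatch on a long-TTL answer is the signal worth investigating, not proof of poisoning, since CDN and geo-DNS answers legitimately differ between resolvers.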

Topics: Browser, Google, Networking, Servers, AT&T

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.


Talkback

14 comments
  • On top of this

    It wasn't HD who was hacked, as Dancho points out. I just want to reiterate that point, as Austin TX was what was hacked. The AT&T DNS servers there were what was hijacked, and unfortunately, HD can no more control what AT&T does than I can control what my ISP does in Chicago.

    -Nate
    nmcfeters
  • So HD wasn't pwnd...

    ... should that maybe be updated, too?
    Jennifer Leggio
    • Yes it should.... maybe HD's ISP was pwned.

      DOAS PWN3D RILLY HAEV A PLAEC ON ZDNAT?!??!??! WTF LOL JUST ASKNG.!1111!11111!!!!!!!1 OMG WTF NOT T3LNG!111!!111 WTF
      Been_Done_Before
      • Take 2 xanax and call me in the morning!

        Geez, chill dude. Is this hereditary or did you just fall on your head as a child?
        dunn2
        • It was a joke. I used the AOL translator to generate that.

          If you read it without your eyes bleeding, it says:

          "Does pwned really have a place on ZDNet? Just asking... not telling."

          I asked in that way to make fun of the word pwned and its culture. I use it all the time playing games, so I am not trying to seem stuffy.
          Been_Done_Before
          • I Apologize For Seeming Stuffy Myself...

            I knew what you were saying but in all upper case I thought you were not happy with the article or the posting.

            My Bad.
            dunn2
      • Why not?

        It's the vernacular of the culture the article is commenting on. Would you prefer we put on our best Oxford English professor voice?

        I don't see a problem with it as long as it's not over done.

        -Nate
        nmcfeters
        • "Why Not?" What?

          NT
          dunn2
        • Pwned is a gaming term, Owned is a hacker term.

          'Course more recently a lot of the terms have become interchangeable. Pwned came about when someone quickly typed Owned and used a P instead of an O, thus unknowingly leaving us with a term everyone uses.

          It's sort of like the "all your base belong to us" statement posted by a foreign gamer during a match. It highlights the poor grammar used in games. Again, not that it's a bad thing, my grammar is not perfect, nor do I claim it to be.

          Thus my question: "Does pwned really have a place on ZDNet... just asking.. not telling?"

          BTW: I love the aol translator, it brings me back to my aim days... ahh soo nostalgic!
          Been_Done_Before
          • All your base belong to us...

            That did not come from some "foreign" gamer, obviously you made that up.. and you know the origin of pwned??? I highly doubt that! Good GUESS, but as with All your base, I doubt you're correct.

            From Wikipedia (although you are more than welcome to google it)..

            "All your base are belong to us" (often shortened to "All Your Base", "AYBABTU", or simply "AYB") is a broken English phrase that sparked an internet phenomenon in 2001 and 2002, with the spread of a Flash animation that depicted the slogan. The text is taken from the opening cutscene of the European Sega Mega Drive version of Zero Wing,[1] a Japanese video game by Toaplan. It was popularized by the Something Awful message forums.[2]
            duhrain
          • it was foreign gamer, in a way

            it was a foreign game company (Japanese) that couldn't translate English very well.
            ChazzMatt
          • LOL, it's been years since I heard the origins of it.

            I remembered it being from a game and a foreigner having something to do with it... good call.

            BTW: Someone tell him Wiki is not the end-all answer to everything, it's essentially history by agreement.
            Been_Done_Before
  • RE: HD Moore pwned with his own DNS exploit, vulnerable AT

    ATT tech support is a joke

    I contacted tech support yesterday and tier 1 support had no idea what I was talking about (DNS cache poisoning), so I requested to talk to tier 2 support, and they demonstrated little to no awareness of the current situation. ATT needs to get on the ball and get their servers patched!! WHAT'S THEIR HOLDUP????

    pmadamstx@hotmail.com
    pmadamstx
    • Switch to OpenDNS

      At least until AT&T gets itself sorted.
      seanferd