Massive DNS poisoning attack in Brazil serving exploits and malware

Security researchers from Kaspersky Lab have detected a massive DNS poisoning attack, affecting Brazilian ISPs.

Upon attempting to visit a legitimate website such as www.google.com.br, users are served malicious file downloads alongside client-side exploits, in particular CVE-2010-4452.

Kaspersky's Fabio Assolini comments:

Brazil has some big ISPs. Official statistics suggest the country has 73 million computers connected to the Internet, and the major ISPs average 3 or 4 million customers each. If a cybercriminal can change the DNS cache in just one server, the number of potential victims is huge.

Last week Brazil’s web forums were alive with desperate cries for help from users who faced malicious redirections when trying to access websites such as YouTube, Gmail and Hotmail, as well as local market leaders including Uol, Terra and Globo. In all cases, users were asked to run a malicious file as soon as the website opened.

Malicious attackers often turn to alternative methods of abusing the infrastructure of a trusted website, Google in this case, when they cannot compromise that infrastructure directly. Whether by modifying a particular site's DNS records after social-engineering their way in, or by direct DNS cache poisoning, their main objective remains the same: abusing high-traffic websites.

Affected users are advised to "update antivirus and all software in the computer (such as Java), also change the DNS configuration to other providers".
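The attack described above lives in the ISP resolver's cache, so the quickest way for a user or a help desk to confirm it is to ask several independent resolvers the same question and see which one disagrees. The following is an added example, not code from the article or from Kaspersky: it builds a raw DNS A query, parses the answers, and flags resolvers that are unreachable (the case one commenter describes with OpenDNS) or whose answer shares no address with the majority. Resolver names and addresses in the test are constructed placeholders.

```python
import socket, struct
from collections import Counter

def build_a_query(hostname, txid):
    """Minimal DNS A query with recursion desired (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = hostname.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def skip_name(resp, pos):
    """Advance past a domain name, which may end in a compression pointer."""
    while resp[pos] & 0xC0 != 0xC0:
        if resp[pos] == 0:
            return pos + 1
        pos += resp[pos] + 1
    return pos + 2

def parse_a_answers(resp, txid):
    """Return the set of A-record IPs in a response whose ID matches txid."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or (flags & 0x000F) != 0:  # wrong ID or non-zero RCODE
        return set()
    pos = 12
    for _ in range(qd):
        pos = skip_name(resp, pos) + 4  # skip QTYPE and QCLASS
    ips = set()
    for _ in range(an):
        pos = skip_name(resp, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.add(".".join(str(b) for b in resp[pos:pos + 4]))
        pos += rdlen
    return ips

def query_resolver(resolver_ip, hostname, timeout=2.0):
    """Ask one resolver directly over UDP; None means unreachable or timed out."""
    txid = 0x1234  # fixed for reproducibility; use a random ID in real use
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_a_query(hostname, txid), (resolver_ip, 53))
            data, _ = s.recvfrom(4096)
        except OSError:
            return None
    return parse_a_answers(data, txid)

def suspect_resolvers(answers, min_agree=2):
    """Flag resolvers that are unreachable or share no IP with the majority answer."""
    counts = Counter(ip for ips in answers.values() if ips for ip in ips)
    agreed = {ip for ip, n in counts.items() if n >= min_agree}
    return sorted(name for name, ips in answers.items()
                  if ips is None or (agreed and not ips & agreed))
```

To use it live, call `query_resolver` once per resolver IP (the ISP's and two or three public ones) for the same hostname and pass the resulting dict to `suspect_resolvers`; a site served from a CDN can legitimately return different addresses per resolver, so treat a flag as a prompt to inspect, not as proof of poisoning.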

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

9 comments
  • RE: Massive DNS poisoning attack in Brazil serving exploits and malware

    Going by the screenshot, it's a good time to switch OS.
    Return_of_the_jedi
    • RE: Massive DNS poisoning attack in Brazil serving exploits and malware

      @Return_of_the_jedi

      + 1
      ScorpioBlue
  • RE: Massive DNS poisoning attack in Brazil serving exploits and malware

    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4452
    hubivedder
  • RE: Massive DNS poisoning attack in Brazil serving exploits and malware

    It is good that these cyber security scams are caught and highlighted.
    The bad thing is people need to be more aware and use modern browsers like Chrome which at least indicate that something is fishy around this website.

    http://thetechnologycafe.com/us-fbi-busts-computer-botnet-hijackerscheck-if-you-are-effected-now/
    samzbest@...
    • RE: Massive DNS poisoning attack in Brazil serving exploits and malware

      @samzbest@... Not Chrome, but there are some other good browsers out there. Actually I'm finding IE catching almost 2x more of those crackpots than the parallel run of Chrome on another set of hardware. Then I have the hassle of coming back with IE and killing the sh_t of course; occasionally unpleasant so use a sandbox for this kind of work, not your production machine/s.
      It works in the opposite direction too, but not as well; Chrome misses too many and has too many false positives for my liking.
      tom@...
  • RE: Massive DNS poisoning attack in Brazil serving exploits and malware

    http://go.uc7758.com/gT
    http://go.uc7758.com/gT
    tyuthfd
  • Unaffected Brazilian user here, but...

    ...that could be because my Internet connection is configured to use OpenDNS for address resolution. Still, I didn't hear of any affected users among my friends and correspondents.

    However, I encountered frequent OpenDNS service disruptions during the last week. They were short (usually a few minutes, at most half an hour) and the service was soon back to normal, but they happened. My PC couldn't even ping their servers. Since OpenDNS is very reliable and has many fail-safe redundant mechanisms, but my connection to them obviously has to happen through my ISP (which is one of the largest ones), I wonder if my ISP's servers weren't compromised in such a way that connection to alternative DNS servers was blocked. Also obviously, OpenDNS doesn't depend on DNS resolution itself and their servers are accessed by plain IP addresses, so a simple DNS cache poisoning at my ISP wouldn't explain that.

    In case you would like a translation, the message box is a standard IE one, but the caption in Portuguese reads: "It was not possible to verify the application's digital signature. Do you wish to run the application?" The "editor" field shows "desconhecido," which means "unknown."

    I found it strange, though, that the IE window shown is from the English version, but the warning message is in Portuguese. This shouldn't happen - IE's versions in each language have a consistent UI throughout. I suppose this is an image montage of an English IE window accessing Google's Brazilian site with an error message captured from an access using Brazilian Portuguese IE.
    goyta
    • RE: Massive DNS poisoning attack in Brazil serving exploits and malware

      @goyta
      Well since zdnet didn't want to fly down to Brazil and get an actual screenshot, they did a cut-and-paste job here instead.

      Who says they aren't sloppy? :p
      ScorpioBlue
    • RE: Massive DNS poisoning attack in Brazil serving exploits and malware

      The OS is pt-br, but browser is en-(us?).
      asterus@...