Websense reports China Netcom DNS cache poisoning

Summary: The DNS server of one of China's largest ISPs has been poisoned to redirect typos to a malicious site rigged with drive-by exploits. According to a warning from Websense Security Labs, the DNS poisoning attacks are affecting customers of China Netcom (CNC) and are using a malicious iFrame to launch exploits for known vulnerabilities in RealNetworks' RealPlayer, Adobe Flash Player and Microsoft Snapshot Viewer.

  • When users mistype a domain name, they are sometimes directed by their ISPs to a placeholder Web site with generic advertisements. This is typically an additional revenue source for the ISP. In the case of CNC, customers of this prominent ISP are directed to a Web site under the control of an attacker.

Websense provided screenshots of an nslookup of a potentially mistyped URL. The first shows an unaffected name server, while the second shows the poisoned name server.

[Screenshot: unaffected name server]

[Screenshot: poisoned DNS server]

A user querying an unaffected DNS server is taken through to a clean site, but if the target queries a poisoned name server, the browser is redirected to the attacker's site with the malicious iFrame code:

[Screenshot: redirect to the attacker's site with the malicious iFrame code]
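The Websense comparison above, and the ISP typo-redirect behaviour described in the bullet before it, boil down to one defensive check: resolve the same mistyped name through several resolvers and flag any resolver that answers differently from one you trust. The following is an added example, not code from the article or from Websense. It parses BIND-style nslookup transcripts (the format is assumed) and reports resolvers that return an address for a name the trusted resolver says does not exist (the typo-hijack case) or that return an address set disjoint from the trusted one. All resolver names and addresses are constructed and drawn from the RFC 5737 documentation ranges; they are not the servers from the report.

```python
import re
from dataclasses import dataclass

# Constructed nslookup transcripts for one mistyped hostname, one per resolver.
# Resolver names and every address here are made up (RFC 5737 ranges); they are
# not the name servers or hosts mentioned in the Websense report.
TRUSTED_RESOLVER = "resolver-a.example"

SAMPLE_TRANSCRIPTS = {
    "resolver-a.example": """Server:\t\tresolver-a.example
Address:\t192.0.2.53#53

** server can't find wwww.examp1e.test: NXDOMAIN
""",
    "resolver-b.example": """Server:\t\tresolver-b.example
Address:\t198.51.100.53#53

Non-authoritative answer:
Name:\twwww.examp1e.test
Address: 203.0.113.10
""",
    "resolver-c.example": """Server:\t\tresolver-c.example
Address:\t192.0.2.54#53

** server can't find wwww.examp1e.test: NXDOMAIN
""",
}


@dataclass(frozen=True)
class LookupResult:
    resolver: str
    nxdomain: bool
    addresses: frozenset


NXDOMAIN_RE = re.compile(r"server can't find .*: NXDOMAIN")
ANSWER_ADDR_RE = re.compile(r"^Address:\s*(\S+)$", re.MULTILINE)


def parse_nslookup(resolver, text):
    """Parse a BIND-style nslookup transcript into a LookupResult.

    The 'Address:' line directly under 'Server:' describes the resolver itself,
    so only 'Address:' lines after the first 'Name:' marker are treated as
    answers for the queried name.
    """
    if NXDOMAIN_RE.search(text):
        return LookupResult(resolver, True, frozenset())
    idx = text.find("Name:")
    answer_section = text[idx:] if idx >= 0 else ""
    return LookupResult(resolver, False, frozenset(ANSWER_ADDR_RE.findall(answer_section)))


def find_divergent_resolvers(results, trusted_resolver):
    """Return {resolver: reason} for every resolver that disagrees with the trusted one."""
    trusted = results[trusted_resolver]
    findings = {}
    for name, r in results.items():
        if name == trusted_resolver:
            continue
        if trusted.nxdomain and not r.nxdomain:
            # The typo-redirect / poisoning case: an answer where there should be none.
            findings[name] = (f"answers {sorted(r.addresses)} for a name the trusted "
                              f"resolver reports as NXDOMAIN")
        elif not trusted.nxdomain and r.nxdomain:
            findings[name] = "returns NXDOMAIN for a name the trusted resolver resolves"
        elif not trusted.nxdomain and not (r.addresses & trusted.addresses):
            findings[name] = (f"answers {sorted(r.addresses)}, disjoint from trusted "
                              f"{sorted(trusted.addresses)}")
    return findings


def audit(transcripts=SAMPLE_TRANSCRIPTS, trusted_resolver=TRUSTED_RESOLVER):
    """Parse every transcript and return the divergence findings."""
    results = {name: parse_nslookup(name, text) for name, text in transcripts.items()}
    return find_divergent_resolvers(results, trusted_resolver)


if __name__ == "__main__":
    for resolver, reason in audit().items():
        print(f"[!] {resolver}: {reason}")
```

On the constructed input only resolver-b is flagged, because it hands back an address for a name the trusted resolver says does not exist; in a real deployment the transcripts would come from running nslookup against each resolver in turn, and a disjoint-address finding for a name that does exist is the stronger signal of a poisoned cache.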

Talkback

3 comments
  • interesting!

    Can I translate this article to Korean in my blog?
    (http://carly1000.blogspot.com/2008/08/websense-reports-china-netcom-dns-cache.html)

    If you don't want this, please add a comment on my blog.
    Carly1000
  • RE: Websense reports China Netcom DNS cache poisoning

    I think your fuzzing of the FQDN of this server: Name: linedns.bta.net.cn
    Address: 202.106.196.115

    and not the IP address shows your complete lack of understanding of DNS, and probably the entire Internet.

    but that's just my 2 cents.

    stine
    stine2469
  • RE: Websense reports China Netcom DNS cache poisoning

    Oh, I'm glad that China Netcom, the cheaper provider in China, isn't available in our apartment building ;-)

    Sometimes it is better to pay more!
    Cheers,
    Sven - Chongqing China (http://www.korn.cn/)
    Internship in China