Websense reports China Netcom DNS cache poisoning

The DNS server of one of China's largest ISPs has been poisoned to redirect typos to a malicious site rigged with drive-by exploits. According to a warning from Websense Security Labs, the DNS poisoning attacks are affecting customers of China Netcom (CNC) and are using a malicious iFrame to launch exploits for known vulnerabilities in RealNetworks' RealPlayer,  Adobe Flash Player and Microsoft Snapshot Viewer.

• When users mistype a domain name, they are sometimes directed by their ISPs to a placeholder Web site with generic advertisements. This is typically an additional revenue source for the ISP. In the case of CNC, customers of this prominent ISP are directed to a Web site under the control of an attacker.

Websense provided screenshots of an nslookup of a potential mistyped URL. The first shows an unaffected name server, while the second shows the poisoned name server: Unaffected name server:

Poisoned DNS server:

A user querying an unaffected DNS server is taken through to a clean site but if the target queries a poisoned name server, the browser is redirected to the attacker's site with the malicious iFrame code: