Global DNS cache poisoning attack?

Discussion in 'other security issues & news' started by dvk01, Mar 4, 2005.

Thread Status:
Not open for further replies.
  1. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    http://isc.sans.org/diary.php?date=2005-03-04

    Global DNS cache poisoning attack?

    We are currently investigating a report from several sites that indicate users being re-directed to malware sites. At this time it appears to be a DNS cache poisoning attack (not a spyware, adware, or browser hijack) and we are seeking more information.

    Popular domain names such as google.com, ebay.com, and weather.com are being directed to the following servers. Of course when connecting to these servers, "bad things" (tm) will happen, so don't go to them.
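A defender-side check for the symptom described above (several popular names suddenly answered with one server address they should not resolve to), added here as an example; it is not code from the thread or from the SANS diary it links to, and the expected ranges, client addresses and log records are constructed:

```python
"""Check resolver answers for the thread's poisoning symptom: several popular
names answered with one unexpected server. Added example, not from the thread
or the SANS diary; EXPECTED ranges, clients and log lines are constructed."""
from collections import defaultdict
import ipaddress
# Constructed: blocks each watched name should resolve into (real use: fill from authoritative answers).
EXPECTED = {
    "google.com": ["198.51.100.0/24"],
    "ebay.com": ["203.0.113.0/24"],
    "weather.com": ["192.0.2.0/24"],
}
# Constructed 'client qname A answer' records; example.net is unwatched, last line is malformed.
SAMPLE_LOG = """\
10.0.0.5 google.com A 198.51.100.7
10.0.0.5 ebay.com A 203.0.113.20
10.0.0.9 weather.com A 192.0.2.44
10.0.0.9 google.com A 100.64.0.17
10.0.0.12 ebay.com A 100.64.0.17
10.0.0.12 example.net A 100.64.0.17
10.0.0.12 weather.com A 192.0.2.300
"""

def parse_log(text):
    """Yield (qname, answer) for well-formed A records; skip anything else."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "A":
            continue
        try:
            ipaddress.ip_address(parts[3])  # validate; keep the string form
        except ValueError:
            continue
        yield parts[1].lower(), parts[3]

def in_expected(qname, ip):
    """True/False for a watched name, None if the name is not watched."""
    nets = EXPECTED.get(qname.lower())
    if nets is None:
        return None
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in nets)

def find_poisoning(text, min_names=2):
    """Off-range answer IP -> sorted watched names it was handed out for,
    keeping only IPs shared by at least min_names names."""
    by_ip = defaultdict(set)
    for qname, ip in parse_log(text):
        if in_expected(qname, ip) is False:
            by_ip[ip].add(qname)
    return {ip: sorted(n) for ip, n in by_ip.items() if len(n) >= min_names}
```

A single off-range answer can be a legitimate CDN change, so the shared-answer threshold is what separates a poisoned cache from ordinary churn.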
     
  2. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    So disabling the DNS service could benefit in this matter, Derek?
     
  3. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Not in the slightest.

    They are talking about the DNS servers, whether at your ISP or one or more of the 13 major DNS servers that control the entire internet.

    The DNS service on your computer has nothing to do with it.

    This explains it more:
    http://www.nextsite.biz/faq_dns.html
     
  4. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Thanx Derek, appreciated.
     
  5. Marja

    Marja Honestly, I'm not a bot!!

    Joined:
    Mar 8, 2004
    Posts:
    4,553
    Location:
    In the Vast Fields of My Mind
    Thanks Derek, much appreciated! :)


    Pet a hedgehog for me!! :D I check your site often!

    Marja:cool:
     
  6. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    There's an update:
    So the first problem can be accounted for, the second one (following the rerouting) is client based.
     
  7. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    It's not client-based as in on your computer, but it's possibly the Norton corporate firewall on the affected webserver.

    We are working on the ABX toolbar and other spyware that gets downloaded and should be able to post more info later today about that.
     
  8. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Cute little tool bar....NOT :mad:

    <object classid="clsid:6E6AA6C7-DD03-43BF-B63E-DC7ABC6F713D" codebase="abx_search.cab" name="tb_object" height=0 width=0></object>

    [abx_search.dll]
    clsid={92F02779-6D88-4958-8AD3-83C12D86ADC7}
     
  9. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Thanx Bubba for this clsid...users should definitely put this into block mode.

    Thanx!!
     
  10. Lurkerella

    Lurkerella Guest

    Asking? Where do we put it, to block it? Like with Firefox or IE? I have programs that block things but there is no place to add my own. o_O
     
  11. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Placing the 3 domains mentioned in the Sans article into IE's Restricted Zone will go a long ways in protecting you....especially if you have IE's Internet Zone at default.

    7sir7.com
    123xxl.com
    abx4.com
     
  12. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I would be more inclined to add the IP numbers to the firewall block list if you have a firewall capable of doing that. That way no other programs are capable of connecting to those sites.
     
  13. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    The trouble with just adding domains is that other domains that are also dodgy use the same IP address.

    I have found another domain also at the same address, 3sistersmassage.com, so if you do what Bubba says, add that as well.

    They seem to be using it as a reseller or as a domain for lots of other users to have web sites on, and I think that is why it's preferable to block the IP number rather than the domain name wherever possible.
     
  14. Lurkerella

    Lurkerella Guest

    Thank you Derek and Bubba!

    Yes, I feel more secure with the address than just the name, names change so fast.

    Well, here is another vulnerability for someone with patience, smarts, chutzpah and helpful friends to work on!

    I just know you are out there! :)
     
  15. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Very good point Derek....and for those that wish to continue using IE it's just one more reason to NOT allow script to run freely in the Internet Zone unless you are prepared for the consequences.
     
  16. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
  17. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    Wouldn't keeping all of one's important financial sites in the Hosts file help to prevent this?

    Acadia
     
  18. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    Last edited: Mar 10, 2005