DNS poisoners hijack typo domains

August 22, 2008 – 8:22 AM

Websense, the security services provider, has reported a successful cache-poisoning attack on the name servers of one of the largest Chinese ISPs. Netcom customers are said to have been steered by criminals to manipulated pages on which exploits for RealPlayer, Microsoft Snapshot Viewer, Adobe Flash Player and Microsoft Data Access Components attempted to install malware on their PCs.

The criminals went about their attack somewhat subtly: instead of replacing the cached addresses of prominent web sites, they only changed the address of the ISP's own advertising page. Users land on this page when the domain name they requested does not exist, for example because they mistyped the URL. ISPs use this redirection of failed lookups, a practice usually lumped together with typosquatting, to advertise available domains or their own products. In the present case, however, clients did not end up on the ISP's advertising page but on pages that tried to plant a trojan. Because only mistyped names were affected, the hijack stayed invisible to anyone checking the cache entries of well-known sites.

Evidently, the cause of the problem is that the source port randomisation patches for recursive queries, released this summer to make the well-known cache-poisoning attack impractical, had not been applied to the Netcom name servers. Previously, the only officially reported successful cache-poisoning attack concerned AT&T. Dan Kaminsky last reported on the patch status of the Fortune 500 companies at the Black Hat security conference, saying that around 70 per cent of them had applied the patch.
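The quick check an operator would want after reading this is whether their own resolver actually randomises the source port of its outgoing queries. The following Python script is an added example, not code from the article, Websense or Netcom. It takes observations of a resolver's outgoing queries as (source port, transaction ID) pairs, such as one would pull from a packet capture of the resolver's traffic towards authoritative servers, labels the port allocator as fixed, sequential or randomised, and estimates how many bits an off-path attacker has to guess per spoofed answer. The three sample sets and the `make_samples` helper are constructed for illustration.

```python
"""Heuristic check for DNS resolver source-port randomisation.

Added example; not code from the article or from any named vendor.
Input is a list of (source_port, txid) pairs observed on a resolver's
outgoing queries. All sample data below is constructed.
"""
import math
import random
from collections import Counter


def entropy_bits(values):
    """Shannon entropy (bits) of the empirical distribution of `values`."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def sequential_fraction(values):
    """Fraction of consecutive observations that increase by exactly one
    (modulo 2^16), the signature of a 'next port' allocator."""
    if len(values) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(values, values[1:]) if (b - a) % 65536 == 1)
    return steps / (len(values) - 1)


def classify_ports(ports):
    """Label the allocator: 'fixed', 'sequential' or 'randomized'."""
    if len(set(ports)) == 1:
        return "fixed"
    if sequential_fraction(ports) > 0.9:
        return "sequential"
    return "randomized"


def spoof_guess_bits(samples):
    """Estimated bits an off-path attacker must guess per spoofed reply:
    transaction-ID entropy plus source-port entropy. The 2008 patches add
    the second term; a fixed or sequential port is predictable and counts
    as zero. Empirical entropy is capped at log2(len(samples)), so for a
    small capture this is a lower bound, not the true key space."""
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    port_bits = entropy_bits(ports) if classify_ports(ports) == "randomized" else 0.0
    return entropy_bits(txids) + port_bits


def make_samples(kind, n=2000, seed=1):
    """Constructed observations for the three allocator types (assumption:
    transaction IDs are already random in all three cases)."""
    rng = random.Random(seed)
    txids = [rng.randrange(65536) for _ in range(n)]
    if kind == "fixed":            # unpatched: every query leaves from one port
        ports = [32768] * n
    elif kind == "sequential":     # predictable allocator: port increments by one
        ports = [1024 + i for i in range(n)]
    else:                          # patched: random ephemeral port per query
        ports = [rng.randrange(1024, 65536) for _ in range(n)]
    return list(zip(ports, txids))


def report(samples):
    """Summary a practitioner can act on."""
    ports = [p for p, _ in samples]
    return {
        "allocator": classify_ports(ports),
        "distinct_ports": len(set(ports)),
        "guess_bits": round(spoof_guess_bits(samples), 1),
    }


if __name__ == "__main__":
    for kind in ("fixed", "sequential", "randomized"):
        print(kind, report(make_samples(kind)))
```

With only a transaction ID to guess, an attacker who floods spoofed answers needs on the order of 2^16 attempts; a randomised port roughly squares that effort, which is what the summer's patches were meant to achieve. Note that a NAT device in front of the resolver can rewrite the ports back into a sequential range, so the capture should be taken on the outside of any NAT.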

