Tuesday, November 8, 2011

Brazilian ISPs Faced DNS Cache Poisoning Attack

Malware authors are using every method available, novel ones included, to trick unsuspecting users into downloading their software or to redirect them to websites that encourage them to do so. Recently, it was reported that malware writers used IP cloaking to circumvent Google's web malware detection.

Similarly, it was also reported that a number of Google Images results are infected with malware that misdirects users to pages selling fake anti-virus scareware, which try to convince users that they must download the program to avoid viruses. Of course, Google is doing its level best to minimise the threat posed by this malware.

Malware writers have also been targeting the Domain Name System (DNS) to spread malware through methods such as DNS cache poisoning. In this method, malicious data that did not originate from an authoritative DNS source is introduced into a DNS name server's cache. DNS cache poisoning can also occur unintentionally, without any malicious intent, because of a misconfigured DNS cache or improper software design in DNS applications.

A DNS cache poisoning attack against several Brazilian ISPs has exposed large numbers of their subscribers to malware when they attempt to visit Hotmail, Gmail and other trusted websites. According to the report, the attack works by poisoning the DNS cache that the service providers use to translate domain names such as google.com into IP addresses such as 74.125.224.144. By replacing legitimate IP addresses with ones leading to servers controlled by the attackers, the attack surreptitiously directs end users to sites that exploit software vulnerabilities on their computers or trick them into installing malware.
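The following is an added example, not code from the original post or from any of the ISPs or resolvers it mentions. It is a simplified model of the acceptance checks a hardened caching resolver applies before it lets a response into its cache: the reply must match an outstanding query's transaction ID, source port and question section, records outside the bailiwick of the zone being queried are discarded rather than cached, and TTLs are capped. The scenario, transaction IDs, port numbers and the attacker address 203.0.113.5 (a documentation range) are constructed; the forged "additional" record for www.hotmail.com illustrates how a response for one name could otherwise plant an entry for a completely different site, which is the effect described above. Real resolvers perform these checks on wire-format packets; this model works on plain Python objects.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_TTL = 86400  # cap on how long any record may live in the cache (one day)


@dataclass(frozen=True)
class RR:
    """One resource record: owner name, type, rdata and time-to-live."""
    name: str
    rtype: str
    rdata: str
    ttl: int


@dataclass
class Query:
    txid: int       # 16-bit transaction ID chosen by the resolver
    qname: str
    qtype: str
    src_port: int   # randomised source port; replies must come back to it


@dataclass
class Response:
    txid: int
    dst_port: int
    qname: str
    qtype: str
    answers: List[RR]
    additional: List[RR]


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is the zone apex or lies beneath it (case-insensitive)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


class ResolverCache:
    def __init__(self) -> None:
        self.cache: Dict[Tuple[str, str], RR] = {}
        self.pending: Dict[int, Query] = {}

    def send_query(self, txid: int, qname: str, qtype: str, src_port: int) -> None:
        """Record an outstanding query (the model does no real network I/O)."""
        self.pending[txid] = Query(txid, qname, qtype, src_port)

    def accept(self, resp: Response, zone: str) -> Tuple[bool, str, List[str]]:
        """Decide whether `resp` may enter the cache.

        Returns (accepted, reason, names_of_dropped_records). `zone` is the zone
        the queried server is authoritative for; records outside it are dropped.
        """
        q = self.pending.get(resp.txid)
        if q is None:
            return False, "no outstanding query with that transaction id", []
        if resp.dst_port != q.src_port:
            return False, "reply not addressed to the port the query left from", []
        if (resp.qname.lower(), resp.qtype) != (q.qname.lower(), q.qtype):
            return False, "question section does not match the query", []
        kept, dropped = [], []
        for rr in resp.answers + resp.additional:
            (kept if in_bailiwick(rr.name, zone) else dropped).append(rr)
        del self.pending[resp.txid]  # one reply per query; late duplicates are ignored
        for rr in kept:
            self.cache[(rr.name.lower(), rr.rtype)] = RR(
                rr.name.lower(), rr.rtype, rr.rdata, min(rr.ttl, MAX_TTL))
        return True, f"cached {len(kept)} record(s)", [rr.name for rr in dropped]

    def lookup(self, name: str, rtype: str) -> Optional[str]:
        rr = self.cache.get((name.lower(), rtype))
        return rr.rdata if rr else None


def demo() -> dict:
    """Constructed scenario: the resolver asks google.com's server for www.google.com A."""
    cache = ResolverCache()
    zone = "google.com"
    cache.send_query(txid=0x1A2B, qname="www.google.com", qtype="A", src_port=51234)

    # Forged reply that guessed the transaction ID wrong: never reaches the cache.
    wrong_txid = Response(0x1A2C, 51234, "www.google.com", "A",
                          [RR("www.google.com", "A", "203.0.113.5", 3600)], [])
    r1 = cache.accept(wrong_txid, zone)

    # Reply with the genuine answer but an out-of-bailiwick record smuggled into
    # the additional section; the answer is cached, the hotmail.com record is not.
    mixed = Response(0x1A2B, 51234, "www.google.com", "A",
                     [RR("www.google.com", "A", "74.125.224.144", 300)],
                     [RR("www.hotmail.com", "A", "203.0.113.5", 86400 * 30)])
    r2 = cache.accept(mixed, zone)

    # A second copy of the same reply arrives after the query was satisfied: ignored.
    r3 = cache.accept(mixed, zone)

    return {
        "wrong_txid_accepted": r1[0],
        "google_answer": cache.lookup("www.google.com", "A"),
        "hotmail_answer": cache.lookup("www.hotmail.com", "A"),
        "dropped": r2[2],
        "replay_accepted": r3[0],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The model deliberately stops short of DNSSEC: the checks above make a blind spoofer's job harder and keep one zone's server from planting records for another, but they do nothing against an insider who edits the cache directly, as in the Brazilian case; only signed data that the resolver verifies (the subject of the DNSSEC paragraph below) protects against that.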

DNS cache poisoning is frequently carried out by exploiting long-standing security vulnerabilities in DNS, but at least some of the recent attacks in Brazil appear to be the result of a rogue insider at one of the targeted ISPs. In fact, a 27-year-old employee of a medium-sized provider in the south of the country has been arrested and accused of participating in the scheme. Over a 10-month period the accused employee had altered the ISP's DNS cache, redirecting all of its users to phishing websites.

Companies are also reporting attacks that change the DNS configuration of their routers and modems. As a result, when employees try to visit websites, they are shown pages instructing them to install a malicious Java applet.

ICANN is well aware of these threats and concerns. In fact, ICANN has been considering the use of Domain Name System Security Extensions (DNSSEC) for securing the DNS. DNSSEC is a set of extensions to DNS that provide DNS clients (resolvers) with origin authentication of DNS data, authenticated denial of existence and data integrity, but not availability or confidentiality.

Although people browsing the Internet often take it for granted that the sites they visit are created and operated by their purported owners, criminals with knowledge of the Internet's addressing system can create counterfeit websites that look like the real thing but capture users' private information. DNSSEC guards against this threat by letting a resolver verify that the DNS answers it receives are genuine.
