The SANS Internet Storm Center is warning of DNS attacks against potentially millions of Internet users. Incident handlers on Wednesday raised the Infocon threat level from green to yellow over DNS cache poisoning after receiving multiple reports of users whose computers were being redirected to malicious Web sites.
"The initial reports showed solid evidence of DNS cache poisoning, but there also seemed to be a spyware/adware/malware component at work," Marcus Sachs, ISC director, reported in the Handler's Diary. "After complete analysis, the attack involved several different technologies: dynamic DNS, DNS cache poisoning, a bug in Symantec firewall/gateway products, default settings on Windows NT4/2000, spyware/adware, and a compromise of at least five Unix Web servers."
In a DNS cache poisoning attack, an attacker injects a forged record into a recursive DNS server's cache so that a hostname resolves to an IP address of the attacker's choosing. Every client that relies on that server is then sent to the attacker's host, without any change to the client itself, until the bogus entry expires.
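The following is an added illustration, not code from the ISC diary or the article, of the classic pre-2008 poisoning mechanism in which an attacker's own name server smuggles an out-of-zone record into the "additional" section of a reply; it is one way such an attack works, not a claim about the exact vector used in this incident. It models a toy recursive-resolver cache with and without the bailiwick rule (only accept records for the zone the responding server is authoritative for). All domain names and addresses are constructed, using reserved test ranges.

```python
# Added example (not ISC's or any vendor's code): a toy resolver cache showing
# additional-section poisoning and the bailiwick check that blocks it.
# All names and addresses below are constructed (RFC 2606 / RFC 5737 ranges).
from dataclasses import dataclass


@dataclass
class RR:
    name: str      # owner name, e.g. "www.bank.test"
    rtype: str     # "A", "NS", ...
    rdata: str     # for A records, the IPv4 address as text
    ttl: int       # seconds the record may be cached


@dataclass
class DNSResponse:
    zone: str              # zone the responding server is authoritative for
    answers: list          # records that answer the question
    additional: list       # "helpful" extra records chosen by the responder


def _norm(name):
    return name.lower().rstrip(".")


def in_bailiwick(name, zone):
    """True if `name` is `zone` itself or a subdomain of it."""
    name, zone = _norm(name), _norm(zone)
    return name == zone or name.endswith("." + zone)


class ResolverCache:
    """Minimal cache. secure=True applies the bailiwick rule; secure=False mimics
    a resolver that trusts every record a server hands back."""

    def __init__(self, secure=True):
        self.secure = secure
        self.store = {}       # (name, rtype) -> (rdata, expires_at)
        self.rejected = []    # records dropped by the bailiwick check

    def ingest(self, resp, now):
        for rr in resp.answers + resp.additional:
            if self.secure and not in_bailiwick(rr.name, resp.zone):
                self.rejected.append(rr)
                continue
            # A naive cache happily overwrites an existing good entry here.
            self.store[(_norm(rr.name), rr.rtype)] = (rr.rdata, now + rr.ttl)

    def lookup(self, name, rtype, now):
        entry = self.store.get((_norm(name), rtype))
        if entry is None or entry[1] <= now:
            return None                      # miss or expired
        return entry[0]


BANK_IP = "198.51.100.10"     # constructed: the bank's real address
ATTACKER_IP = "192.0.2.66"    # constructed: attacker-controlled web server


def legitimate_bank_response():
    return DNSResponse("bank.test", [RR("www.bank.test", "A", BANK_IP, 3600)], [])


def poisoned_response():
    """Reply from the attacker's own authoritative server for attacker.test. The
    answer is honest; the additional section carries the forged bank record."""
    return DNSResponse(
        "attacker.test",
        [RR("www.attacker.test", "A", ATTACKER_IP, 60)],
        [RR("www.bank.test", "A", ATTACKER_IP, 86400)],   # out of bailiwick
    )


def demo(secure, now=1_000_000):
    """Return what www.bank.test resolves to after the attacker's reply arrives."""
    cache = ResolverCache(secure=secure)
    cache.ingest(legitimate_bank_response(), now)
    # Someone (possibly the attacker) asks the resolver for www.attacker.test;
    # the resolver chases it to the attacker's server and ingests the reply.
    cache.ingest(poisoned_response(), now + 10)
    return cache.lookup("www.bank.test", "A", now + 20)


if __name__ == "__main__":
    print("naive cache :", demo(secure=False))   # 192.0.2.66, poisoned
    print("secure cache:", demo(secure=True))    # 198.51.100.10, intact
```

Note that the forged record carries a long TTL, so a single successful injection keeps redirecting every client of that resolver for a day; the secure cache records the dropped record in `rejected`, which is the kind of event a real resolver should log.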
Users of Windows NT 4.0 and 2000 DNS servers are encouraged to follow the instructions on the Microsoft site to prevent cache poisoning attacks. A patch has been available for Symantec Gateway Security 5300 Series version 1.0 and 5400 Series version 2.x, Enterprise Firewall versions 7.0.x and 8.0 for Windows and
"We have received reports that Windows 2003 and NT4/2000 with the proper registry key settings are still vulnerable," Sachs said. "We are currently working with Microsoft to determine whether there is a bug or architectural problem in its DNS software."
Johannes Ullrich, ISC's CTO, said a group compromised a machine in Korea and set it up as a fake DNS server to spread adware. "The main threat, however, is that a user will type in a URL and get redirected to a malicious site. Right now the site is obviously fake, but it could be changed to look like a bank or other trusted site and steal confidential information."
The ISC site indicates that there were three separate DNS attacks in recent weeks, and reports indicate malware writers are refining their methods and tools to carry out the attacks. In particular, an attack that began April 1 remains ongoing, according to the handlers.
During the first attack [around Feb 22 to March 12], victims were being redirected to one of three compromised servers at colocation/Web hosting companies. Victims noticed the redirection because their Web surfing was affected. ISC said it also received reports of e-mails getting bounced, and a subsequent investigation of log files from those machines indicated that FTP logins, IMAP/POP logins, and SSH traffic were being redirected as well, since poisoned records affect every protocol that resolves the hostname, not just HTTP. The attacker had uploaded two client-side exploits for Internet Explorer to the compromised Unix machines to infect users redirected to those servers with a spyware program.
During the second attack [March 25], two malicious DNS servers redirected victims to a Web site selling popular prescription medication, but didn't host any malicious content, ISC said. The third attack is a continuation of the first attack with the same goal of installing a spyware program.
ISC believes the motivation for the attacks is simply money. "The end goal of the first attack was to install spyware/adware on as many Windows machines as possible. A good spyware/adware program can generate significant revenue for the attacker," according to the ISC site. The handlers believe that a pay-per-click (PPC) advertising scheme is likely behind the first and third attacks while the second attack was likely launched by a spammer contracting with an attacker.