Websense Inc., a large company that offers Web security filtering solutions, has discovered that the DNS servers of China Netcom (CNC), one of the leading Internet service providers, are compromised. The servers are suffering from the injection of poisoned DNS records, the result of exploiting the flaw in the DNS protocol itself that was revealed earlier this year by Dan Kaminsky. The DNS flaw is considered one of the biggest security problems ever discovered, and it was kept secret for a time in an attempt to find a solution quickly. If the vulnerability is exploited successfully, an attacker can inject false DNS records into a DNS server. This makes it possible for users to be redirected to a malicious Web site even when they try to access an otherwise genuine URL.
The security researchers and companies working on the problem developed a patch that has been deployed to an impressive number of DNS servers around the world. But, as we previously reported, the patch proved to be less effective than hoped: it only lowers the success rate of an attack and increases the time needed to carry it out, rather than blocking such attempts completely.
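The attack the patch only slows down works by flooding a resolver with forged answers for a random subdomain, guessing the transaction ID (and, after the patch, the UDP source port). That burst is visible on the resolver side. The following detector is an added example, not Websense's or CNC's code; it assumes a simplified response log and uses constructed sample data rather than real CNC traffic.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsResponse:
    ts: float      # arrival time in seconds
    qname: str     # question name carried in the response
    txid: int      # 16-bit transaction ID carried in the response
    dst_port: int  # UDP port on the resolver the response was addressed to


def classify(responses, outstanding):
    """Count, per name, responses that match the resolver's outstanding
    query (right txid AND right port) versus those that do not."""
    counts = defaultdict(lambda: {"matched": 0, "mismatched": []})
    for r in responses:
        if outstanding.get(r.qname) == (r.txid, r.dst_port):
            counts[r.qname]["matched"] += 1
        else:
            counts[r.qname]["mismatched"].append(r.ts)
    return counts


def poisoning_candidates(responses, outstanding, min_mismatched=20, window=2.0):
    """Names that received >= min_mismatched non-matching responses within
    `window` seconds: the burst a Kaminsky-style guessing attack produces.
    A single stray or late duplicate answer does not trip the threshold."""
    flagged = []
    for qname, c in classify(responses, outstanding).items():
        ts = sorted(c["mismatched"])
        for i in range(len(ts) - min_mismatched + 1):
            if ts[i + min_mismatched - 1] - ts[i] <= window:
                flagged.append(qname)
                break
    return flagged


def constructed_sample():
    """Constructed log (hypothetical names, not real CNC data): one genuine
    answer, one stale reply with an old txid, and a 60-response forgery burst."""
    outstanding = {"www.example.com.": (0x1A2B, 53000),
                   "q7x2pz.example.com.": (0x7C4D, 53001)}
    responses = [DnsResponse(1.000, "www.example.com.", 0x1A2B, 53000),
                 DnsResponse(1.400, "www.example.com.", 0x1A2A, 53000)]
    responses += [DnsResponse(5.0 + i * 0.001, "q7x2pz.example.com.", 0x7000 + i, 53001)
                  for i in range(60)]
    return responses, outstanding


if __name__ == "__main__":
    resp, out = constructed_sample()
    print(poisoning_candidates(resp, out))  # ['q7x2pz.example.com.']
```

A flagged name is a prompt to compare the resolver's cached answer for that zone against the authoritative servers and to verify that source-port randomization is actually in effect.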
The security researchers at Websense's lab in Beijing discovered the attack by mistyping a URL. Some of the researchers who work at the lab have Netcom as their Internet service provider. When a user enters an address that does not exist into the browser address bar, Netcom's DNS servers are supposed to redirect him to a local ad service instead of an error page. ISPs use this type of method to generate additional revenue.
The successful exploitation of the vulnerability in CNC's DNS servers made it possible for attackers to redirect users to rogue Web sites instead of the ads. These sites contain an iframe that serves malicious code in an attempt to exploit vulnerabilities in browser plug-ins, such as RealPlayer and Flash Player, or in desktop applications such as Microsoft Snapshot Viewer.
Carl Leonard, Security Research Manager at Websense's European lab, noted that other DNS poisoning attacks have also been observed; what makes this attack so interesting is the method used, which suggests that "the malcode authors are trying to keep under the radar." If the vulnerabilities in the above-mentioned applications are exploited successfully, a Trojan is downloaded onto the victim's computer. Although these applications have been patched by their developers, the fact that the attackers still chose this approach makes Mr. Leonard think that "people have not applied these patches."
There are other, more effective ways to distribute malware via DNS poisoning, but while those attacks have a greater impact and can affect a larger number of users, they are also easier to detect and block. This particular attack was intended to be low-profile and to last longer, and even though China Netcom has been notified, it is still uncertain whether the affected servers have been patched.