[forward from namedroppers ietf dns wg mail list, of interest to nanog]

This just appeared on the SANS list. Time to stop arguing and get DNSSEC deployed.

Global DNS cache poisoning attack?; Update...

We are currently investigating a report from several sites that indicate users being re-directed to malware sites. At this time it appears to be a DNS cache poisoning attack (not a spyware, adware, or browser hijack) and we are seeking more information. Popular domain names such as google.com, ebay.com, and weather.com are being directed to the following servers. Of course when connecting to these servers, "bad things" (tm) will happen, so don't go to them.

www.7sir7.com (217.160.169.87)
123xxl.com (217.160.169.87, 207.44.240.79, 216.127.88.131)
abx4.com (217.160.169.87, 207.44.240.79, 216.127.88.131)

If your site has been affected, please submit the following information:

1. When the attack was first noticed and whether it is still occurring.
2. What DNS server software you have facing the Internet. This information will be kept in strictest confidence.
3. If you identified any other sites that users were being re-directed to (besides the ones listed above).

Updates will be made to this diary as we find out more information.

Update at 23:40 UTC

There appear to be two issues at hand. The first is the DNS cache poisoning. At this time, it appears to be affecting Symantec firewalls with DNS caching. If you recall, there was a vulnerability back in July that made these products very susceptible to DNS cache poisoning. Some victims have responded that they applied the patch, but were still affected. So this could be a different vulnerability or the patch didn't work properly. Maybe someone at Symantec could enlighten us?

http://securityresponse.symantec.com/avcenter/security/Content/2004.06.21.html

The second issue is the ABX toolbar spyware that gets loaded onto the machine when visiting the target servers. This appears to happen using an ActiveX control. Users running Windows XP SP2 or a web browser that does not support ActiveX will probably not get hit with the spyware if they visit the server. Unfortunately, information on the ABX toolbar spyware is very limited at this time and it doesn't seem to be detected yet by the normal toolset of spyware/antivirus tools.

In the meantime, we have been working to get the IP addresses and DNS servers supporting this attack shut down. Some of the IP addresses are already blackholed.

[eof]
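Added example, not part of the forwarded diary or anyone's post: a small Python self-check that asks the host's configured resolver for the names the diary says were redirected and flags an answer when it matches the addresses listed above or when several unrelated names collapse onto one address (the diary's symptom); the addresses used in the test are constructed documentation ranges.

```python
import socket
from collections import defaultdict

# Indicator addresses quoted in the SANS diary above.
KNOWN_BAD = {"217.160.169.87", "207.44.240.79", "216.127.88.131"}

# Names the diary reports as being redirected.
WATCHED = ["google.com", "ebay.com", "weather.com"]


def resolve_all(names):
    """Ask the host's configured resolver for every A record of each name."""
    answers = {}
    for name in names:
        try:
            _, _, addrs = socket.gethostbyname_ex(name)
            answers[name] = set(addrs)
        except socket.gaierror:
            answers[name] = set()  # NXDOMAIN/SERVFAIL: nothing to compare
    return answers


def analyze(answers, known_bad=KNOWN_BAD):
    """Return {name: reason} for resolver answers that look poisoned.

    Signal 1: an answer contains an address from the indicator list.
    Signal 2: unrelated names share one address, as google.com, ebay.com
    and weather.com did in the incident. Only meaningful for names that
    are not expected to share hosting, so keep WATCHED to unrelated sites.
    """
    flagged = {}
    for name, addrs in answers.items():
        hits = addrs & known_bad
        if hits:
            flagged[name] = "indicator match: " + ", ".join(sorted(hits))
    owners = defaultdict(set)
    for name, addrs in answers.items():
        for addr in addrs:
            owners[addr].add(name)
    for addr, names in owners.items():
        if len(names) > 1:
            for name in names:
                others = ", ".join(sorted(names - {name}))
                flagged.setdefault(name, f"shares {addr} with {others}")
    return flagged


if __name__ == "__main__":
    for name, reason in analyze(resolve_all(WATCHED)).items():
        print(f"{name}: {reason}")
```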
On Sat, 2005-03-05 at 14:43 -0800, william(at)elan.net wrote:
> Global DNS cache poisoning attack?; Update...
It's a bit frustrating that problems this old and well-known can actually be used to cause damage.

The easiest way to check if you are vulnerable to DNS poisoning is to try to poison yourself. Try my "poison yourself" page here:

http://ketil.froyn.name/poison.html

It tries to redirect www.example.com to a fake IP (the same one as I host my website on), where I have a virtualhost for www.example.com with a plain html page. It'll tell you if you were poisoned.

Cheers,
Ketil Froyn
On Mon, Mar 07, 2005 at 11:38:53AM +0000, Ketil Froyn said something to the effect of:
> On Sat, 2005-03-05 at 14:43 -0800, william(at)elan.net wrote:
> > Global DNS cache poisoning attack?; Update...
> It's a bit frustrating that problems this old and well-known can actually be used to cause damage.
Uh...see tcp ports 135 through 139, and give thought to smtp as a protocol. And I hear the water is lovely in nis, nfs, and rpc this time of year... ;P
> The easiest way to check if you are vulnerable to DNS poisoning is to try to poison yourself. Try my "poison yourself" page here:
Nice, handy resource. What's up with the patching problems, btw?

whee,
--ra

--
k. rachael treu, CISSP
rara@navigo.com
..quis custodiet ipsos custodes?..
> It tries to redirect www.example.com to a fake IP (the same one as I host my website on), where I have a virtualhost for www.example.com with a plain html page. It'll tell you if you were poisoned.
>
> Cheers, Ketil Froyn
participants (3)
- Ketil Froyn
- Rachael Treu
- william(at)elan.net