Massive DNS poisoning: What happened to Brazilian ISPs?

What is the purpose of DNS cache poisoning attacks?

DNS cache poisoning is an attack technique used to compromise the Domain Name System: it works by introducing data into a DNS name server's cache that did not originate from authoritative sources. Since a domain name server translates a domain name into the IP address of a specific host, poisoning a DNS cache makes it possible to force the server to return an incorrect IP address, and thus to redirect traffic to another destination.

In this way, trusted URLs may be associated with rogue IP addresses, so that a user can be exposed to phishing, exploits or other malicious websites. The redirection is completely transparent: users simply type the URL of the desired website into their browser. It only takes one malicious change, and it is not hard to imagine how devastating the damage caused by a rogue DNS server can be.

The DNS is a massive distributed database with billions of domain names and IP addresses. The system handles billions of requests every day as people surf the internet, send email and create new websites.

In recent weeks, according to Fabio Assolini, a Kaspersky Lab threat expert, several Brazilian ISPs have fallen victim to a series of DNS cache poisoning attacks. Users were redirected to an infected website that attempted to install malware on their machines before they were connected to the desired sites. Some incidents have also featured attacks on network devices, where routers or modems were compromised remotely. Consider that Brazil has more than 73 million computers that access the internet through the main ISPs, and that this massive attack was directed at a huge number of customers. Each of them was unable to reach major websites such as YouTube, Gmail and Hotmail. In all cases, users were asked to run a malicious file as soon as the website opened; it was presented as 'Google Defence' software required to use the search engine. According to Kaspersky's threat researcher, the file is in fact a banking trojan that exploits CVE-2010-4452 to run arbitrary code on an old installation of the JRE.

DNS cache poisoning attacks are primarily used to redirect users to phishing websites or to infected websites that try to install malware. Similar attacks have been carried out against the network devices of some companies, which reported that attackers gained remote access to their routers in order to change the DNS configuration. The observed effect is the same: when employees of the attacked companies tried to open any website, they were asked to execute a malicious Java applet.
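One way a resolver operator or analyst could spot this kind of mass redirection in resolver query logs (an added example, not code from the original post or from Kaspersky): several unrelated, high-traffic domains suddenly resolving to one and the same address. The log format and the addresses below are constructed for the example; since CDNs and shared hosting also serve many domains from one address, an allowlist of known shared addresses is assumed to be applied before alerting.

```python
import re
from collections import defaultdict

# Constructed sample resolver log lines (not real traffic). Three unrelated
# high-traffic domains resolve to one address, the pattern produced by a
# poisoned cache; the example.org hosts are legitimately co-located.
SAMPLE_LOG = """\
2011-11-07T09:12:01 client=10.1.2.3 q=www.youtube.com type=A answer=203.0.113.45
2011-11-07T09:12:02 client=10.1.2.9 q=mail.google.com type=A answer=203.0.113.45
2011-11-07T09:12:03 client=10.1.4.1 q=www.hotmail.com type=A answer=203.0.113.45
2011-11-07T09:12:04 client=10.1.2.3 q=www.example.org type=A answer=198.51.100.20
2011-11-07T09:12:05 client=10.1.7.7 q=static.example.org type=A answer=198.51.100.20
"""

LINE_RE = re.compile(r"q=(?P<qname>\S+) type=A answer=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")

# Assumed allowlist of addresses known to legitimately serve many domains
# (CDNs, shared hosting); populate it from your own inventory.
KNOWN_SHARED_HOSTS = set()

def registered_domain(qname):
    """Reduce a hostname to its registered domain (naive: last two labels)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def parse_answers(log_text):
    """Extract (qname, answer_ip) pairs from A-record answer lines."""
    pairs = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            pairs.append((m["qname"], m["ip"]))
    return pairs

def suspicious_answers(log_text, min_domains=3, allowlist=KNOWN_SHARED_HOSTS):
    """Map each answer IP that serves >= min_domains distinct registered
    domains to the sorted list of those domains; allowlisted IPs are skipped."""
    domains_by_ip = defaultdict(set)
    for qname, ip in parse_answers(log_text):
        domains_by_ip[ip].add(registered_domain(qname))
    return {ip: sorted(doms) for ip, doms in domains_by_ip.items()
            if ip not in allowlist and len(doms) >= min_domains}

if __name__ == "__main__":
    for ip, doms in suspicious_answers(SAMPLE_LOG).items():
        print(f"possible redirection: {ip} answers for {', '.join(doms)}")
```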


But how is it possible to attack network devices directly? The main problems affecting network devices are:

  • Weak default passwords
  • Insecure default configurations
  • No password management policy
  • Firmware vulnerabilities

The possible consequences of unauthorized access to a router are:

  • The capture of network traffic
  • The risk of open backdoors (port forwarding)
  • The ability to eavesdrop on VoIP conversations
  • The theft of WEP/WPA keys
  • The possibility to change a device’s configuration, password included

How can the problem of DNS poisoning be mitigated?

Cache poisoning can be prevented on DNS servers by introducing mechanisms that increase the level of trust in the information passed to them by other DNS servers. Versions of BIND can do this.
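As an added illustration (not code from BIND or from the original article), a simplified model of the resolver-side checks referred to above: a reply is accepted only if its transaction ID, destination port and question match the outstanding query, and records outside the bailiwick of the server that was queried are discarded instead of being cached. The query, reply and record values are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    """One resource record from a reply, with the section it came from."""
    name: str
    rtype: str
    rdata: str
    section: str  # "answer", "authority" or "additional"

def in_bailiwick(name, zone):
    """True if name is at or below zone, the scope the queried server owns."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)

def accept_response(query, response):
    """Accept a reply only if its transaction ID, destination port (the query's
    randomized source port) and question all match; forged replies are dropped."""
    same_name = response["qname"].rstrip(".").lower() == query["qname"].rstrip(".").lower()
    return (response["id"] == query["id"] and response["dst_port"] == query["src_port"]
            and same_name and response["qtype"] == query["qtype"])

def cacheable_records(zone, records):
    """Keep only records the queried server is authoritative for; anything
    outside its bailiwick (e.g. an A record for an unrelated domain) is discarded."""
    return [rr for rr in records if in_bailiwick(rr.name, zone)]

def process(query, reply, zone):
    """Return the records that would enter the cache, or [] if the reply is rejected."""
    if not accept_response(query, reply):
        return []
    return cacheable_records(zone, reply["records"])

# Constructed example: the resolver asked ns1.example.com (authoritative for
# example.com) for www.example.com, using a random source port and ID 0x4E21.
QUERY = {"id": 0x4E21, "src_port": 51723, "qname": "www.example.com", "qtype": "A"}
REPLY = {"id": 0x4E21, "dst_port": 51723, "qname": "www.example.com", "qtype": "A",
         "records": [
             RR("www.example.com", "A", "198.51.100.10", "answer"),
             RR("example.com", "NS", "ns1.example.com", "authority"),
             RR("ns1.example.com", "A", "198.51.100.1", "additional"),
             # Out-of-bailiwick "additional" record that tries to plant a bogus
             # address for an unrelated high-traffic domain: must not be cached.
             RR("www.youtube.com", "A", "203.0.113.45", "additional"),
         ]}
SPOOFED = dict(REPLY, id=0x4E22)  # a forged reply with the wrong transaction ID

if __name__ == "__main__":
    print("cached:", [rr.name for rr in process(QUERY, REPLY, "example.com")])
    print("forged reply cached:", process(QUERY, SPOOFED, "example.com"))
```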

Secure DNS (DNSSEC) uses cryptographic digital signatures, validated against a trusted public key, to verify the authenticity of DNS data. DNSSEC can counter cache poisoning attacks, but as of 2008 it was not yet widely deployed. In 2010 DNSSEC was implemented in the Internet root zone servers.

References

http://www.securelist.com/en/blog?author=52

http://www.dnssec.net/


Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
