Massive DNS Poisoning Affects Major Brazilian ISPs
By Nithin Ramesh on November 8th, 2011

Brazil is currently under a massive DNS cache poisoning attack, Kaspersky Lab reports. When a user tries to visit popular local and global sites such as Google, Yahoo and Facebook, a popup like the one shown below is displayed, asking the user to download a "security suite" called Google Defender in order to access the site.

[Image: the fake "Google Defender" download popup]

As Kaspersky’s Fabio Assolini explains in his blog post,

In reality, though, this file is a Trojan banker detected by Kaspersky’s heuristic engine. Research into this IP highlighted several malicious files and exploits hosted there:

80.XX.XX.198/Google_setup.exe
80.XX.XX.198/google_setup.exe
80.XX.XX.198/Google_Setup.exe
80.XX.XX.198/ad2.html
80.XX.XX.198/flash.jar
80.XX.XX.198/FaceBook_Complemento.exe
80.XX.XX.198/ad.html
134XX69350/AppletX.class
80.XX.XX.198/YouTube_Setup.exe
80.XX.XX.198/FlashPlayer.class
80.XX.XX.198/google2.exe
80.XX.XX.198/crossdomain.xml
80.XX.XX.198/favicon.ico

In fact the file ad.html is an encrypted script, exploiting CVE-2010-4452 and running arbitrary code in an old installation of JRE. The exploit detected by us as Exploit.Java.CVE-2010-4452.a calls up one of the files in this list. According to statistics in KSN (Kaspersky Security Network) all the infected users are from Brazil; we registered more than 800 attempts to access this site which were thwarted by our web antivirus.

The attack has been going on for some time. It is suspected that employees of ISP companies who had access to the DNS records were paid to change them in order to redirect users to malicious sites. Whether the bogus records were injected into resolver caches or edited directly by insiders, the effect is the same: the ISPs' own recursive resolvers were handing out attacker-chosen addresses, so every customer relying on them was affected no matter how well patched their own machine was. Fabio also notes that the Brazilian Federal Police have already made an arrest in this case. The accused, an employee of an ISP, allegedly altered the DNS records over a 10 month period.

So, if you are in Brazil and have seen similar pop-ups, do not click on them. Follow the usual procedures: update your OS, your security software and all other installed programs, and run a complete system scan. Kaspersky also suggests switching your DNS provider from your ISP's resolvers to a third party such as OpenDNS or Google DNS. A quick way to tell whether your resolver is lying is to ask it and an independent resolver for the same name and compare the addresses they return.
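The comparison check above, written out as an added example (it is not code from Kaspersky or from this article): a minimal DNS wire-format builder and parser so it needs no third-party modules, a function that flags any resolver whose A-record answer disagrees with the majority, and an offline demo that feeds it constructed responses in which an assumed "isp-resolver" returns a rogue address from the documentation range 192.0.2.0/24. The resolver names, the query name and all IP addresses in the demo are assumptions; the live path at the bottom sends real UDP queries to 8.8.8.8 (Google DNS) and 208.67.222.222 (OpenDNS) and needs network access.

```python
"""Detect a lying resolver by comparing A-record answers across resolvers.

Added example, not from the original post. Packets in demo() are constructed
here; only query_resolver() talks to the network.
"""
import socket
import struct
from collections import Counter


def build_query(name, qid):
    """Build a standard recursive A/IN query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD set; 1 question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(data, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, jumped, end = [], False, off
    while True:
        ln = data[off]
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            break
        labels.append(data[off:off + ln].decode())
        off += ln
    return ".".join(labels), end


def parse_a_records(data, expected_qid):
    """Return the A records in a response; reject wrong IDs and error RCODEs."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if qid != expected_qid:
        raise ValueError("transaction ID mismatch")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):                      # skip the echoed question section
        _, off = _read_name(data, off)
        off += 4
    ips = []
    for _ in range(an):
        _, off = _read_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return ips


def build_response(query, ips):
    """Constructed test helper: answer a query with one A RR per IP (TTL 60)."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(ips), 0, 0)  # QR, RD, RA set
    rrs = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
                   for ip in ips)            # 0xC00C = pointer to the question name
    return header + query[12:] + rrs


def flag_outliers(answers):
    """{resolver: [ips]} -> {resolver: [ips]} for resolvers that disagree with the majority.
    Use at least three resolvers; with two there is no majority to trust."""
    keyed = {r: frozenset(ips) for r, ips in answers.items()}
    majority, _ = Counter(keyed.values()).most_common(1)[0]
    return {r: sorted(ips) for r, ips in keyed.items() if ips != majority}


def query_resolver(resolver, name, qid=0x1234, timeout=2.0):
    """Live lookup of one name against one resolver over UDP (network required)."""
    q = build_query(name, qid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, qid)


def demo():
    """Offline run on constructed packets: the assumed ISP resolver hands out a rogue address."""
    q = build_query("www.example.com", 0x1234)
    answers = {
        "isp-resolver": parse_a_records(build_response(q, ["192.0.2.10"]), 0x1234),
        "8.8.8.8": parse_a_records(build_response(q, ["198.51.100.5"]), 0x1234),
        "208.67.222.222": parse_a_records(build_response(q, ["198.51.100.5"]), 0x1234),
    }
    return flag_outliers(answers)


if __name__ == "__main__":
    print(demo())  # -> {'isp-resolver': ['192.0.2.10']}
    # Live check: replace the first entry with your ISP's resolver address.
    # for r in ("8.8.8.8", "208.67.222.222"):
    #     print(r, query_resolver(r, "www.google.com"))
```

Agreement between resolvers is not proof of a clean answer (a site served from a CDN legitimately returns different addresses from different vantage points, and a compromised majority would pass), but a single resolver pointing a well-known name at an address nobody else returns is exactly the symptom described in this incident and is worth checking before clicking anything a "popup" asks for.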

Author: Nithin Ramesh
Nithin is a blogger and a Windows security enthusiast. He is currently pursuing a Bachelor's degree in Electronics and Communication. Apart from technology, his other interests include reading and rock music. His Twitter handle is @nithinr6 and he can be contacted at nithin@techie-buzz.com.

Copyright 2006-2012 Techie Buzz. All Rights Reserved.