Brazil is currently under a massive DNS cache poisoning attack, reports Kaspersky Labs. When a user tries to visit popular local and global sites such as Google, Yahoo and Facebook, a pop-up like the one shown below is displayed. It asks the user to download a security suite called Google Defender in order to access the site.
As Kaspersky’s Fabio Assolini explains in his blog post,
In reality, though, this file is a Trojan banker detected by Kaspersky’s heuristic engine. Research into this IP highlighted several malicious files and exploits hosted there:
In fact, the file ad.html is an encrypted script, exploiting CVE-2010-4452 and running arbitrary code in an old installation of JRE. The exploit, detected by us as Exploit.Java.CVE-2010-4452.a, calls up one of the files in this list. According to statistics in KSN (Kaspersky Security Network), all the infected users are from Brazil; we registered more than 800 attempts to access this site which were thwarted by our web antivirus.
The attack has been going on for some time. It is suspected that employees of ISP companies, who had access to DNS records, were paid to change them in order to redirect the users to malicious sites. Fabio also notes that an arrest has already been made in this case by the Brazilian Federal Police. The accused (who is an employee of an ISP company) allegedly changed the DNS records over a 10 month period.
So, if you are from Brazil and have experienced similar pop-ups, we recommend that you do not click them. Follow the usual procedures: update your OS, your security software and all other installed programs, and run a complete system scan. Kaspersky also suggests changing your DNS provider to one other than your ISP, such as OpenDNS or Google DNS.
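One way to check whether your ISP's resolver is handing out tampered answers, as an added example that is not part of Kaspersky's report: query a domain through the ISP resolver and through a public resolver with a small stdlib-only DNS client, then flag names whose address sets do not overlap. The resolver addresses, domain names and sample packets are assumptions chosen for illustration.

```python
import socket, struct, secrets

def build_query(name, txid):
    # Minimal DNS query: header (RD=1, one question) + QNAME + QTYPE=A, QCLASS=IN
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [l.encode() for l in name.strip(".").split(".")]
    return header + b"".join(bytes([len(l)]) + l for l in labels) + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(msg, off):
    # Advance past a domain name, which may end in a 2-byte compression pointer
    while True:
        n = msg[off]
        if (n & 0xC0) == 0xC0:
            return off + 2
        if n == 0:
            return off + 1
        off += n + 1

def parse_a_records(msg, txid):
    # IPv4 addresses from the answer section; drop replies with a wrong txid or non-NOERROR RCODE
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or (flags & 0x000F) != 0:
        return set()
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    ips = set()
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.add(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return ips

def resolve(name, server, timeout=3.0):
    # Send one UDP query to `server` (an assumed resolver IP) and parse the A records it returns
    txid = secrets.randbelow(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, txid)

def find_discrepancies(isp_answers, trusted_answers):
    # Names whose ISP addresses share nothing with the trusted resolver's; CDN geo-routing
    # can also cause this, so treat a hit as a lead to verify, not as proof of poisoning
    return sorted(n for n, ips in isp_answers.items()
                  if ips and trusted_answers.get(n) and not (ips & trusted_answers[n]))
```

Typical use is `find_discrepancies({n: resolve(n, isp_ip) for n in names}, {n: resolve(n, "8.8.8.8") for n in names})` with `isp_ip` taken from your network settings and `names` being the sites you visit most; 8.8.8.8 (Google Public DNS) or 208.67.222.222 (OpenDNS) serve as the trusted side.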