DNS poisoning

Thread starter: plun

plun

Hi

Interesting article from SANS about DNS poisoning, spyware and the yellow alert in Infocon.


http://isc.sans.org/diary.php?date=2005-04-04

and

http://isc.sans.org/presentations/dnspoisoning.php

#############################################
## What was the motivation for this type of attack?
#############################################

The motivation for these attacks is very simple: money. The end goal of the first attack was to install spyware/adware on as many Windows machines as possible. A good spyware/adware program can generate significant revenue for the attacker.
 
I've seen this firsthand a number of weeks ago--very strange. In a small office with 4 PCs, a Mac, and a Windows 2000 server behind a DSL router, only the Mac had a problem. On the Mac, both browsers--IE and Apple's browser--had the same issue: attempts to reach properly typed URLs resulted in reaching one of those typical "search sites" that we see with spyware.

Was this spyware on the Mac? Something new that worked against both browsers? In the end we blamed DNS, and the problem went away, but not without considerable effort and angst on the part of the Mac's owner, who reinstalled the OS and did lots of research to try to solve the problem first. This happened weeks before I saw any mention of this issue at Sans.org--and early reports there didn't seem to fit our situation--they mentioned specific appliances that could be compromised--and in this case the issue was apparently the ISP's DNS. I think it was this issue however--the symptoms fit perfectly--but I haven't verified it with the ISP.
 
Bill said:
I've seen this firsthand a number of weeks ago--very strange. In a small office with 4 PCs, a Mac, and a Windows 2000 server behind a DSL router, only the Mac had a problem. On the Mac, both browsers--IE and Apple's browser--had the same issue: attempts to reach properly typed URLs resulted in reaching one of those typical "search sites" that we see with spyware.

Was this spyware on the Mac? Something new that worked against both browsers? In the end we blamed DNS, and the problem went away, but not without considerable effort and angst on the part of the Mac's owner, who reinstalled the OS and did lots of research to try to solve the problem first. This happened weeks before I saw any mention of this issue at Sans.org--and early reports there didn't seem to fit our situation--they mentioned specific appliances that could be compromised--and in this case the issue was apparently the ISP's DNS. I think it was this issue however--the symptoms fit perfectly--but I haven't verified it with the ISP.

Microsoft has updated this KB article about DNS poisoning:

http://support.microsoft.com/default.aspx?scid=kb;en-us;241352

And this was against Windows, because trojans were also downloaded.

#################################################
## What malware was placed on my machine if I visited the evil servers?
#################################################

The webservers in the first/third attack tried to drop a spyware program onto the victim's computer using a Microsoft Internet Explorer vulnerability for ANI cursor handling. The vulnerability was released on January 11, 2005 and further technical information can be found here:

http://www.microsoft.com/technet/security/Bulletin/MS05-002.mspx

Proof of concept exploit code was publicly released soon after the vulnerability was announced. The filenames being used in this attack were: abx.ani and abx22.ani. Using VirusTotal, these ANI files were detected as:

Kaspersky: Trojan-Downloader.Win32.Ani.d
McAfee: Exploit-ANIfile
BitDefender: Exploit.Win32.MS05-002.Gen

The ANI exploit attempted to download one of the following two executable files (same exact file) on the webserver: abx_search.exe or mhh.exe. These binaries were detected as:

Kaspersky: AdWare.ToolBar.SearchIt.h
Panda: Adware/AbxSearch

If you were infected by this toolbar, you should run your favorite spyware/adware program to identify and clean it from your computer.
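The SANS excerpt plun quotes names the vector (an ANI cursor file abusing the MS05-002 bug in Internet Explorer's cursor handling) and the filenames seen, which is what an incident responder has to work with when going through a browser cache or proxy logs. The scanner below is an added example written for this thread, not code from SANS, Microsoft or plun; it walks the RIFF chunk structure of a .ani file and reports any anih header chunk whose declared length, or embedded cbSizeof field, disagrees with the 36-byte ANIHEADER structure, which is the length the MS05-002 exploit files oversized as I understand the bug. The two sample files are constructed inline; the 36-byte figure comes from the Windows cursor format, while treating an oversized anih chunk as the tell for this exploit family is my assumption, not a signature taken from the page.

```python
import struct

ANIH_SIZE = 36  # sizeof(ANIHEADER): nine 32-bit fields, cbSizeof first


def walk_chunks(data, off, end, findings):
    """Yield (fourcc, payload_offset, declared_size) for the leaf chunks in
    data[off:end], descending into LIST containers.  A chunk whose declared
    size runs past its container is recorded in `findings` and stops the walk,
    since nothing after it can be trusted."""
    while off + 8 <= end:
        fourcc = data[off:off + 4]
        size = struct.unpack_from("<I", data, off + 4)[0]
        payload = off + 8
        if size > end - payload:
            findings.append("chunk %s at offset %d declares %d bytes but only %d remain"
                            % (fourcc.decode("latin-1"), off, size, end - payload))
            return
        if fourcc == b"LIST" and size >= 4:
            yield from walk_chunks(data, payload + 4, payload + size, findings)
        else:
            yield fourcc, payload, size
        off = payload + size + (size & 1)  # RIFF pads odd-length chunks to even


def scan_ani(data):
    """Return a list of findings for an animated-cursor file; an empty list
    means every anih header looks the way a well-formed cursor's should."""
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON file"]
    end = min(8 + struct.unpack_from("<I", data, 4)[0], len(data))
    for fourcc, payload, size in walk_chunks(data, 12, end, findings):
        if fourcc != b"anih":
            continue
        if size != ANIH_SIZE:  # the MS05-002 shape: a header chunk longer than the header
            findings.append("anih chunk at offset %d declares %d bytes, expected %d"
                            % (payload - 8, size, ANIH_SIZE))
            continue
        cb = struct.unpack_from("<I", data, payload)[0]
        if cb != ANIH_SIZE:
            findings.append("anih cbSizeof field is %d, expected %d" % (cb, ANIH_SIZE))
    return findings


# Helpers to construct sample files inline (test data, not real cursors).
def chunk(fourcc, payload):
    pad = b"\x00" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def riff_acon(*chunks):
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


def anih_header(frames=1, steps=1, rate=10):
    # cbSizeof, cFrames, cSteps, cx, cy, cBitCount, cPlanes, JifRate, flags (1 = AF_ICON)
    return struct.pack("<9I", ANIH_SIZE, frames, steps, 0, 0, 0, 0, rate, 1)


FRAME_LIST = chunk(b"LIST", b"fram" + chunk(b"icon", b"\x00" * 22))
BENIGN_ANI = riff_acon(chunk(b"anih", anih_header()), FRAME_LIST)
# Same layout, but the anih chunk carries 1024 bytes of filler instead of a header.
OVERSIZED_ANI = riff_acon(chunk(b"anih", b"A" * 1024), FRAME_LIST)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_ANI), ("oversized", OVERSIZED_ANI)):
        print(label, scan_ani(sample) or "clean")
```

Run it over a directory of recovered cache files and anything that is not "clean" deserves a look; the AV names SANS lists are the confirmation step, not the triage step.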
 
I know that DNS poisoning can affect Windows-based DNS servers. I've
changed the servers I administer not to forward to the ISP's servers for
that reason--a DNS server set to forward to a poisoned forwarder can become
infected through that route.

I'm not surprised that there was malware at the site that users were led
to--needless to say they didn't have anything that would affect the Mac, and
in this particular case, the Windows Server and Windows workstations in the
same office weren't affected.
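Bill's point about a forwarder being the infection route is the classic cache-pollution case: a poisoned upstream server answers a query for one zone and slips in records for names outside that zone, and a resolver that caches them now hands out the attacker's addresses for sites it was never asked about. The check below is an added example written for this thread, not code from the thread, from SANS or from Microsoft; it builds a constructed DNS response in memory (with name compression, since real responses use it), parses it, and reports every record whose owner name falls outside the zone the answering server should be speaking for. The zone, the sample names and the addresses are assumptions chosen for the demonstration.

```python
import socket
import struct

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME"}


class Builder:
    """Minimal DNS message writer with RFC 1035 name compression."""

    def __init__(self):
        self.buf = bytearray()
        self.names = {}  # name suffix -> offset of its first occurrence

    def name(self, n):
        labels = n.lower().rstrip(".").split(".")
        for i, label in enumerate(labels):
            suffix = ".".join(labels[i:])
            if suffix in self.names:  # already written: emit a pointer instead
                self.buf += struct.pack("!H", 0xC000 | self.names[suffix])
                return
            self.names[suffix] = len(self.buf)
            self.buf += bytes([len(label)]) + label.encode("ascii")
        self.buf += b"\x00"


def build_response(qname, qtype, answer, authority, additional):
    """Each RR is (owner, type, ttl, rdata); rdata is an IPv4 string for A
    records and a name for NS/CNAME."""
    b = Builder()
    b.buf += struct.pack("!HHHHHH", 0x1234, 0x8180, 1,
                         len(answer), len(authority), len(additional))
    b.name(qname)
    b.buf += struct.pack("!HH", qtype, 1)
    for rrs in (answer, authority, additional):
        for owner, rtype, ttl, rdata in rrs:
            b.name(owner)
            if rtype in (2, 5):  # NS/CNAME rdata is a (compressible) name
                b.buf += struct.pack("!HHIH", rtype, 1, ttl, 0)
                start = len(b.buf)
                b.name(rdata)
                struct.pack_into("!H", b.buf, start - 2, len(b.buf) - start)
            else:
                rd = socket.inet_aton(rdata)
                b.buf += struct.pack("!HHIH", rtype, 1, ttl, len(rd)) + rd
    return bytes(b.buf)


def decode_name(msg, off):
    """Return (fqdn, offset after the name), following compression pointers."""
    labels, end = [], None
    for _ in range(128):  # bound pointer chasing so a looping message cannot hang us
        length = msg[off]
        if length & 0xC0 == 0xC0:
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length
    else:
        raise ValueError("compression pointer loop")
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg):
    """Return (qname, qtype, {section: [(owner, type, ttl, rendered_rdata)]})."""
    _, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    qname, off = decode_name(msg, 12)
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    off += 4
    sections = {}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype in (2, 5):
                rdata, _ = decode_name(msg, off)
            elif rtype == 1 and rdlen == 4:
                rdata = socket.inet_ntoa(msg[off:off + 4])
            else:
                rdata = msg[off:off + rdlen].hex()
            off += rdlen
            rrs.append((owner, rtype, ttl, rdata))
        sections[sec] = rrs
    return qname, qtype, sections


def in_bailiwick(name, zone):
    name, zone = name.lower().rstrip(".") + ".", zone.lower().rstrip(".") + "."
    return name == zone or name.endswith("." + zone)


def out_of_bailiwick(msg, zone):
    """Every RR whose owner is not at or below `zone`: the records a resolver
    must drop rather than cache, whichever section they arrive in."""
    _, _, sections = parse_response(msg)
    return [(sec, owner, TYPE_NAMES.get(rtype, str(rtype)), rdata)
            for sec, rrs in sections.items()
            for owner, rtype, _, rdata in rrs
            if not in_bailiwick(owner, zone)]


# Constructed sample: what a poisoned example.com server might return for
# "www.example.com A".  The ns1 glue is legitimate; the www.microsoft.com
# record is the attacker's addition, aimed at a site nobody asked about.
SAMPLE_RESPONSE = build_response(
    "www.example.com", 1,
    answer=[("www.example.com", 1, 300, "203.0.113.10")],
    authority=[("example.com", 2, 3600, "ns1.example.com")],
    additional=[("ns1.example.com", 1, 3600, "203.0.113.53"),
                ("www.microsoft.com", 1, 3600, "198.51.100.5")])

if __name__ == "__main__":
    for sec, owner, rtype, rdata in out_of_bailiwick(SAMPLE_RESPONSE, "example.com"):
        print("REJECT %s record %s -> %s (in %s section)" % (rtype, owner, rdata, sec))
```

A forwarding server is only as trustworthy as the server it forwards to, which is why the check has to happen on the receiving side. On Windows DNS the same rule is the SecureResponses option (dnscmd /Config /SecureResponses 1); I believe that is the setting the KB article plun linked covers, but that mapping is mine, not something stated in the thread.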
 