Recently, a new method of hijacking an internet user's URL request for a legitimate website and redirecting it to a maliciously designed site that
installs spyware has surfaced. Using a previously discovered flaw in some corporate internet security appliances, someone was able to take requests
for sites, including Google and eBay, and point them toward servers that take advantage of holes in web browser security to install spyware which can
steal valuable personal data.
Phishers pushing spyware through DNS holes
The warning follows reports Friday that some people's computers were being redirected from sites such as eBay and Google to malicious Web servers
that attempted to install spyware. The compromises affected 30 to 40 networks, according to Jason Lam, incident handler for the Internet Storm Center,
which tracks network threats.
"It's hard to tell how many people were impacted by this, but it wasn't very widespread," Lam said Tuesday.
The attacks compromised DNS servers to replace the numeric addresses of popular Web sites with the addresses of malicious sites run by the attackers.
Known as DNS poisoning, the scheme redirects Internet users to bogus sites where they may be asked for sensitive information or have spyware installed
on their PCs.
Please visit the link provided for the complete story.
This particular attack appears to have been directed at a number of corporate security appliances distributed by Symantec. The vulnerability that was
exploited in some cases had been identified in June 2004 and hotfixes were issued, but it has not been established if the compromised DNS caches were
on unpatched machines or if the patch that was issued failed to fully correct the problem.
More disturbing are the reports of DNS cache poisoning from organizations that do not use Symantec products. With this news, it appears that there may
be a broader attack in the works.
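An organization that is not a Symantec customer has no vendor advisory to go on, so the practical question is how to tell whether its own resolver cache has been altered in the way described above (numeric addresses of popular sites replaced with an attacker's). The following is an added example, not code from the ISC diary, the news reports or Symantec. It assumes the cache was dumped as plain "name TTL IN TYPE rdata" lines (the shape BIND's "rndc dumpdb -cache" writes) and that the site keeps a small baseline of the address ranges it expects for a handful of high-value names; every name and address in it is constructed from the RFC 5737 documentation ranges, not a real record.

```python
"""Audit a resolver's cache for poisoned records.

Added example, not code from the ISC diary, the news reports or Symantec. It
assumes the cache was dumped as plain 'name TTL IN TYPE rdata' lines (the shape
BIND's 'rndc dumpdb -cache' writes) and that the site keeps a small baseline of
address ranges it expects for its high-value names. Every name and address
below is constructed from the RFC 5737 documentation ranges, not a real record.
"""
from dataclasses import dataclass
import ipaddress

# Constructed baseline: for each name, the address ranges a correct answer
# must fall in. In practice this comes from the site's own records/monitoring.
BASELINE = {
    "www.example.com": [ipaddress.ip_network("192.0.2.0/24")],
    "www.example.net": [ipaddress.ip_network("192.0.2.0/24"),
                        ipaddress.ip_network("203.0.113.0/24")],
}

# Constructed cache dump; the 198.51.100.7 answer is the planted "wrong" one.
SAMPLE_DUMP = """\
; constructed cache dump, not real data
www.example.com.   300   IN  A   192.0.2.10
www.example.com.   300   IN  A   198.51.100.7
www.example.net.   3600  IN  A   192.0.2.55
mail.example.org.  60    IN  MX  10 mx.example.org.
"""


@dataclass(frozen=True)
class CacheRecord:
    name: str
    ttl: int
    rtype: str
    rdata: str


def parse_cache_dump(text):
    """Parse 'name TTL IN TYPE rdata' lines; comments (';') and blanks are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 5 or parts[2].upper() != "IN":
            continue  # not a cache record line in the expected shape
        name = parts[0].rstrip(".").lower()
        records.append(CacheRecord(name, int(parts[1]), parts[3].upper(), " ".join(parts[4:])))
    return records


def find_poisoned(records, baseline):
    """Return cached A records for baselined names whose address is outside the baseline."""
    findings = []
    for rec in records:
        if rec.rtype != "A" or rec.name not in baseline:
            continue
        addr = ipaddress.ip_address(rec.rdata)
        if not any(addr in net for net in baseline[rec.name]):
            findings.append(rec)
    return findings


def compare_resolvers(answers_a, answers_b):
    """Names on which two independent resolvers disagree.

    Both arguments map name -> iterable of addresses. A difference does not
    prove poisoning (CDNs answer differently by location), but a name whose
    cached answer differs from a resolver outside the suspect network is
    worth checking against the baseline.
    """
    disagreements = {}
    for name in set(answers_a) | set(answers_b):
        a, b = set(answers_a.get(name, ())), set(answers_b.get(name, ()))
        if a != b:
            disagreements[name] = (a, b)
    return disagreements


if __name__ == "__main__":
    for rec in find_poisoned(parse_cache_dump(SAMPLE_DUMP), BASELINE):
        print(f"suspect cache entry: {rec.name} A {rec.rdata} (ttl {rec.ttl})")
    diff = compare_resolvers({"www.example.com": ["192.0.2.10", "198.51.100.7"]},
                             {"www.example.com": ["192.0.2.10"]})
    for name, (local, remote) in diff.items():
        print(f"{name}: local cache {sorted(local)} vs outside resolver {sorted(remote)}")
```

The baseline check is the decisive one; the resolver comparison only tells you where to look, since a cache that was poisoned for Google or eBay would answer differently from a resolver outside the affected network, but so would a content network answering by location.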
The Internet Storm Center has noted that those who were victims of these URL redirects ran the risk of having spyware installed using an ActiveX
control flaw that was fixed in Service Pack 2 for Microsoft Windows XP. Not much is known about the nature of this spyware, but as information comes
out it will be shared here.
If you think you have been affected by the ABX Toolbar exploit, the following removal instructions were provided by ISC.
Run Regedit and search for "abx" (do not include quotes). Remove all references containing "abx" from the registry. There are at least two Keys in
the registry that contain several Values related to this spyware. On my test workstation, one of them was: HKCU\software\xbtb01186\toolbar.
I am not sure, but "xbtb01186" may be a randomly generated Key; within that Key will be several Values with "abx" references. Remove the
entire Key starting at "xbtb01186".
You will need to delete two files in the "Download Program Files" directory under your Windows directory. In Windows XP they will be under
c:\windows\Download Program Files. In NT they will be under c:\winnt\Download Program Files. The file names are:
The "Download Program Files" directory stores the ActiveX Cache used when starting up Internet Explorer. This directory may be hidden, so make sure
your Explorer settings allow you to view hidden files.
The above was taken from 2005-03-07 ISC Diary
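Searching the live registry by hand, as the ISC steps describe, makes it easy to delete too much (the whole Run key instead of one value) or to miss a reference. The script below is an added example, not ISC's procedure, that performs the same "abx" search offline against a .reg export (Regedit File > Export, or "reg export") and reports what would need removing before anything is touched. The sample export is constructed: "xbtb01186" is the key the diary names, the file and CLSID names are placeholders, not the real ones.

```python
"""Locate spyware references in a Windows registry export before removing them.

Added example; it is not ISC's procedure, only an offline check for it. It
assumes the relevant hives were exported to a .reg text file and works on that
text, so nothing is changed until an administrator acts on the report. The
sample export is constructed: 'xbtb01186' is the key the ISC diary names, the
file and CLSID names are placeholders, not the real ones.
"""
import re

# Constructed .reg export. Only the "Harmless" value should survive the audit.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\xbtb01186\toolbar]
"DisplayName"="ABX Toolbar"
"Module"="C:\\Windows\\Download Program Files\\PLACEHOLDER_abx.dll"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Loader"="C:\\Windows\\Download Program Files\\PLACEHOLDER_abxload.exe"
"Harmless"="C:\\Program Files\\Vendor\\tool.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
"{PLACEHOLDER-CLSID}"="ABX"
"""

# Vendor-level keys under Software that many programs share: never delete
# these whole, only the offending values or subkeys inside them.
SHARED_VENDOR_KEYS = {"microsoft", "classes", "policies", "wow6432node"}

_VALUE_RE = re.compile(r'(?:"((?:[^"\\]|\\.)*)"|@)=(.*)')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from .reg text (REG_SZ data unquoted)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and (line.startswith('"') or line.startswith("@")):
            m = _VALUE_RE.match(line)
            if m:
                name = m.group(1) if m.group(1) is not None else "(Default)"
                # .reg files double the backslashes in string data; undo that.
                data = m.group(2).strip().strip('"').replace("\\\\", "\\")
                keys[current][name] = data
    return keys


def vendor_key(path):
    """The key directly under ...\\Software in path, or None if there is none."""
    parts = path.split("\\")
    lowered = [p.lower() for p in parts]
    if "software" not in lowered:
        return None
    i = lowered.index("software")
    return "\\".join(parts[:i + 2]) if len(parts) > i + 1 else None


def triage(keys, needle="abx"):
    """Split hits into whole keys to remove and single values to remove.

    A hit under a private vendor key (e.g. Software\\xbtb01186) is reported
    as that whole vendor key, following the ISC advice to remove it from
    xbtb01186 down. A hit under a shared key such as Software\\Microsoft is
    reported value by value (or as the spyware's own subkey) so the shared
    key itself is never deleted.
    """
    needle = needle.lower()
    keys_to_remove, values_to_remove = set(), []
    for path, values in keys.items():
        matched = [n for n, d in values.items() if needle in n.lower() or needle in d.lower()]
        if not matched and needle not in path.lower():
            continue
        vendor = vendor_key(path)
        if vendor is not None and vendor.split("\\")[-1].lower() not in SHARED_VENDOR_KEYS:
            keys_to_remove.add(vendor)  # private vendor key: remove from there down
        elif needle in path.lower():
            keys_to_remove.add(path)  # spyware's own subkey under a shared parent
        else:
            values_to_remove.extend((path, n) for n in matched)
    return sorted(keys_to_remove), values_to_remove


if __name__ == "__main__":
    keys, values = triage(parse_reg_export(SAMPLE_EXPORT))
    for k in keys:
        print(f"remove key:   {k}")
    for path, name in values:
        print(f"remove value: {path} -> {name}")
```

The distinction between "remove this key" and "remove this value" is the point: the xbtb01186 key belongs to the spyware alone and can go as a unit, whereas the Run and Internet Explorer Toolbar keys belong to Windows and only the matching entries inside them should be deleted.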
DNS hijacking attacks, while still not common, pose a growing threat to internet users. The existing practice of using spoofed sites to steal user
data currently relies on tricking someone into visiting a site with a spoofed address using a link in email, instant message, etc. This new technique
is particularly devious because it can use the actual address of a site to take unsuspecting consumers to a fake page, thus creating a sense of
security that may make them more likely to reveal usernames, passwords, and account information. This method could be virtually undetectable to most
internet users.
This could be the new face of computer crime, since the target of the actual attack is not individual computers but larger corporate services that
affect thousands of consumers.
Please see the ATSNN Exclusive report on the subject of DNS Hijacking listed below for more details on the potential of this threat.
Related ATS Discussions
EXCLUSIVE: Med Network DNS Hijack, A Web Exploit That May Spell Cyber-Disaster
Related News Links
Global DNS cache poisoning attack?; Update
Possible Domain Poisoning Underway
Symantec Gateway Security Products DNS Cache Poisoning
Symantec Hotfix Information
[edit on 9-3-2005 by Spectre]