One of China's biggest internet service providers is a victim of poisoned DNS entries

Aug 22, 2008 10:49 GMT  ·  By

Websense Inc., a major vendor of web security filtering products, has discovered that DNS servers belonging to China Netcom (CNC), one of the country's leading ISPs, have been compromised. Forged records have been injected into the servers' caches, apparently through exploitation of the DNS cache-poisoning flaw that Dan Kaminsky disclosed earlier this year.

The flaw is considered one of the most serious vulnerabilities ever found in the DNS, and its details were kept secret for months so that a fix could be rolled out first. If exploited successfully, it lets an attacker inject forged records into the cache of a recursive DNS server, so that users can be sent to a malicious site even when they type the address of a legitimate one.

The researchers and vendors working on the problem coordinated a patch that has since been deployed to an impressive number of DNS servers worldwide. However, as we previously reported, the patch (which randomizes the UDP source port of each outgoing query) does not close the hole completely: it only lowers the success rate of an attack and lengthens the time needed to carry it out, instead of blocking such attempts outright.
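The following toy simulation, added here as an illustration and not taken from Websense or from any real resolver, shows why the patch only raises the attacker's cost. It models the two ingredients of the Kaminsky technique: the attacker asks the resolver for a fresh, never-cached label under the target zone each round (so there is no TTL to wait out) and floods it with forged replies whose Additional section rewrites the address of the zone's own name server, which the resolver accepts because the record is in bailiwick. The resolver checks only the 16-bit transaction id, plus the source port once `port_bits` is non-zero. The zone `example.com`, name server `ns.example.com`, the attacker address `203.0.113.7` and the decoy name `www.bank.example` are constructed for the example.

```python
import random


def expected_queries(txid_bits, port_bits, spoofs_per_query):
    """Mean number of query rounds the attacker needs if each forged reply is
    an independent uniform guess of the (transaction id, source port) pair."""
    return 2 ** (txid_bits + port_bits) / spoofs_per_query


def _rand_bits(rng, n):
    # random.getrandbits(0) is only accepted on Python >= 3.9, so special-case it
    return rng.getrandbits(n) if n else 0


class ToyResolver:
    """Constructed model of a caching resolver for this example.

    A reply is accepted only if its name, 16-bit transaction id and UDP
    source port all match the outstanding query. Records in the Additional
    section are cached only when they fall inside the bailiwick of the zone
    being queried; that rule is why the attack forges the address of the
    zone's own name server rather than of some unrelated host.
    """

    def __init__(self, txid_bits=16, port_bits=0, seed=None):
        self.txid_bits = txid_bits
        self.port_bits = port_bits      # 0 models an unpatched resolver with a fixed port
        self.rng = random.Random(seed)
        self.cache = {}

    def send_query(self, qname):
        return {"qname": qname,
                "txid": _rand_bits(self.rng, self.txid_bits),
                "port": _rand_bits(self.rng, self.port_bits)}

    def accept(self, pending, reply):
        if any(reply[k] != pending[k] for k in ("qname", "txid", "port")):
            return False                # a mismatching reply is silently dropped
        zone = pending["qname"].split(".", 1)[1]
        for name, rdata in reply["additional"]:
            if name == zone or name.endswith("." + zone):   # bailiwick check
                self.cache[name] = rdata
        return True


def kaminsky_attack(resolver, zone, ns_name, evil_ip, spoofs_per_query, max_queries, seed=None):
    """Return the round in which ns_name was poisoned, or None on failure.

    Each round asks the resolver for a never-seen subdomain, so there is no
    cached answer and no TTL to wait out, then floods it with forged replies
    whose Additional section maps the zone's name server to evil_ip. The round
    ends when the genuine reply arrives (modelled by simply moving on).
    """
    rng = random.Random(seed)
    for round_no in range(1, max_queries + 1):
        qname = "r%d.%s" % (round_no, zone)     # fresh label every round
        pending = resolver.send_query(qname)
        for _ in range(spoofs_per_query):
            forged = {
                "qname": qname,
                "txid": _rand_bits(rng, resolver.txid_bits),
                "port": _rand_bits(rng, resolver.port_bits),
                # in-bailiwick glue (accepted) plus an out-of-bailiwick record (ignored)
                "additional": [(ns_name, evil_ip), ("www.bank.example", evil_ip)],
            }
            if resolver.accept(pending, forged):
                return round_no
    return None


if __name__ == "__main__":
    for port_bits in (0, 16):
        r = ToyResolver(txid_bits=16, port_bits=port_bits, seed=1)
        rounds = kaminsky_attack(r, "example.com", "ns.example.com", "203.0.113.7",
                                 spoofs_per_query=500, max_queries=2000, seed=2)
        print("port bits=%2d expected rounds=%.0f simulated=%s cache=%s"
              % (port_bits, expected_queries(16, port_bits, 500), rounds, r.cache))
```

With 500 forged replies per round, an unpatched resolver (16 bits of entropy) is expected to fall in roughly 130 rounds, which takes seconds. Adding 16 bits of port randomization multiplies that by 65536; the attack still works in principle, it just needs far more traffic and time, which is exactly the trade-off the patch makes and why the attackers described here chose a slow, low-profile campaign.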

Security researchers at Websense's Beijing lab discovered the attack by chance, after mistyping a URL. Some of the lab's staff use Netcom as their internet service provider, and when a user types an address that does not exist, Netcom's DNS servers are supposed to answer with the address of a local advertising service instead of returning an error (an NXDOMAIN response). ISPs use this practice to earn additional revenue.
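A practitioner who wants to know whether a resolver rewrites nonexistent names, as Netcom's does by design, can ask it for a random label that cannot exist and look at the response code. The probe below is an added example written for this article, not Websense's tooling; it builds a raw DNS query with the standard library, and, because a live resolver is not available here, includes a `make_reply` helper that fabricates the two kinds of answer for testing. The zone `example.com`, the address `192.0.2.10` and the default resolver `127.0.0.1` are constructed values.

```python
import random
import socket
import struct


def build_query(qname, txid):
    """Build a minimal DNS A query (RD=1) for qname with the given 16-bit id."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def _skip_name(data, off):
    # Advance past a (possibly compressed) domain name in wire format.
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: two bytes, ends the name
            return off + 2
        off += length + 1


def parse_reply(data, expected_txid):
    """Return (rcode, [A addresses]); raise if the reply is not for our query."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch; dropping reply")
    rcode = flags & 0x0F
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4           # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + rdlen]))
        off += rdlen
    return rcode, addrs


def classify(rcode, addrs):
    """Decide what the resolver did with a name that cannot exist."""
    if rcode == 3:
        return "honest NXDOMAIN"
    if rcode == 0 and addrs:
        return "NXDOMAIN rewritten to " + ",".join(addrs)
    return "unexpected rcode %d" % rcode


def make_reply(query, rcode, addrs, ttl=60):
    """Constructed reply to `query`, used here in place of a live resolver."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1, len(addrs), 0, 0)
    question = query[12:]
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(a)
                   for a in addrs)
    return header + question + rrs


def probe(resolver_ip, zone="example.com", timeout=3.0):
    """Ask resolver_ip for a random label under zone that cannot exist."""
    qname = "nx%08x.%s" % (random.getrandbits(32), zone)
    txid = random.getrandbits(16)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(qname, txid), (resolver_ip, 53))
        data, _ = sock.recvfrom(512)
    finally:
        sock.close()
    return classify(*parse_reply(data, txid))


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

Run it as `python probe.py <resolver ip>`; an "NXDOMAIN rewritten" verdict by itself only tells you the ISP is redirecting typos, so the address it returns still has to be compared against the ISP's known advertising hosts before concluding that the resolver has been poisoned.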

By exploiting the vulnerability in CNC's DNS servers, the attackers were able to send users to rogue websites instead of the advertising system. These pages contain an iframe that serves malicious code in an attempt to exploit vulnerabilities in browser plug-ins such as Real Player and Flash Player, or in desktop applications such as the Microsoft Snapshot Viewer.

Carl Leonard, Security Research Manager for Websense's European lab, noted that while other DNS poisoning attacks have also been observed, what makes this one interesting is the method used, which suggests that "the malcode authors are trying to keep under the radar." If one of the vulnerabilities in the applications mentioned above is exploited successfully, a trojan is downloaded onto the victim's computer. Even though the vendors have already patched these applications, the fact that the attackers still chose this approach leads Mr. Leonard to believe that "people haven't applied those patches."

There are more aggressive ways to deploy malware through DNS poisoning, and while those attacks have a greater impact and could reach far more users, that same scale makes them easier to detect and block. This attack was designed to stay low-profile and to last longer; even though China Netcom has been notified, it is still unclear whether the affected servers have been patched.