"Brazil ISP servers under massive DNS cache Poisoning attack"warns Kaspersky Lab expert Fabio Assolini. When Brazilians try to visit facebook,google,youtube and othe websites, pop message asked to install Google Defence or some java applet in order to access the sites.
Some innocent peoples will install without knowing what problem will occur. if you are the reader of EHN or Know about Security risks , you know what happen. Yes, it will spread the banking Trojan.
"Brazil has some big ISPs. Official statistics suggest the country has 73 million computers connected to the Internet, and the major ISPs average 3 or 4 million customers each. If a cybercriminal can change the DNS cache in just one server, the number of potential victims is huge," he points out.
According to Kaspersky, the same IP address hosted a number of malicious files and several exploits, and targeted users seem to be exclusively from Brazil.
80.XX.XX.198/Google_setup.exeIn fact the file ad.html is an encrypted script, exploiting CVE-2010-4452 and running arbitrary code in an old installation of JRE. The exploit detected by us as Exploit.Java.CVE-2010-4452.a calls up one of the files in this list.
80.XX.XX.198/google_setup.exe
80.XX.XX.198/Google_Setup.exe
80.XX.XX.198/ad2.html
80.XX.XX.198/flash.jar
80.XX.XX.198/FaceBook_Complemento.exe
80.XX.XX.198/ad.html
134XX69350/AppletX.class
80.XX.XX.198/YouTube_Setup.exe
80.XX.XX.198/FlashPlayer.class
80.XX.XX.198/google2.exe
80.XX.XX.198/crossdomain.xml
80.XX.XX.198/favicon.ico
Infecting peoples with DNS Poisoning attack is very easy because users believe their trusted sites. Cyber criminals paid an employee who has access to the DNS records to modify them so that user are redirected to the malicious site.
Assolini notes that last week the Brazilian police has arrested an employee of an ISP located in the south of the country, and that he stands accused of changing his employer's DNS cache and redirecting users to phishing websites - no doubt at the behest of the people running them. "We strongly suspect similar security breaches will be happening in other small and medium ISPs in the country," Assolini commented.
But random Internet users are not the only one who have been targeted by this type of attack. Employees of various companies have also been seeing similar pop-up windows when they tried to access any website. Once again, they were actually offered a banking Trojan for download.
The attack was made possible by flaws in the networking equipment used by their companies. Routers and modems were accessed remotely by attackers who changed the devices' DNS configurations.
