BRAZILIAN internet service providers (ISPs) have fallen victim to a DNS poisoning scheme.
Several Brazilian ISPs, some of which have three to four million subscribers, have had their DNS records poisoned, sending unwitting users to fraudulent internet destinations. According to security outfit Kaspersky, the DNS records for YouTube, Gmail and Hotmail were poisoned for the ISPs' subscribers, with users asked to download a malicious file when accessing the web sites.
Kaspersky highlighted one attack where internet users trying to visit Google's Brazilian search page were asked to download "Google Defence". The download is actually a trojan that the firm detects as Exploit.Java.CVE-2010-4452.a.
DNS poisoning can be an extremely effective attack because it is transparent to the end user. Attempts to poison DNS records usually centre around exploiting software vulnerabilities; in this case, however, Kaspersky says the attackers had a man on the inside.
Kaspersky's Fabio Assolini wrote that a 27-year-old employee at an ISP was arrested on accusations that he was participating in changing DNS caches at that ISP. The changes meant the users of that ISP were redirected to phishing web sites.
Although anti-virus software is apparently able to detect the malware, real mitigation comes in the choice of DNS server. Typically one would hope that their ISP's DNS server is secure; however, there are free alternatives from firms such as Google that should also be considered.
Ha, as if most DNS servers in Brazil weren't poisoned by that stupid Yahoo! search.
If you mistype a URL you end up in a Yahoo page, and using the URL bar for searching to do a Google search is impossible for the same reason: even if you set up your browser to point at Google, you end up in Yahoo! I believe it's called DNS or URL hijack.
We're forced to use alternate DNS servers (like Google's) to have a fully working browsing experience.
Also, this practice turned Yahoo into the most hated company around these parts.