Global DNS cache poisoning attack?; Update...

Published: 2005-03-04
Last Updated: 2005-03-04 23:50:12 UTC
by Kyle Haugsness (Version: 1)
0 comment(s)
We are currently investigating reports from several sites indicating that users are being redirected to malware sites. At this time it appears to be a DNS cache poisoning attack (not spyware, adware, or a browser hijack), and we are seeking more information.

Popular domain names such as,, and are being directed to the following servers. Of course when connecting to these servers, "bad things" (tm) will happen, so don't go to them. ( (,, (,,

If your site has been affected, please submit the following information:

1. When the attack was first noticed and whether it is still occurring.

2. What DNS server software you have facing the Internet. This information will be kept in strictest confidence.

3. If you identified any other sites that users were being re-directed to (besides the ones listed above).

Updates will be made to this diary as we find out more information.

Update at 23:40 UTC

There appear to be two issues at hand. The first is the DNS cache poisoning. At this time, it appears to be affecting Symantec firewalls with DNS caching. If you recall, there was a vulnerability back in July that made these products very susceptible to DNS cache poisoning. Some victims have responded that they applied the patch but were still affected. So this could be a different vulnerability, or the patch didn't work properly. Maybe someone at Symantec could enlighten us?

The second issue is the ABX toolbar spyware that gets loaded onto the machine when visiting the target servers. This appears to happen using an ActiveX control. Users running Windows XP SP2 or a web browser that does not support ActiveX will probably not get hit with the spyware if they visit the server.

Unfortunately, information on the ABX toolbar spyware is very limited at this time and it doesn't seem to be detected yet by the normal toolset of spyware/antivirus tools.

In the meantime, we have been working to get the IP addresses and DNS servers supporting this attack shut down. Some of the IP addresses are already blackholed.
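One way to triage the symptom described in this diary (several unrelated popular names all answered with the same few addresses by a caching device) is to compare the cache's A records with answers from a trusted resolver. The following is an added example, not part of the original diary; the function name, host names and addresses (RFC 5737 documentation ranges) are constructed, and collecting the two answer sets is assumed to have been done separately.

```python
from collections import defaultdict

def find_poisoned(cache_answers, reference_answers, min_shared=2):
    """Compare A records from a suspect cache with a trusted reference.

    Returns (suspect, shared):
      suspect - names whose cached addresses share nothing with the reference
      shared  - addresses that min_shared or more suspect names point to
    A single mismatching name can be legitimate (CDN or geo-balanced answers);
    unrelated names converging on one address is the stronger signal.
    """
    suspect = {}
    for name, cached in cache_answers.items():
        trusted = reference_answers.get(name)
        if not trusted:
            continue  # no baseline for this name, so it cannot be judged
        if set(cached).isdisjoint(trusted):
            suspect[name] = sorted(cached)

    by_ip = defaultdict(list)
    for name, ips in suspect.items():
        for ip in ips:
            by_ip[ip].append(name)
    shared = {ip: sorted(n) for ip, n in by_ip.items() if len(n) >= min_shared}
    return suspect, shared

# Constructed sample data: answers seen through the suspect caching device ...
CACHE = {
    "www.example.com": ["203.0.113.10"],
    "www.example.net": ["203.0.113.10", "203.0.113.11"],
    "www.example.org": ["192.0.2.30"],
    "mail.example.org": ["198.51.100.77"],
}
# ... and answers for the same names from a trusted resolver.
REFERENCE = {
    "www.example.com": ["192.0.2.10"],
    "www.example.net": ["192.0.2.20", "192.0.2.21"],
    "www.example.org": ["192.0.2.30", "192.0.2.31"],
    "mail.example.org": ["192.0.2.40"],
}

if __name__ == "__main__":
    suspect, shared = find_poisoned(CACHE, REFERENCE)
    for name, ips in sorted(suspect.items()):
        print(f"mismatch: {name} -> {', '.join(ips)}")
    for ip, names in sorted(shared.items()):
        print(f"shared target {ip}: {', '.join(names)}")
```

Names that appear under a shared target are the ones worth reporting along with the address; flushing the cache and re-running the comparison shows whether the poisoning is still occurring.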
