SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-03-30

Another round of DNS cache poisoning

Published: 2005-03-30
Last Updated: 2005-03-31 01:50:43 UTC
by Davis Sickmon (Version: 1)

(from handler Kyle Haugsness)

We are investigating another round of DNS cache poisoning. Reports have come in from some very large commercial organizations, and they report using only Windows DNS servers that are secured against the attack, or using Windows 2003. We are trying to identify whether this is a bug in Windows DNS servers. The symptoms of the current attack are as follows:

1. We still have not identified the trigger. If you know how people are being forced to the malicious DNS server (below), please let us know.

2. The malicious DNS server is 216.127.88.131. We are in the process of trying to get this IP address blackholed. In the meantime, the server is poisoning the entire .COM domain. It returns the following 3 IP addresses for any hostname lookup in .COM:

  209.123.63.168 / 64.21.61.5 / 205.162.201.11

3. The 3 IP addresses above return a simple HTML page with the following embedded URLs. These servers are trying to drop malware on your machine, so DO NOT browse to them:

  vparivalka .org /G7 /anticheatsys.php?id=36381

  find-it .web-search .la
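As an added example (not part of the diary, and not a tool from the ISC handlers): a small resolver check a defender could run against a caching resolver to spot the symptom described above. It looks for answers containing the three rogue addresses, and more generally for several unrelated .COM names all collapsing onto one identical answer set. The hostnames in the sample data are constructed placeholders.

```python
import socket
from collections import Counter

# Addresses the diary reports the rogue server handing back for every .COM lookup.
ROGUE_ANSWERS = {"209.123.63.168", "64.21.61.5", "205.162.201.11"}


def collect_answers(names, resolve=socket.gethostbyname_ex):
    """Resolve each name through the system resolver; return {name: set of A records}.
    A name that fails to resolve maps to an empty set rather than being dropped."""
    answers = {}
    for name in names:
        try:
            answers[name] = set(resolve(name)[2])  # gethostbyname_ex -> (host, aliases, ips)
        except OSError:
            answers[name] = set()
    return answers


def analyze_answers(answers, min_collisions=3):
    """Flag two symptoms of the poisoning described above in a {name: {ip, ...}} map:
    (1) any answer containing one of the rogue addresses, and
    (2) several unrelated .COM names collapsing onto one identical answer set, which is
        what a resolver poisoned for the whole .COM zone looks like even if the IPs change."""
    findings = []
    for name, ips in sorted(answers.items()):
        hit = ips & ROGUE_ANSWERS
        if hit:
            findings.append(f"{name}: answer includes known rogue address(es) {sorted(hit)}")
    com_names = [n for n in answers if n.lower().rstrip(".").endswith(".com")]
    shared = Counter(frozenset(answers[n]) for n in com_names if answers[n])
    for ipset, count in shared.items():
        if count >= min_collisions:
            findings.append(f"{count} unrelated .COM names all resolve to {sorted(ipset)}")
    return {"poisoned": bool(findings), "findings": findings}


# Constructed samples; the names are placeholders standing in for unrelated .COM hosts.
SAMPLE_POISONED = {
    "alpha.example.com": set(ROGUE_ANSWERS), "bravo.example.com": set(ROGUE_ANSWERS),
    "charlie.example.com": set(ROGUE_ANSWERS), "delta.example.com": set(ROGUE_ANSWERS),
    "example.org": {"192.0.2.10"},  # .ORG is not affected, so it still resolves normally
}
SAMPLE_CLEAN = {
    "alpha.example.com": {"192.0.2.1"}, "bravo.example.com": {"192.0.2.2"},
    "charlie.example.com": {"192.0.2.3"},
}

if __name__ == "__main__":
    for label, sample in (("poisoned", SAMPLE_POISONED), ("clean", SAMPLE_CLEAN)):
        print(label, analyze_answers(sample))
```

To test a live resolver, feed `collect_answers` a handful of unrelated .COM names you normally use and pass the result to `analyze_answers`.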

-----------

Most of the email coming in and going on between the handlers right now is centered around the work being done on Windows DNS cache poisoning. I'll touch real quick on the various other mailbag items from the last 24 hours:

For people using Apple servers, there's a new security update available (2005-03) as of March 21st, and apparently a re-release on March 28th. Quick highlights are: AFP DoS fix and file permission change, a fix for a local security bypass via Bluetooth setup, a buffer overflow in Core Foundation, Cyrus IMAP server buffer overflow and DoS, Cyrus SASL overflow and potential remote code execution, a Mailman directory traversal problem, a Safari IDN fix, Samba remote DoS and potential remote code execution, and fixes to SquirrelMail and telnet. At the same time, non-server machines had the same security update released.

Someone also reported another fake Blue Mountain eCard site. I haven't been able to see the malware it's dishing out - at the moment the site appears to be having some problems.

Phishing is still alive and well. However, we typically think about it from the computer standpoint, being computer specialists and all. Markus Martin emailed in something amusing - a warning from his local bank about dropping your deposit or correspondence with the bank into the mail box outside. It appears that there's been a problem with people putting fake mail drops outside of the bank, and picking up the mailbox later.

Davis Ray Sickmon, Jr
Handler on Duty