Anti-Virus Company Avira Homepage Defaced - SANS Internet Storm Center

Anti-Virus Company Avira Homepage Defaced
Update From Avira (http://techblog.avira.com/2013/10/08/major-dns-hijacking-affecting-major-websites-including-avira-com/en/) "It appears that our account used to manage the DNS records registered at Network Solutions has received a fake password-reset request which was honored by the provider. Using the new credentials the cybercriminals have been able to change the entries to point to their DNS servers." ----------- The home page of anti virus company Avira has been defaced, likely by altering the DNS zone for Avira.com. Currently, avira.com uses the following NS records: $ dig +short avira.com NS ns2.radioum.com.br. n1.ezmail.com.br. ns1.radioum.com.br. n2.ezmail.com.br. $ dig +short A avira.com 173.193.136.42 Once an attacker has control of the NS records, they may also change MX records and redirect e-mail, or in the case of an Antivirus company like Avira change the addresses used to download signature updates. According to domaintools.com, the last address for avira.com was 62.146.210.2 and that address still appears to host Avira's site. A cached whois record from a couple days ago lists these DNS servers for avira.com: NS1.AVIRA-NS.NET NS2.AVIRA-NS.DE 195.34.161.132 NS3.AVIRA-NS.NET NS4.AVIRA-NS.DE 212.7.178.67 The domain is hosted with Network Solutions. At this point, this looks like an isolated incident and not a more wide spread issue with Network Solutions. I hope this will not be considered an "advanced sophisticated highly skilled attack", as the attackers have issues spelling "Palestine" consistently. The content of the defaced site is political and no malware has been spotted on the site so far. Partial screenshot of the site: Our reader Stuart sent us a screenshot with a similar defacement of Antivirus vendor AVG (avg.com), but the site appears to be back to normal now. I can't tell if that defacement was DNS related or not. Instant messaging software maker Whatsapp was appearently a third victim of this attack. ------ Johannes B. Ullrich, Ph.D. SANS Technology Institute Twitter I will be teaching next: Intrusion Detection In-Depth - SANS Boston Summer 2019	Johannes 3577 Posts ISC Handler
Subscribe	Oct 8th 2013 5 years ago
- http://techblog.avira.com/2013/10/08/major-dns-hijacking-affecting-major-websites-including-avira-com/en/ Oct 8 2013 - "... It appears that our account used to manage the DNS records registered at Network Solutions has received a fake password-reset request which was honored by the provider. Using the new credentials the cybercriminals have been able to change the entries to point to their DNS servers. Our internal network has not has not been compromised in any way. As a measure of security we have shut down all exterior services until we have all DNS entries in our possession again... We are working with the ISP to receive control on the domain name and only when we have solved the problem we will restore the access to the Avira services..." .	PC.Tech 34 Posts
Quote	Oct 8th 2013 5 years ago
The article title is inaccurate. DNS hijacking is a little more outside of Avira's control than their homepage. On the other hand for customers the result is still dangerous. It's bad PR for Avira anyway.	G.Scott H. 48 Posts
Quote	Oct 8th 2013 5 years ago

Update

From Avira (http://techblog.avira.com/2013/10/08/major-dns-hijacking-affecting-major-websites-including-avira-com/en/)

"It appears that our account used to manage the DNS records registered at Network Solutions has received a fake password-reset request which was honored by the provider. Using the new credentials the cybercriminals have been able to change the entries to point to their DNS servers."

-----------

The home page of anti virus company Avira has been defaced, likely by altering the DNS zone for Avira.com. Currently, avira.com uses the following NS records:

$ dig +short avira.com NS
ns2.radioum.com.br.
n1.ezmail.com.br.
ns1.radioum.com.br.
n2.ezmail.com.br.

$ dig +short A avira.com
173.193.136.42

Once an attacker has control of the NS records, they may also change MX records and redirect e-mail, or in the case of an Antivirus company like Avira change the addresses used to download signature updates.

According to domaintools.com, the last address for avira.com was 62.146.210.2 and that address still appears to host Avira's site.

A cached whois record from a couple days ago lists these DNS servers for avira.com:

NS1.AVIRA-NS.NET
NS2.AVIRA-NS.DE              195.34.161.132
NS3.AVIRA-NS.NET
NS4.AVIRA-NS.DE              212.7.178.67

The domain is hosted with Network Solutions. At this point, this looks like an isolated incident and not a more wide spread issue with Network Solutions.

I hope this will not be considered an "advanced sophisticated highly skilled attack", as the attackers have issues spelling "Palestine" consistently. The content of the defaced site is political and no malware has been spotted on the site so far.

Partial screenshot of the site:

Our reader Stuart sent us a screenshot with a similar defacement of Antivirus vendor AVG (avg.com), but the site appears to be back to normal now. I can't tell if that defacement was DNS related or not. Instant messaging software maker Whatsapp was appearently a third victim of this attack.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

I will be teaching next: Intrusion Detection In-Depth - SANS Boston Summer 2019

Johannes

3577 Posts
ISC Handler

- http://techblog.avira.com/2013/10/08/major-dns-hijacking-affecting-major-websites-including-avira-com/en/
Oct 8 2013 - "... It appears that our account used to manage the DNS records registered at Network Solutions has received a fake password-reset request which was honored by the provider. Using the new credentials the cybercriminals have been able to change the entries to point to their DNS servers. Our internal network has not has not been compromised in any way. As a measure of security we have shut down all exterior services until we have all DNS entries in our possession again... We are working with the ISP to receive control on the domain name and only when we have solved the problem we will restore the access to the Avira services..."
.

PC.Tech

34 Posts

The article title is inaccurate. DNS hijacking is a little more outside of Avira's control than their homepage. On the other hand for customers the result is still dangerous. It's bad PR for Avira anyway.

G.Scott H.

48 Posts