[ISN] Scammers use Symantec, DNS holes to push adware

From: InfoSec News (isn@private)
Date: Mon Mar 07 2005 - 23:20:34 PST


By Paul Roberts
MARCH 07, 2005

Online scam artists are manipulating the Internet's directory service
and taking advantage of a hole in some Symantec Corp. products to
trick Internet users into installing adware and other annoying
programs on their computers, according to an Internet security
monitoring organization.

Customers who use older versions of Symantec's Gateway Security
Appliance and Enterprise Firewall are being hit by Domain Name System
(DNS) "poisoning attacks." Such attacks cause Web browsers pointed at
popular Web sites such as Google.com, eBay.com and Weather.com to go
to malicious Web pages that install unwanted programs, according to
Johannes Ullrich, chief technology officer at the SANS Institute's
Internet Storm Center (ISC).

The attacks, which began on Thursday or Friday, may be one of the
largest to use DNS poisoning, Ullrich said.

Symantec issued an emergency patch for the DNS poisoning hole on
Friday. The company didn't immediately respond to requests for comment

The DNS is a global network of computers that translates requests for
reader-friendly Web domains, such as www.computerworld.com, into the
numeric IP addresses that machines on the Internet use to communicate.

In DNS poisoning attacks, malicious hackers take advantage of a
feature that allows any DNS server that receives a request about the
IP address of a Web domain to return information about the address of
other Web domains.

For example, a DNS server could respond to a request for the address
of www.yahoo.com with information on the address of www.google.com or
www.amazon.com, even if information on those domains wasn't requested.  
The updated addresses are stored by the requesting DNS server in a
temporary listing, or cache, of Internet domains and used to respond
to future requests.

In poisoning attacks, malicious hackers use a DNS server they control
to send out erroneous addresses to other DNS servers. Internet users
who rely on a poisoned DNS server to manage their Web surfing requests
might find that entering the URL of a well-known Web site directs them
to an unexpected or malicious Web page, Ullrich said.

Some Symantec products, such as the Enterprise Security Gateway,
include a proxy that can be used as a DNS server for users on the
network that the product protects. That DNS proxy is vulnerable to the
DNS poisoning attack, Symantec said on its Web site. Symantec's
Enterprise Firewall Versions 7.04 and 8.0 for Microsoft Corp.'s
Windows and Sun Microsystems Inc.'s Solaris have the DNS poisoning
flaw, as do Versions 1.0 and 2.0 of the company's Gateway Security

Internet users on some networks protected by the vulnerable Symantec
products had requests for Web sites directed to attack Web pages that
attempted to install the ABX tool bar, a search tool bar and spyware
program that displays pop-up ads, Ullrich said.

The DNS poisoning attacks were easy to detect because Web sites
involved in the attack don't mimic the sites that users were trying to
reach, Ullrich said. However, DNS poisoning could be a potent tool for
online identity thieves who could set up phishing Web sites that are
identical to sites like Google.com or eBay.com but secretly capture
user information, he said.

Some of those customers told ISC that they installed a patch that the
company issued in June to fix a DNS cache-poisoning problem in many of
the same products, but they were still susceptible to the latest DNS
cache-poisoning attacks, according to information on the ISC Web site.

Ullrich said he doesn't believe that Symantec's customers are being
targeted, just that they are susceptible to attacks that are being
launched at a broad swath of DNS servers.

The ISC is collecting the Internet addresses of Web sites and DNS
servers used in the attack and trying to have them shut down or
blacklisted, ISC said.

Symantec customers using one of the affected products are advised to
install the most recent hotfixes from the company, Ullrich said.

Bellua Cyber Security Asia 2005 -

This archive was generated by hypermail 2.1.3 : Tue Mar 08 2005 - 01:58:00 PST