China Netcom falls prey to DNS cache poisoning

One of China's largest ISPs (Internet service providers) has fallen victim to a dangerous vulnerability in the Internet's addressing system, according to security vendor Websense.

The flaw, which has been described as one of the most serious ones to ever affect the Internet, can cause Web surfers to be redirected to fraudulent Web sites even if the URL (Uniform Resource Locator) has been typed correctly in a browser's address bar.

Discovered by security researcher Dan Kaminsky, the problem is rooted in the DNS (Domain Name System). When a user types a Web address into a browser, the request goes to a DNS server or a cache, which returns the corresponding numerical IP (Internet protocol) address for a Web site.

But the flaw allows the DNS server to be filled with wrong information and direct users to malicious Web sites. The China Netcom attack is particularly interesting because it only affects those who misspell certain URLs, said Carl Leonard, security research manager for Websense's European lab.

The latest hack was discovered by Websense's Beijing lab, some of whose researchers use China Netcom as their ISP, Leonard said. Websense has seen other DNS attacks, but chose to publicize this particular one due to its interesting execution, he said.

Hackers have tampered with one of China Netcom's DNS servers to only redirect users who type, for example, gogle.cn rather than google.cn. That way, fewer users are directed to malicious Web sites, but the strategy is to keep the attacks lower-profile so as to not raise attention.

"The malcode authors are trying to keep under the radar," Leonard said.

Victims are redirected to malicious Web sites -- some of which are still active -- that try to exploit known vulnerabilities in software such as RealNetworks' RealPlayer multimedia player and Adobe System's Flash Player.

Another exploit attempts to take advantage of a problem with an ActiveX control for Microsoft's Snapshot Viewer, used to view reports for Microsoft Access, a relational database program.

Although Adobe, Microsoft and RealPlayer have issued patches for some of those vulnerabilities, hackers still see opportunities. "It tells us people haven't applied those patches," Leonard said.

If an exploit is successful, the PC will download a Trojan horse program that shuts off updates for antivirus software, Leonard said. Websense has notified China Netcom but are unsure yet if the DNS server has been patched.

Kaminsky and other researchers coordinated a massive secret campaign with vendors to patch their DNS software, but details on how to exploit the flaw were leaked on July 21. However, not all ISPs have patched yet, putting some users at risk. Also, the patches available just decrease the likelihood of success of an attack rather than completely securing a DNS server against an attack, Leonard said.

"There needs to be a longer-term solution made available," Leonard said.

Insider: How the basic tech behind the Internet works
Join the discussion
Be the first to comment on this article. Our Commenting Policies