Websense Security Labs ThreatSeeker Network: The customers of China Netcom (CNC) has been poisoned
August 2008 by Websense
Websense Security Labs ThreatSeeker Network has detected that the DNS cache on the default DNS server used by the customers of China Netcom (CNC) has been poisoned. When China Netcom customers mistype and enter an invalid domain name, the poisoned DNS server directs the visitor’s browser to a page that contains malicious code. China Netcom is among the top ISPs in that country.
When users mistype a domain name, they are sometimes directed by their ISPs to a placeholder Web site with generic advertisements. This is typically an additional revenue source for the ISP. In the case of CNC, customers of this prominent ISP are directed to a Web site under the control of an attacker.
These malicious sites contain an iframe with malicious code that attempts to exploit, among other applications and plug-ins, the Microsoft Snapshot Viewer vulnerability which we reported on at the start of the month.
A user querying an unaffected DNS server is taken through to a clean site, whereas a user querying a poisoned name server is taken to a malicious site under the hacker’s control. The malicious iframe points to a server in China hosting exploits for RealPlayer, MS06-014, MS Snapshot Viewer and Adobe Flash player.