A 27-year-old employee of a medium-sized ISP in the southern part of Brazil has been arrested, after a DNS cache-poisoning attack spread across the country and pointed millions of users to a Trojan aimed at capturing banking and other credentials.
Last week, millions of Brazilians had their Internet connections hijacked, prompting them to install malicious software after visiting popular destinations such as Hotmail, Gmail, YouTube, and local portals Uol, Terra, and Globo.
Kaspersky’s Fabio Assolini reported on the attacks and noted that users were being told to install a banking Trojan, disguised as a security program called 'Google Defense'
“Last week Brazil’s web forums were alive with desperate cries for help from users who faced malicious redirections when trying to access websites such as YouTube, Gmail and Hotmail, as well as local market leaders including Uol, Terra and Globo,” he said.
“[Redirected users were asked] to download and install the so-called “Google Defence” software required to use the search engine. In reality, though, this file is a Trojan banker detected by Kaspersky’s heuristic engine. Research into this IP highlighted several malicious files and exploits hosted there.”
As mentioned, Brazil’s Federal Police arrested an employee of a medium-sized ISP in the southern part of the country. It’s understood that, for a period of around 10 months, he used his access to alter the company's DNS cache, which, in turn, forced its customers toward a malicious server handing out the banking malware.
Kaspersky suspects that similar internal compromises are also happening across Brazil.
In related news, businesses across the country were reporting that their networking equipment, such as modems and routers, were remotely compromised and their DNS settings had been changed in order to join the attack.
Corporate users were redirected to the malicious server and told to install a Java applet, which in fact was another variant of the aforementioned banking Trojan.
“We advise all affected users to update antivirus and all software in the computer (such as Java), also change the DNS configuration to other providers (such as Google DNS). In attacks against network devices we also recommend updating the firmware of the router and changing the default passwords,” Assolini encouraged.
The attack's exact number of victims is unknown, but there are an estimated 73 million devices connected to the Internet in Brazil, and the top ISPs in the country manage about 3-4 million people each. So, even if only a small percentage were successfully targeted, the overall total number of victims is likely to be frightening.