The Tech Herald

Insider arrested after DNS-poisoning attack targets Brazilian ISPs

by Steve Ragan - Nov 7 2011, 20:57

A 27-year-old employee of a medium-sized ISP in the southern part of Brazil has been arrested, after a DNS cache-poisoning attack spread across the country and pointed millions of users to a Trojan aimed at capturing banking and other credentials.

Last week, millions of Brazilians had their Internet connections hijacked, prompting them to install malicious software after visiting popular destinations such as Hotmail, Gmail, YouTube, and local portals Uol, Terra, and Globo.

Kaspersky’s Fabio Assolini reported on the attacks and noted that users were being told to install a banking Trojan, disguised as a security program called 'Google Defense'

“Last week Brazil’s web forums were alive with desperate cries for help from users who faced malicious redirections when trying to access websites such as YouTube, Gmail and Hotmail, as well as local market leaders including Uol, Terra and Globo,” he said.

“[Redirected users were asked] to download and install the so-called “Google Defence” software required to use the search engine. In reality, though, this file is a Trojan banker detected by Kaspersky’s heuristic engine. Research into this IP highlighted several malicious files and exploits hosted there.”

As mentioned, Brazil’s Federal Police arrested an employee of a medium-sized ISP in the southern part of the country. It’s understood that, for a period of around 10 months, he used his access to alter the company's DNS cache, which, in turn, forced its customers toward a malicious server handing out the banking malware.

Kaspersky suspects that similar internal compromises are also happening across Brazil.

In related news, businesses across the country were reporting that their networking equipment, such as modems and routers, were remotely compromised and their DNS settings had been changed in order to join the attack.

Corporate users were redirected to the malicious server and told to install a Java applet, which in fact was another variant of the aforementioned banking Trojan.

“We advise all affected users to update antivirus and all software in the computer (such as Java), also change the DNS configuration to other providers (such as Google DNS). In attacks against network devices we also recommend updating the firmware of the router and changing the default passwords,” Assolini encouraged.

The attack's exact number of victims is unknown, but there are an estimated 73 million devices connected to the Internet in Brazil, and the top ISPs in the country manage about 3-4 million people each. So, even if only a small percentage were successfully targeted, the overall total number of victims is likely to be frightening.

Around the Web

Comment on this Story

comments powered by Disqus

From Autosaur.com

Shelby GT350 Mustang Pictures

We have added a bunch of pictures of the all-new Shelby GT350 Mustang from Ford. The ne...

All-new Shelby GT350 Mustang

Ford have revealed details of the new Shelby GT350 Mustang. First introduced in 1965 the new...

Best Cars To Buy In 2015

Leading vehicle research company Kelley Blue Book has released its list of the best cars to ...

A.C. Milan Take On Audi R8

Five A.C. Milan stars take on an Audi R8 in a game of street soccer in a new ad for Toyo Tir...

Jaguar 2016 F-TYPE R Coupe All-Wheel-Drive

Jaguar has unveiled the 2016 F-TYPE R Coupe, the first to feature all-wheel-drive. The 2016 ...