The Tech Herald

Insider arrested after DNS-poisoning attack targets Brazilian ISPs

by Steve Ragan - Nov 7 2011, 20:57

A 27-year-old employee of a medium-sized ISP in the southern part of Brazil has been arrested, after a DNS cache-poisoning attack spread across the country and pointed millions of users to a Trojan aimed at capturing banking and other credentials.

Last week, millions of Brazilians had their Internet connections hijacked, prompting them to install malicious software after visiting popular destinations such as Hotmail, Gmail, YouTube, and local portals Uol, Terra, and Globo.

Kaspersky’s Fabio Assolini reported on the attacks and noted that users were being told to install a banking Trojan, disguised as a security program called 'Google Defense'

“Last week Brazil’s web forums were alive with desperate cries for help from users who faced malicious redirections when trying to access websites such as YouTube, Gmail and Hotmail, as well as local market leaders including Uol, Terra and Globo,” he said.

“[Redirected users were asked] to download and install the so-called “Google Defence” software required to use the search engine. In reality, though, this file is a Trojan banker detected by Kaspersky’s heuristic engine. Research into this IP highlighted several malicious files and exploits hosted there.”

As mentioned, Brazil’s Federal Police arrested an employee of a medium-sized ISP in the southern part of the country. It’s understood that, for a period of around 10 months, he used his access to alter the company's DNS cache, which, in turn, forced its customers toward a malicious server handing out the banking malware.

Kaspersky suspects that similar internal compromises are also happening across Brazil.

In related news, businesses across the country were reporting that their networking equipment, such as modems and routers, were remotely compromised and their DNS settings had been changed in order to join the attack.

Corporate users were redirected to the malicious server and told to install a Java applet, which in fact was another variant of the aforementioned banking Trojan.

“We advise all affected users to update antivirus and all software in the computer (such as Java), also change the DNS configuration to other providers (such as Google DNS). In attacks against network devices we also recommend updating the firmware of the router and changing the default passwords,” Assolini encouraged.

The attack's exact number of victims is unknown, but there are an estimated 73 million devices connected to the Internet in Brazil, and the top ISPs in the country manage about 3-4 million people each. So, even if only a small percentage were successfully targeted, the overall total number of victims is likely to be frightening.

Around the Web

Comment on this Story

comments powered by Disqus

From Autosaur.com

Knight Rider Back as a Renault Van

  Renault have released a video featuring the new Renault Trafic van in a remake of the...

2014 AUTOBACS GT Round 6 1000km GT500 Pictures

We have added some great pictures from the 2014 AUTOBACS GT Round 6 43rd International ...

Car Games Update August 30th

We have added a few new games to the car games section of Autosaur. First up is the Car Eats...

2015 Toyota Tundra TRD Pro Prices

Toyota have announced prices for their 2015 Tundra TRD Pro, based on the Tundra it includes ...

2015 Toyota Tundra TRD Pro Pictures

Toyota recently announced prices for the 2015 Toyota Tundra TRD Pro. We have added some...