The Tech Herald

Insider arrested after DNS-poisoning attack targets Brazilian ISPs

by Steve Ragan - Nov 7 2011, 20:57

A 27-year-old employee of a medium-sized ISP in the southern part of Brazil has been arrested, after a DNS cache-poisoning attack spread across the country and pointed millions of users to a Trojan aimed at capturing banking and other credentials.

Last week, millions of Brazilians had their Internet connections hijacked, prompting them to install malicious software after visiting popular destinations such as Hotmail, Gmail, YouTube, and local portals Uol, Terra, and Globo.

Kaspersky’s Fabio Assolini reported on the attacks and noted that users were being told to install a banking Trojan, disguised as a security program called 'Google Defense'

“Last week Brazil’s web forums were alive with desperate cries for help from users who faced malicious redirections when trying to access websites such as YouTube, Gmail and Hotmail, as well as local market leaders including Uol, Terra and Globo,” he said.

“[Redirected users were asked] to download and install the so-called “Google Defence” software required to use the search engine. In reality, though, this file is a Trojan banker detected by Kaspersky’s heuristic engine. Research into this IP highlighted several malicious files and exploits hosted there.”

As mentioned, Brazil’s Federal Police arrested an employee of a medium-sized ISP in the southern part of the country. It’s understood that, for a period of around 10 months, he used his access to alter the company's DNS cache, which, in turn, forced its customers toward a malicious server handing out the banking malware.

Kaspersky suspects that similar internal compromises are also happening across Brazil.

In related news, businesses across the country were reporting that their networking equipment, such as modems and routers, were remotely compromised and their DNS settings had been changed in order to join the attack.

Corporate users were redirected to the malicious server and told to install a Java applet, which in fact was another variant of the aforementioned banking Trojan.

“We advise all affected users to update antivirus and all software in the computer (such as Java), also change the DNS configuration to other providers (such as Google DNS). In attacks against network devices we also recommend updating the firmware of the router and changing the default passwords,” Assolini encouraged.

The attack's exact number of victims is unknown, but there are an estimated 73 million devices connected to the Internet in Brazil, and the top ISPs in the country manage about 3-4 million people each. So, even if only a small percentage were successfully targeted, the overall total number of victims is likely to be frightening.

Around the Web

Comment on this Story

comments powered by Disqus

From Autosaur.com

Chevrolet shows off the 2015 Colorado with digital experience

Chevrolet has launched a new website to show buyers all the bells and whistles available on ...

Mazda to debut CX-3 and MX-5 at Los Angeles Auto Show

Mazda has announced plans to premiere the new Mazda CX 3, its new compact crossover SUV, at ...

Ford issues safety recall for 204,448 Ford Edge and Lincoln MKX

Ford has issued a safety recall for 204,448 of the 2007-2008 Ford Edge and Lincoln MKX in No...

Mopar Previews SEMA Custom Rides

We have added a set of pictures released by Mopar ahead of the SEMA Show. Mopar are bri...

Audi R8 Competition – The Most Powerful Production Audi Ever

Audi has revealed details of their new super-fast Audi R8 Competititon — the most powerful a...