Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

New Domain Poisoning Attacks Microsoft Servers

The DNS cache poisoning that first struck more than a month ago and led to users being redirected from popular Web sites to malicious sites that infected their machines with spyware, is continuing, said the Internet Storm Center (ISC) Wednesday. The attacks are taking advantage of vulnerabilities and design flaws in Microsoft server software.

DNS cache poisoning occurs when an attacker hacks into a domain name server, one of the machines that translate URLs such as www.techweb.com into the appropriate IP address. The attacker then "poisons" the server by planting counterfeit data in the cache of the name server. When a user requests, say, techweb.com, and the IP address is resolved by the hacked domain server, the bogus data is fed back to the browser and the user is directed to another Web site, not the intended destination.

To highlight the danger, the ISC raised its Homeland Security-esque alert color code from Green to Yellow. According to ISC, Yellow represents that "we are currently tracking a significant new threat. The impact is either unknown expected to be minor to the infrastructure. However, local impact would be significant."

To set the DNS cache poisoning threat in perspective, Yellow is the same alert color code that ISC used during the SQL Slammer, MSBlast, and Sasser worm outbreaks, three of the nastiest in the last two years.

The newest attack, said Kyle Haugsness, one of the ISC analysts, is actually the third since March 4. Like the initial attack, the motivation is certainly money, since the result is again the installation of mass quantities of spyware on victims' PCs.

  • 1