China Netcom DNS cache poisoning
Threat Type: Malicious Web Site / Malicious Code
Websense® Security Labs™ ThreatSeeker™ Network has detected that the DNS cache on the default DNS server used by the customers of China Netcom (CNC) has been poisoned. When China Netcom customers mistype and enter an invalid domain name, the poisoned DNS server directs the visitor's browser to a page that contains malicious code. China Netcom is among the top ISPs in that country.
When users mistype a domain name, they are sometimes directed by their ISPs to a placeholder Web site with generic advertisements. This is typically an additional revenue source for the ISP. In the case of CNC, customers of this prominent ISP are directed to a Web site under the control of an attacker.
These malicious sites contain an iframe with malicious code that attempts to exploit, among other applications and plug-ins, the Microsoft Snapshot Viewer vulnerability which we reported on at the start of the month.
The following screenshots show an nslookup of a potential mistyped URL. The first shows an unaffected name server, while the second shows the poisoned name server:
Unaffected name server:
Poisoned DNS server:
A user querying an unaffected DNS server is taken through to a clean site:
A user querying a poisoned name server is taken to a malicious site under the attacker's control:
The malicious iframe points to a server in China hosting exploits for RealPlayer, MS06-014, MS Snapshot Viewer and Adobe Flash player.
Websense Messaging and Websense Web Security customers are protected against this attack.