Websense® Security Labs(TM) ThreatSeeker(TM) Network has detected that the
DNS cache on the default DNS server used by the customers of China Netcom
(CNC) has been poisoned. When China Netcom customers mistype and enter an
invalid domain name, the poisoned DNS server directs the visitor's browser
to a page that contains malicious code. China Netcom is among the top ISPs
in that country.

When users mistype a domain name, they are sometimes directed by their ISPs
to a placeholder Web site with generic advertisements. This is typically an
additional revenue source for the ISP. In the case of CNC, customers of this
prominent ISP are directed to a Web site under the control of an attacker.
These malicious sites contain an iframe with malicious code that attempts to
exploit, among other applications and plug-ins, the Microsoft Snapshot
Viewer vulnerability which we reported on http://securitylabs.websense.com/content/Alerts/3106.aspx
at the start of the month.

A user querying an unaffected DNS server is taken through to a clean site,
whereas a user querying a poisoned name server is taken to a malicious site
under the hacker's control. The malicious iframe points to a server in China
hosting exploits for RealPlayer, MS06-014, MS Snapshot Viewer and Adobe