
Hackers poison Brazilian ISP DNS to infect users with banking Trojan

DNS servers from multiple Brazilian ISPs were compromised to direct users to malicious websites

Security researchers from antivirus vendor Kaspersky Lab warn that cybercriminals hacked into the DNS (Domain Name System) servers of several Brazilian ISPs and used them to redirect users to websites that distributed malware.

These attacks have occurred in the last few days, but they are not new to the region, according to Kaspersky Lab experts. "We believe it's not the last time this happens in Brazil and in the future we'll see more attacks like this," said Dmitry Bestuzhev, the head of Kaspersky's global research and analysis team.

"This kind of attack may happen in any place of the world and basically take place because of vulnerabilities on the ISP side. The only thing which can be done in this case from the ISP side is to make sure that all DNS servers are really protected," he added.

The DNS is a core part of the Internet infrastructure and is used for translating domain names into IP (Internet Protocol) addresses. Every time users try to access a website in their browser, their computer queries a DNS server - usually one provided by their ISP - for the corresponding IP address.

The latest incidents involved hackers modifying the DNS records returned by ISP servers for popular websites, including Google Brazil, YouTube, Gmail, Hotmail and several large Brazilian Internet portals like Uol, Terra or Globo.

Instead of responding with the correct IPs corresponding to those domains, the hijacked DNS servers returned the address of a Web server hosting spoofed pages that distributed Java exploits and banking Trojans.

Bestuzhev declined to name the affected ISPs, citing security reasons, but said that those behind the attacks most likely exploited vulnerabilities in the DNS software used by the compromised servers.

DNSSEC, a security extension that uses digital signatures to verify the authenticity of DNS responses, is a solution against some of these attacks and should be adopted by all ISPs, the Kaspersky security expert said. However, he didn't know if any of the affected servers used the technology.

There are different types of DNS poisoning attacks, and aside from software vulnerabilities, rogue server administrators are also a threat. Last week, the Brazilian Federal Police arrested an employee of a medium-sized ISP who used his access to the company's DNS servers to manually modify records for certain websites and direct users to phishing pages.

The best solution for users who want to protect themselves from such attacks is to use alternative DNS servers, like those provided by Google and other specialised organisations, Bestuzhev said.

However, it's better if users configure each of their computers individually to use the alternative DNS servers instead of defining them in their home routers. That's because there are also attacks that exploit vulnerabilities in such networking devices to replace the configured DNS servers with others controlled by hackers.
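As an added illustration (not from Kaspersky Lab or the original article), the check below parses two DNS responses for the same name, one from the ISP resolver and one from an alternative resolver, and reports addresses that only the ISP returned. The domain, the addresses (documentation ranges) and all function names are assumptions, and the responses are constructed inline rather than captured.

```python
import socket
import struct

def encode_name(name):
    # DNS wire format: length-prefixed labels terminated by a zero byte
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_response(name, ips, qid=0x1234):
    # Builds a constructed sample response (QR/RD/RA set) with one A record per IP
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                       + socket.inet_aton(ip) for ip in ips)
    return header + question + answers

def skip_name(msg, off):
    # Advance past a name; a compression pointer (top two bits set) ends it
    while True:
        n = msg[off]
        if (n & 0xC0) == 0xC0:
            return off + 2
        if n == 0:
            return off + 1
        off += 1 + n

def a_records(msg):
    """Return the set of IPv4 addresses in the answer section of a response."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # name, then QTYPE and QCLASS
    ips = set()
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:          # A record
            ips.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips

def divergent(isp_msg, ref_msg):
    """Addresses the ISP resolver returned that the reference resolver did not."""
    return a_records(isp_msg) - a_records(ref_msg)

# Constructed responses; www.example.com and both address ranges are placeholders
ISP_REPLY = build_response("www.example.com", ["198.51.100.7"])
REF_REPLY = build_response("www.example.com", ["192.0.2.10", "192.0.2.11"])
print(sorted(divergent(ISP_REPLY, REF_REPLY)))
```

Large sites legitimately return different addresses to different resolvers, so a divergence is a prompt for further checks, such as validating the site's TLS certificate, rather than proof of a hijacked resolver.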




Comments

Leoparticular said: Anyone knows which are the banks affected


