Security Incidents mailing list archives

RE: Global DNS Cache poisoning?


From: "Hubbard, Dan" <dhubbard () websense com>
Date: Fri, 4 Mar 2005 13:30:45 -0800

We posted this information earlier today:

http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=144

From our site: 

"We have investigated the sites that are reporting to direct users to
malicious websites. These sites attempt to download and install code and
an Active X piece called "ABC Search Webinstall." The name of the
executable is "mhh.exe." Websense® Security Labs™ is investigating
its behavior." The mhh.exe installs a toolbar from BestToolbars.net.
Homepage and search engine settings are changed.

As far as proof of the poisoning, we have not witnessed any name lookups
ourselves but we have seen large increases in the number of users
visiting some of the sites listed in the SANS details. In particular:

http://www.7sir7.com/abx_search_webinstall/download.html

Internet Storm Center Details:

http://isc.sans.org//index.php 

-----Original Message-----
From: Russell Guthrie [mailto:rguthrie () humana com] 
Sent: Friday, March 04, 2005 11:26 AM
To: incidents () securityfocus com
Subject: Global DNS Cache poisoning?



SANS is reporting a potential DNS cache poisoning.  Has anyone heard or
seen anything to confirm this?

