
Malware Compromises Web-hosts’ DNS Servers in Netherlands

On August 5, 2013, Fox-IT's monitoring service first spotted a redirect on conrad.nl, a heavily visited electronics web store, and shortly afterwards redirects on several other sites. The way Conrad.nl was compromised made it apparent that many sites were redirecting because the Domain Name System (DNS) servers of three web hosts, Webstekker, VDX and Digitalus, had been hijacked, blog-fox-it.com reported on August 5, 2013.

Every website using those web hosts' DNS servers was likely affected. Digitalus observed that someone had altered the Domain Name Registration (DNR) held at the Foundation for Internet Domain Registration in the Netherlands (SIDN), pointing the domains at outside name servers.

Consequently, DNS requests intended for those hosts ended up at the malicious DNS servers. Because the DNS zones carried a 24-hour Time-to-Live (TTL), most ISPs' resolvers would keep serving the wrong data for at least that long while the rogue zones remained active. After the ISPs were contacted the problem was rectified, and the external name servers now respond with the correct data.

Fox-IT's experts explained that whenever a visitor tried to open one of the affected sites, an empty page reading "Under construction" was shown, containing an iFrame that loaded the BlackHole exploit kit. Conrad.nl was at first presumed to be the only hijacked site, but soon requests to the DNS servers for more websites returned the same single IP address, 178.33.22.5, for all of them, the experts said. Softpedia.com reported this on August 6, 2013.
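The two observable signs described above, a domain's delegation moving to outside name servers and many unrelated hostnames collapsing onto one IP, can be checked from the defender's side. The following is an added example, not code from the article or from Fox-IT, run over a constructed offline snapshot of DNS answers; the domain names, name servers and addresses are invented.

```python
# Added example: flag hijack indicators in a set of DNS answers.
# All names, servers, and addresses below are constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Answer:
    name: str    # queried name
    rtype: str   # "NS" or "A"
    value: str   # name server host or IPv4 address
    ttl: int     # seconds the answer may be cached


# Delegation each site owner expects at the registry (constructed).
EXPECTED_NS = {
    "example-shop.nl": {"ns1.hoster.example", "ns2.hoster.example"},
    "example-news.nl": {"ns1.hoster.example", "ns2.hoster.example"},
    "example-bank.nl": {"ns1.hoster.example", "ns2.hoster.example"},
}

# Constructed snapshot during an incident: two domains delegated to an
# outside name server, and their web hosts all answer with one address.
SNAPSHOT = [
    Answer("example-shop.nl", "NS", "ns1.outside.example", 86400),
    Answer("example-news.nl", "NS", "ns1.outside.example", 86400),
    Answer("example-bank.nl", "NS", "ns2.hoster.example", 86400),
    Answer("www.example-shop.nl", "A", "203.0.113.5", 86400),
    Answer("www.example-news.nl", "A", "203.0.113.5", 86400),
    Answer("www.example-bank.nl", "A", "198.51.100.7", 300),
]


def unexpected_delegations(answers, expected=EXPECTED_NS):
    """Domains whose observed NS set includes servers outside the expected set."""
    seen = defaultdict(set)
    for a in answers:
        if a.rtype == "NS":
            seen[a.name].add(a.value)
    return sorted(d for d, ns in seen.items() if ns - expected.get(d, set()))


def shared_address_clusters(answers, min_hosts=2):
    """Map each IP that several distinct hostnames resolve to -> sorted hostnames."""
    by_ip = defaultdict(set)
    for a in answers:
        if a.rtype == "A":
            by_ip[a.value].add(a.name)
    return {ip: sorted(h) for ip, h in by_ip.items() if len(h) >= min_hosts}


def cache_exposure_hours(answers, rtype="A"):
    """Longest time (hours) a resolver may keep serving a poisoned answer, from the TTLs."""
    ttls = [a.ttl for a in answers if a.rtype == rtype]
    return max(ttls) / 3600 if ttls else 0.0
```

A shared address on its own is a weak signal, since shared hosting and CDNs legitimately put many sites behind one IP; it becomes meaningful when it coincides with an unexpected delegation change, which is the combination the hosts in this incident missed.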

By exploiting PDF and Java security flaws, BlackHole pushed malware that in turn downloaded a Tor-powered malware. Fox-IT says only 4 of VirusTotal's 45 anti-virus engines detected the first piece of malware.

Though this is unclear, the ISPs think SIDN is the origin of the hack.

More disturbingly, the web hosts treated the incident as a matter of their clients' websites being unreachable. They disregarded the real problem: visitors running unpatched software became infected. In any case, whatever flaw was exploited to alter the DNS must be rectified, Fox-IT advises.

» SPAMfighter News - 14-08-2013
