Malware Compromises Web Hosts' DNS Servers in the Netherlands
On August 5, 2013, Fox-IT's monitoring service spotted a redirect, at first only on conrad.nl, a heavily visited online electronics store, but after some time on several other websites as well. From the manner in which conrad.nl had been compromised it became apparent that numerous sites were being redirected: the Domain Name System (DNS) servers of three web hosts, Webstekker, VDX and Digitalus, had been hijacked, blog-fox-it.com reported on August 5, 2013.
Every website that relied on these web hosts' DNS servers was likely to have been affected. Digitalus observed that somebody had altered the domain name registrations held at SIDN, the Foundation for Internet Domain Registration in the Netherlands, pointing the domains at external name servers.
Consequently, every DNS request for those domains ended up at the malicious DNS servers. And because the DNS zones carried a 24-hour Time-to-Live (TTL), the majority of ISPs' resolvers would keep serving the wrong data for at least that long after the zones were corrected. Once the ISPs had been contacted the problem was rectified, and the external name servers now respond with the correct data.
Experts at Fox-IT explained that whenever one of the affected sites was visited, it showed an empty web page reading "Under construction" which contained an iframe that actually hosted the BlackHole exploit kit. Conrad.nl was at first presumed to be the only hijacked site, but soon requests to the DNS servers for more websites came back with a single IP address, 220.127.116.11, for all of them, the experts said. Softpedia.com reported this on August 6, 2013.
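The two symptoms described above, many unrelated domains collapsing onto one IP address and a 24-hour TTL keeping the poisoned answers alive in resolver caches, are easy to check for on the defender side. The following script is an added example and is not code from the article, from Fox-IT or from the web hosts; the sample answers, the baseline addresses and the observation time are constructed, and only conrad.nl and the address 220.127.116.11 come from the report.

```python
"""
Added example (not from the SPAMfighter article or Fox-IT). It shows
(1) flagging when many previously distinct domains suddenly resolve to
one IP, and (2) estimating how long a cached answer can still be served
given its TTL. All sample data is constructed except conrad.nl and
220.127.116.11, which are quoted in the report.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed DNS A-record answers: (query name, answer IP, TTL in seconds).
# Names other than conrad.nl are hypothetical placeholders.
SAMPLE_ANSWERS = [
    ("conrad.nl", "220.127.116.11", 86400),
    ("shop-a.example", "220.127.116.11", 86400),
    ("shop-b.example", "220.127.116.11", 86400),
    ("shop-c.example", "220.127.116.11", 86400),
    ("unrelated.example", "192.0.2.10", 3600),
]

# Constructed known-good baseline: what each name resolved to before the change.
BASELINE = {
    "conrad.nl": "192.0.2.50",
    "shop-a.example": "192.0.2.51",
    "shop-b.example": "192.0.2.52",
    "shop-c.example": "192.0.2.53",
    "unrelated.example": "192.0.2.10",
}


def group_by_ip(answers):
    """Map each answer IP to the set of names that resolved to it."""
    groups = defaultdict(set)
    for name, ip, _ttl in answers:
        groups[ip].add(name)
    return groups


def shared_ip_alerts(answers, baseline, min_names=3):
    """Return {ip: [names]} for IPs that at least `min_names` names now resolve
    to while differing from each name's baseline address. One IP answering for
    many previously distinct sites is the symptom Fox-IT observed."""
    alerts = {}
    for ip, names in group_by_ip(answers).items():
        changed = sorted(n for n in names if baseline.get(n) != ip)
        if len(changed) >= min_names:
            alerts[ip] = changed
    return alerts


def cache_expiry(answers, observed_at):
    """Latest moment a resolver that cached each answer at `observed_at` may
    still serve it: observed_at + TTL. With a 24h TTL, a corrected zone does
    not reach every client for a full day."""
    return {name: observed_at + timedelta(seconds=ttl) for name, _ip, ttl in answers}


def stale_names(answers, observed_at, now):
    """Names whose cached (possibly poisoned) answer can still be served at `now`."""
    return sorted(n for n, exp in cache_expiry(answers, observed_at).items() if exp > now)


def stale_after(answers, hours):
    """Convenience wrapper: names still cacheable `hours` after a constructed
    observation time of 2013-08-05 09:00."""
    seen = datetime(2013, 8, 5, 9, 0)
    return stale_names(answers, seen, seen + timedelta(hours=hours))


if __name__ == "__main__":
    print("shared-IP alerts:", shared_ip_alerts(SAMPLE_ANSWERS, BASELINE))
    print("still cached 6h after the fix:", stale_after(SAMPLE_ANSWERS, 6))
    print("still cached 25h after the fix:", stale_after(SAMPLE_ANSWERS, 25))
```

The baseline comparison matters: a shared address on its own is normal for sites behind one CDN or shared hosting, so the alert fires only when the shared address is also a change from what each name resolved to before. Feeding real resolver logs into `SAMPLE_ANSWERS` is the only change needed to run this against live data.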
By exploiting PDF and Java security flaws, BlackHole pushed malware that in turn downloaded a Tor-based piece of malware. Fox-IT says only 4 of VirusTotal's 45 anti-virus engines detected the first malware.
Though it remains unclear, the ISPs think SIDN is where the hack originated.
More disturbingly, the web hosts treated the incident as a matter of their clients' websites being unreachable and disregarded the real problem, namely that visitors with unpatched software had been infected. In any case, whatever flaw was exploited to alter the DNS records must be fixed, Fox-IT advises.
» SPAMfighter News - 14-08-2013