Insecure Online Updates Toolkit For DNS Cache Poisoning Exploited In The Wild
Security researchers from Argentina have released a malcode distribution toolkit capable of launching man-in-the-middle attacks against popular products that use insecure update mechanisms. The toolkit, called Evilgrade, works in conjunction with man-in-the-middle techniques (DNS, ARP and DHCP spoofing) to exploit a wide range of applications, according to a post on the Metasploit blog.
The first version of the toolkit ships with exploit modules for several widely deployed software products, including Apple’s Mac OS X and iTunes, WinZip, Winamp, OpenOffice, Sun Java, DAP, Speedbit, Notepad++, Linkedin Toolbar and others. The toolkit is a modular framework that exploits poor upgrade implementations by injecting fake updates. Each module implements the structure needed to emulate a false update for a specific application or system. Evilgrade depends on manipulation of the victim’s DNS traffic.
This demo video shows how a sophisticated blended attack can be used to target millions of Windows users. In the video, Evilgrade uses HD Moore’s recent DNS exploit in tandem with Sun’s Java update mechanism to execute code and hijack a fully patched Windows machine.
Evilgrade works only when a man-in-the-middle attack has first been carried out, but thanks to the domain name system vulnerability that has dominated security coverage ever since researcher Dan Kaminsky sounded the alarm three weeks ago, that’s not much of a problem.
Numerous independent sources have recently started to see evidence of DNS cache poisoning attempts on their local networks, in what appears to be an attempt to take advantage of the DNS cache poisoning vulnerability. Publicly available exploits have been downloaded tens of thousands of times in the last few days.
Users should check whether their ISP is running DNS servers susceptible to cache poisoning. Recent studies show that many ISPs in the USA are vulnerable to this attack.
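One way to make that check concrete, as an added example that is not part of the original article: the fix deployed for the Kaminsky flaw was to randomize the UDP source port of resolver queries, so a resolver that queries from a fixed or predictable port remains easy to poison. The port lists below are constructed samples of what an authoritative server you control would log for one resolver, and the 3000 threshold is an assumed value.

```python
import statistics

# Constructed sample data: UDP source ports of consecutive queries from four
# hypothetical resolvers, as logged at an authoritative name server.
FIXED_PORT = [53] * 12
SEQUENTIAL = [32768 + i for i in range(12)]
NARROW = [1030, 1077, 1042, 1099, 1025, 1061, 1088, 1034, 1070, 1051, 1093, 1046]
RANDOMIZED = [50213, 1894, 33907, 61022, 12477, 45510,
              27031, 58644, 9120, 40388, 21765, 63999]

MIN_SAMPLES = 10      # too few observations say nothing about randomness
WEAK_STDEV = 3000     # assumed cut-off for "ports cluster in a small range"


def port_report(ports):
    """Summarise how predictable a resolver's query source ports are."""
    if len(ports) < MIN_SAMPLES:
        raise ValueError("need at least %d observations" % MIN_SAMPLES)
    # Step between consecutive ports, modulo the 16-bit port space.
    deltas = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    # A single dominant step means the resolver uses a counter, not an RNG.
    top_step = max(set(deltas), key=deltas.count)
    return {
        "distinct": len(set(ports)),
        "stdev": statistics.pstdev(ports),
        "step_share": deltas.count(top_step) / len(deltas),
    }


def classify(ports):
    """Return a verdict string for one resolver's observed source ports."""
    r = port_report(ports)
    if r["distinct"] == 1:
        return "VULNERABLE: fixed source port"
    if r["step_share"] >= 0.5:
        return "VULNERABLE: predictable port sequence"
    if r["stdev"] < WEAK_STDEV:
        return "WEAK: narrow port range"
    return "OK: source ports look randomized"


if __name__ == "__main__":
    for name, sample in [("fixed", FIXED_PORT), ("sequential", SEQUENTIAL),
                         ("narrow", NARROW), ("randomized", RANDOMIZED)]:
        print(name, "->", classify(sample))
```

A resolver behind a NAT device can fail this check even when the resolver software is patched, because the NAT may rewrite source ports to a fixed or sequential value.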