Daily cyber threats and internet security news: network security, online safety and latest security alerts
July 29th, 2008

Insecure Online Updates Toolkit For DNS Cache Poisoning Exploited In The Wild

Security researchers from Argentina have released a malcode distribution toolkit that, once an attacker holds a man-in-the-middle position, delivers malicious code through the insecure update mechanisms of popular products. The toolkit, called Evilgrade, works in conjunction with man-in-the-middle techniques (DNS, ARP and DHCP spoofing) to exploit a wide range of applications, according to a post on the Metasploit blog.

The first version of the toolkit ships with exploit modules for several widely deployed applications, including Apple’s Mac OS X and iTunes, WinZip, Winamp, OpenOffice, Sun Java, DAP, Speedbit, Notepad++, the LinkedIn Toolbar and others. Evilgrade is a modular framework for exploiting poor update implementations by injecting fake updates: each module implements what is needed to emulate the update server of a specific application or system, answering the client’s version check with a fake “newer” version and handing it the attacker’s payload as the update. Because the victim application is redirected by host name, Evilgrade requires control of the victim’s DNS traffic.

This demo video shows how a sophisticated blended attack can be used to target millions of Windows users. In the video, Evilgrade uses HD Moore’s recently released exploit for the DNS cache poisoning flaw in tandem with Sun’s Java update mechanism to execute code on, and hijack, a fully patched Windows machine.

Evilgrade only works once a man-in-the-middle attack has been carried out, but thanks to the domain name system vulnerability that has dominated security coverage ever since researcher Dan Kaminsky sounded the alarm three weeks ago, that is not much of a problem.
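The attack pattern described above, modelled as an added example that is not part of the article or of the Evilgrade code: a client that fetches its update manifest over plain HTTP and trusts whatever the resolved host returns, next to a hardened client that installs only what the vendor’s signing key has endorsed. The host names, IP addresses, version numbers and payloads are constructed for the example, DNS is modelled as a lookup table the attacker can poison, and the RSA key pairs are generated at runtime with textbook (unpadded) RSA, which is enough to make the point but is not what production code should use.

```python
import hashlib
import json
import secrets

UPDATE_HOST = "updates.example.com"                      # hypothetical vendor host
VENDOR_IP, ATTACKER_IP = "203.0.113.10", "198.51.100.7"  # documentation addresses

def _probable_prime(n, rounds=16):
    """Miller-Rabin; callers only pass odd n > 3."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(cand):
            return cand

def rsa_keygen(bits=512):
    """Return (public, private) as (exponent, modulus) pairs. Toy sizes, toy scheme."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this is gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)

def _h(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")  # < 2^256 < n

def rsa_sign(priv, data):
    d, n = priv
    return pow(_h(data), d, n).to_bytes(64, "big")

def rsa_verify(pub, data, sig):
    e, n = pub
    return pow(int.from_bytes(sig, "big"), e, n) == _h(data)

class Network:
    """DNS as a table the attacker can poison; HTTP as a blind fetch from whoever answers."""
    def __init__(self):
        self.dns, self.servers = {}, {}   # host -> ip, ip -> {path: bytes}

    def http_get(self, host, path):
        # Plain HTTP: the client learns nothing about who actually answered for `host`.
        return self.servers[self.dns[host]][path]

def naive_update(net, installed_version):
    """The pattern Evilgrade exploits: version and installer are trusted because they came from UPDATE_HOST."""
    manifest = json.loads(net.http_get(UPDATE_HOST, "/manifest.json"))
    if manifest["version"] <= installed_version:
        return None
    return net.http_get(UPDATE_HOST, "/installer.bin")   # a real client would now execute this

def signed_update(net, installed_version, vendor_pub):
    """Hardened: install only a newer version whose manifest the vendor key signed."""
    raw = net.http_get(UPDATE_HOST, "/manifest.json")
    sig = net.http_get(UPDATE_HOST, "/manifest.sig")
    if not rsa_verify(vendor_pub, raw, sig):
        raise ValueError("manifest signature invalid; refusing update")
    manifest = json.loads(raw)
    if manifest["version"] <= installed_version:   # also blocks downgrade to an older, exploitable build
        return None
    installer = net.http_get(UPDATE_HOST, "/installer.bin")
    if hashlib.sha256(installer).hexdigest() != manifest["sha256"]:
        raise ValueError("installer does not match signed manifest; refusing update")
    return installer

def _publish(net, ip, version, installer, priv):
    manifest = json.dumps({"version": version, "sha256": hashlib.sha256(installer).hexdigest()},
                          sort_keys=True).encode()
    net.servers[ip] = {"/manifest.json": manifest, "/manifest.sig": rsa_sign(priv, manifest),
                       "/installer.bin": installer}

GENUINE_INSTALLER, EVIL_PAYLOAD = b"vendor-installer-1.1", b"attacker-payload"  # constructed

def build_scenario(poisoned):
    """Vendor serves 1.1; attacker advertises a 'newer' 9.9 signed with its own key; `poisoned` picks the DNS answer."""
    net = Network()
    vendor_pub, vendor_priv = rsa_keygen()
    _publish(net, VENDOR_IP, [1, 1], GENUINE_INSTALLER, vendor_priv)
    _attacker_pub, attacker_priv = rsa_keygen()
    _publish(net, ATTACKER_IP, [9, 9], EVIL_PAYLOAD, attacker_priv)
    net.dns[UPDATE_HOST] = ATTACKER_IP if poisoned else VENDOR_IP
    return net, vendor_pub
```

With `build_scenario(poisoned=True)`, `naive_update(net, [1, 0])` returns the attacker’s payload, exactly the outcome the Evilgrade modules automate, while `signed_update` raises because the attacker cannot produce a manifest signature under the vendor’s key; an attacker who instead relays the vendor’s genuine signed manifest and only swaps the installer is caught by the hash check. The decision to install must depend on something the network attacker cannot forge, not on which address the update host happened to resolve to.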

Numerous independent sources have recently begun seeing evidence of DNS cache poisoning attempts against their local networks, apparently aimed at exploiting the DNS cache poisoning vulnerability. Publicly available exploits have been downloaded tens of thousands of times in the last few days.

Users should check whether their ISP is running recursive DNS servers still susceptible to cache poisoning; recent studies show that many US ISPs are vulnerable to this attack. The patches the vendors shipped earlier this month randomize the UDP source port of outgoing queries, so a resolver that still sends every query from the same port, or from predictable ones, remains exposed.
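One way to carry out that check, as an added example that is not from the article: query random subdomains of a zone whose authoritative name server you control through the resolver under test, record the UDP source port and transaction ID of each query as it arrives at your server, and feed the list to the function below. The sample observations are constructed for the example (seeded so they are reproducible) and stand in for three resolvers: one on a fixed port, one walking ports sequentially, and one patched.

```python
import random

def assess_source_ports(observations, min_ratio=0.9):
    """observations: [(udp_source_port, txid), ...] in the order the queries arrived.
    Flags the patterns that leave a resolver open to the Kaminsky attack."""
    ports = [p for p, _ in observations]
    txids = [t for _, t in observations]
    n = len(observations)
    distinct_ports, distinct_txids = len(set(ports)), len(set(txids))
    sequential = sum(1 for a, b in zip(ports, ports[1:]) if b == a + 1)
    findings = []
    if distinct_ports == 1:
        findings.append(f"fixed source port {ports[0]}: only the 16-bit txid protects the cache")
    elif sequential >= (n - 1) / 2:
        findings.append("source ports increment predictably")
    elif distinct_ports < n * min_ratio:
        findings.append(f"low port diversity: {distinct_ports} distinct ports in {n} queries")
    if distinct_ports > 1 and max(ports) - min(ports) < 1024:
        findings.append("source ports drawn from a narrow range")
    if distinct_txids < n * min_ratio:
        findings.append(f"low txid diversity: {distinct_txids} distinct in {n} queries")
    return {"queries": n, "distinct_ports": distinct_ports, "distinct_txids": distinct_txids,
            "findings": findings, "vulnerable": bool(findings)}

# Constructed sample captures: 40 queries per resolver, txids always well spread,
# so any finding is about the ports.
_rng = random.Random(2008)
_TXIDS = _rng.sample(range(65536), 40)
FIXED_PORT_SAMPLE = [(53, t) for t in _TXIDS]                          # unpatched, port 53 for everything
SEQUENTIAL_SAMPLE = [(32768 + i, t) for i, t in enumerate(_TXIDS)]      # unpatched, port++ per query
PATCHED_SAMPLE = list(zip(_rng.sample(range(1024, 65536), 40), _TXIDS)) # random ephemeral ports
```

A fixed or predictable port leaves the attacker guessing only the 16-bit transaction ID per forged answer; randomized ports push that to roughly 32 bits. Two caveats when running this against a real ISP: a NAT or firewall between the resolver and the internet can rewrite randomized ports back into a predictable sequence, so what your authoritative server sees is what matters, not what the resolver thinks it sends; and a resolver that caches your zone will answer the second query itself, which is why each query must use a fresh random label.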
