According to the SANS Internet Storm Center, the center first received reports of so-called DNS cache poisoning attacks on March 3 and has been monitoring the problem since then.
DNS cache poisoning works by getting a resolving name server to store false records in its cache, so that it answers later queries with the attacker's data and sends users away from legitimate sites to ones the attacker controls. In this attack, the poisoned caches carried a false name-server entry for the entire .com top-level domain, pointing it at servers the hijackers ran, so any lookup of a .com name through an affected resolver could be answered with whatever address the hijackers chose.
However, according to Kyle Haugsness, an incident handler at SANS, the attackers did not rely on a single method to temporarily poison certain DNS servers; they combined several, including DNS poisoning, bugs in products from both Microsoft Corp. and Symantec Corp., and spyware, to keep the attack going over the course of the month.
"After monitoring the situation for several weeks now, it has become apparent that the attackers are changing their methods and toolset to point at different compromised servers in an effort to keep the attacks alive. This attack morphed into a similar attack with different IP addresses that users were redirected towards," Haugsness said in a statement.
Although the identity of the hijackers is as yet unknown, according to Haugsness, one of the attacks "seems to have been launched by a known spammer," and the end goal of the entire attack appears to have been to install as much spyware and adware on affected machines as possible.
The domains that the attack redirected to were, it appears, purchased just before the attacks began, and more than 1,300 domain names were hijacked, including some of those belonging to American Express, H&R Block, FedEx, Wal-Mart and CNN. None of these sites was itself compromised; rather, affected users attempting to reach them were redirected to the hijackers' sites.
SANS has declined to release the names of any of the companies whose DNS servers were compromised. However, according to Haugsness, "I would conservatively estimate that 500 to 1,000 medium-to-large organizations were affected by these attacks." Most of the victims were in North or South America.
SANS has advised system administrators to block IP traffic to the addresses involved in the attack. Administrators should also check the configuration of any DNS server running Windows NT 4 or Windows 2000, as the default configuration of both products is not immune to DNS cache poisoning: the DNS service's "Secure cache against pollution" option, which makes the server discard records in a reply that belong to zones other than the one the queried server is responsible for, is off by default on those versions and should be enabled. Several Symantec products, including some versions of Symantec Enterprise Firewall and Symantec Gateway Security, are also vulnerable and may require patching.
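To make the mechanism concrete, the following is an added illustration written for this page, not code from the article, from SANS, or from Microsoft or Symantec. It models a resolver cache that stores every record a reply carries (the behaviour of the unhardened servers described above) beside one that applies a bailiwick check, which is what "secure cache against pollution" style hardening does. The reply it feeds in is constructed: a server for a made-up attacker zone `lure.example.` answers a harmless query but slips in an authority record claiming `.com` is delegated to the attacker's own name server. All names and addresses are illustrative documentation values.

```python
"""Toy model of DNS cache poisoning through out-of-bailiwick authority records.

Added example, not the article's or any vendor's code. Demonstrates why one
poisoned reply can hijack every .com lookup on an unhardened resolver, and
how a bailiwick check (records outside the answering server's zone are
dropped) stops it.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record: owner name (absolute, trailing dot), type, data."""
    name: str
    rtype: str
    rdata: str


@dataclass
class Response:
    """The three record sections of a DNS reply to a query for `qname`."""
    qname: str
    answer: tuple
    authority: tuple
    additional: tuple


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if `owner` equals `zone` or lies beneath it ("." contains all)."""
    owner, zone = owner.lower(), zone.lower()
    if zone == ".":
        return True
    return owner == zone or owner.endswith("." + zone)


class ResolverCache:
    """Minimal cache. With check_bailiwick=False it caches every record in a
    reply regardless of whose zone the record claims to describe, which is
    the weakness the article's attack relies on."""

    def __init__(self, check_bailiwick: bool):
        self.check_bailiwick = check_bailiwick
        self._rrs = {}  # (owner name, type) -> set of rdata

    def ingest(self, resp: Response, answering_zone: str) -> list:
        """Cache a reply from a server consulted as authoritative for
        `answering_zone` (known from the delegation chain). Returns the
        records that were rejected."""
        dropped = []
        for rr in resp.answer + resp.authority + resp.additional:
            if self.check_bailiwick and not in_bailiwick(rr.name, answering_zone):
                dropped.append(rr)
                continue
            self._rrs.setdefault((rr.name.lower(), rr.rtype), set()).add(rr.rdata)
        return dropped

    def get(self, name: str, rtype: str) -> set:
        return self._rrs.get((name.lower(), rtype), set())

    def next_nameserver(self, qname: str):
        """Where a query for `qname` would be sent next: the NS set of the
        closest enclosing zone in the cache, or None (fall back to root hints).
        Returns (zone, nameserver host, addresses known for that host)."""
        labels = qname.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            zone = ".".join(labels[i:]) + "."
            ns = self.get(zone, "NS")
            if ns:
                host = sorted(ns)[0]
                return zone, host, self.get(host, "A")
        return None


# Constructed reply from the attacker's server for the made-up zone lure.example.
# The question was innocuous; the authority section is the payload.
POISONED_REPLY = Response(
    qname="bait.lure.example.",
    answer=(RR("bait.lure.example.", "A", "198.51.100.7"),),
    authority=(RR("com.", "NS", "ns.lure.example."),),       # ".com is mine"
    additional=(RR("ns.lure.example.", "A", "198.51.100.9"),),  # glue for it
)


def simulate(check_bailiwick: bool):
    """Ingest the poisoned reply, then ask where a later .com lookup goes.
    Returns (number of records rejected, next hop for www.example.com.)."""
    cache = ResolverCache(check_bailiwick)
    dropped = cache.ingest(POISONED_REPLY, answering_zone="lure.example.")
    return len(dropped), cache.next_nameserver("www.example.com.")


if __name__ == "__main__":
    print("unhardened cache:", simulate(False))   # .com now resolves via 198.51.100.9
    print("bailiwick check :", simulate(True))    # forged com. NS dropped, root hints used
```

On the unhardened cache the single `com. NS` record survives, so every later `.com` query (for any of the 1,300 names the article mentions, or any other) is sent to the hijackers' server; the legitimate sites are never touched, which matches the article's point that the victims were resolvers, not the sites. With the check on, the answer and the glue for the attacker's own zone are still cached (they are in bailiwick), but the claim about `.com` is discarded.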