By George (George) on Tuesday, April 12, 2005 - 08:41 am:
This alert originates from The Internet Storm Center, the central
"weather service" for the worldwide Internet. This means that they
have seen it happen!
Considering the severity of this problem, I expect US-CERT to issue
high-level warnings within hours.
This is EXTREMELY serious!!
Poisoning of the Domain Name System (DNS), the backbone "phonebook"
of the worldwide Internet, is almost invisible to the Internet
clients. The only absolutely sure way to thwart this type of
redirection is to use native IP addresses in your browser to access
secure websites. There are some other methods available from the
However, I recommend extreme caution when accessing ANY secure site
via a URL that must be looked up through the DNS. BE SURE to check
the security certificate for the website before transmitting ANY
Considering the seriousness of this issue, I expect it to be resolved
within a few days. Until then, BE CAREFUL! The bad guys now have
the ability to fool most anyone into divulging sensitive information.
- DNS Cache Poisoning Attacks -
Oxygen3 24h-365d, by Panda Software
Madrid, April 11, 2005 - "@RISK" (the SANS community's consensus
bulletin) has reported a problem in the default configuration of the
DNS servers in the DNS system in Windows NT and Windows 2000 (prior
to SP3). Other configurations are also reportedly vulnerable and
SANS Internet Storm Center (ISC) has been actively analyzing reports
of large-scale DNS cache poisoning attacks. By carrying out this type
of attack, the attacker can redirect traffic for legitimate domains
(for example, windowsupdate.com) to an IP address controlled by the
attacker. The attacks have been used to redirect popular domains
belonging to certain financial, entertainment, travel, health and
software companies to the attackers' servers in order to install
malware on users' systems.
Microsoft has published an article KB241352 that describes how to
configure a registry key on Windows 2000 (prior to SP3) and NT 4.0
(SP4 and later) to harden a DNS server's configuration. It is
recommendable to upgrade to version 9.x in order to forward DNS
servers running BIND. It is also recommendable to upgrade to Windows
2000 (SP3 or later) and Windows 2003 for Windows DNS servers, as
these versions offer protection against cache poisoning attacks in
their default configuration.
More information at
http://isc.sans.org/presentations/dnspoisoning.php and at
NOTE: The addresses above may not show up on your screen as single
lines. This would prevent you from using the links to access the web
pages. If this happens, just use the 'cut' and 'paste' options to
join the pieces of the URL.
Report from the Internet Weather Service,
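The hardening the bulletin recommends (a registry setting on older Windows DNS servers, or the default behaviour of newer Windows and BIND 9.x releases) boils down to a bailiwick check: a resolver only caches records that fall inside the zone the answering server is authoritative for, so a reply for one domain cannot smuggle in an address record for windowsupdate.com. The following is an added toy illustration of that check, not code from this post, Panda Software, SANS ISC or Microsoft; the zone names, the 192.0.2.x documentation addresses and the response contents are all constructed.

```python
"""Toy resolver cache showing why an in-bailiwick check stops cache poisoning.
Constructed example: names, addresses and records are made up for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """A minimal DNS resource record."""
    name: str
    rtype: str
    data: str
    ttl: int = 3600


@dataclass
class Response:
    """A minimal DNS response: the question name plus answer/additional sections."""
    qname: str
    answers: list
    additional: list


def in_bailiwick(rr_name: str, zone: str) -> bool:
    """True if rr_name is the zone apex or a name below it (case-insensitive)."""
    rr = rr_name.rstrip(".").lower()
    z = zone.rstrip(".").lower()
    return rr == z or rr.endswith("." + z)


class ResolverCache:
    """Caches records from responses; with secure_responses=True it drops
    any record outside the zone the answering server was asked about."""

    def __init__(self, secure_responses: bool = True):
        self.secure_responses = secure_responses
        self.records = {}

    def ingest(self, resp: Response, server_zone: str):
        """Store records from resp; returns (accepted, rejected) lists."""
        accepted, rejected = [], []
        for rr in resp.answers + resp.additional:
            if self.secure_responses and not in_bailiwick(rr.name, server_zone):
                rejected.append(rr)          # out-of-bailiwick: likely pollution
                continue
            key = (rr.name.rstrip(".").lower(), rr.rtype)
            self.records[key] = rr
            accepted.append(rr)
        return accepted, rejected

    def lookup(self, name: str, rtype: str = "A"):
        rr = self.records.get((name.rstrip(".").lower(), rtype))
        return rr.data if rr else None


def poisoned_response() -> Response:
    """Constructed reply from a server authoritative for rogue.test whose
    additional section carries an unrelated A record for windowsupdate.com."""
    return Response(
        qname="www.rogue.test",
        answers=[RR("www.rogue.test", "A", "192.0.2.10")],
        additional=[
            RR("ns1.rogue.test", "A", "192.0.2.11"),        # legitimate glue
            RR("windowsupdate.com", "A", "192.0.2.66"),     # the poison record
        ],
    )


def demo() -> dict:
    """Feed the same response to an unprotected and a protected cache."""
    resp = poisoned_response()
    results = {}
    for label, secure in (("insecure", False), ("secure", True)):
        cache = ResolverCache(secure_responses=secure)
        _, rejected = cache.ingest(resp, server_zone="rogue.test")
        results[label] = {
            "windowsupdate_a": cache.lookup("windowsupdate.com"),
            "www_rogue_a": cache.lookup("www.rogue.test"),
            "rejected": [rr.name for rr in rejected],
        }
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:8s} cache -> windowsupdate.com A = {outcome['windowsupdate_a']}, "
              f"rejected = {outcome['rejected']}")
```

Running it shows the unprotected cache handing out the planted 192.0.2.66 for windowsupdate.com while the protected cache keeps the legitimate www.rogue.test answer and discards the out-of-bailiwick record. The real check in production resolvers is more involved (it also consults the delegation chain and per-record credibility), but the principle is the one the post's upgrade advice turns on.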