July 30th, 2008

HD Moore pwned with his own DNS exploit, vulnerable AT&T DNS servers to blame

Posted by Dancho Danchev @ 8:08 am

Categories: Black Hat, Exploit code, Hackers, Metasploit

Tags: Google Inc., DNS, DNS Server, AT&T Corp., Server, Domain Names, Networking, Internet, Dancho Danchev

A week after |)ruid and HD Moore release part 2 of DNS exploit, HD Moore’s company BreakingPoint has suffered a traffic redirection to a rogue Google site, thanks to the already poisoned cache at AT&T servers to which his company was forwarding DNS traffic :

“It happened on Tuesday morning, when Moore’s company, BreakingPoint had some of its Internet traffic redirected to a fake Google page that was being run by a scammer. According to Moore, the hacker was able to do this by launching what’s known as a cache poisoning attack on a DNS server on AT&T’s network that was serving the Austin, Texas area. One of BreakingPoint’s servers was forwarding DNS (Domain Name System) traffic to the AT&T server, so when it was compromised, so was HD Moore’s company. When Moore tried to visit Google.com, he was actually redirected to a fake page that served up a Google page in one HTML frame along with three other pages designed to automatically click on advertisements.”

Moreover, last month, before the latest DNS cache poisoning vulnerability and exploits started taking place,  Metasploit Project’s site was temporarily hijacked through ARP poisoning, perfectly demonstrating that old-fashioned DNS attacks remain intact.

UPDATE: HD Moore’s explanation of the situation, and the impact of the attack that took place :

“Most of the facts of the article are correct. I have no problem detailing the attack, how it worked, and how we detected and resolved it. I am careful about the wording, because I want to be clear that while this type of attack can be serious, in this case it was a five minute annoyance that was designed as a revenue generator for the folks who launched it (click-through advertisement revenue). No systems were been compromised, no data was stolen, and most importantly, the target of the attack was the ISP, not the company that I work for. Stating that my company was “compromised” leads the reader to believe that there was some sort of security breach, which is reinforced by the fabricated quote.”