Scam artists are manipulating the Internet's directory service and taking advantage of a hole in Symantec products to trick Internet users into installing adware and other programs on their computers.
Customers who use older versions of Symantec's Gateway Security Appliance and Enterprise Firewall are being hit by so-called DNS poisoning attacks which direct people looking at popular sites such as Google or eBay to malicious Web pages where unwanted programs are installed onto their PC.
According to Johannes Ullrich, chief technology officer at The SANS Institute's Internet Storm Center (ISC), the attacks, which began at the end of last week may be one of the largest to use DNS poisoning.
Symantec issued an emergency patch for the DNS hole on Friday, but has yet to respond to requests for more information.
The Domain Name System is a global network of computers that translates requests for reader-friendly Web domains into the numeric IP addresses that machines on the Internet use to communicate.
In DNS poisoning attacks, malicious hackers take advantage of a feature that allows any DNS server that receives a request about the IP address of a Web domain to return information about the address of other Web domains.
For example, a DNS server could respond to a request for the address of www.yahoo.com with information on the address of www.google.com, or www.amazon.com, even if information on those domains was not requested. The updated addresses are stored by the requesting DNS server in a temporary listing, or cache, of Internet domains and used to respond to future requests.
In poisoning attacks, malicious hackers use a DNS server they control to send out erroneous addresses to other DNS servers. Internet users who rely on a poisoned DNS server to manage their Web surfing requests might find that entering the URL of a well-known website directs them to an unexpected or malicious Web page, Ullrich said.
Some Symantec products, such as the Enterprise Security Gateway, include a proxy that can be used as a DNS server for users on the network that the product protects. That DNS proxy is vulnerable to the DNS poisoning attack, Symantec said Friday in an article on its website.
Symantec's Enterprise Firewall Versions 7.04 and 8.0 for Windows and Solaris have the DNS poisoning flaw, as do versions 1.0 and 2.0 of the company's Gateway Security Appliance, Symantec said.
Some Web users had requests for sites such as google.com directed to attack Web pages that attempted to install the ABX toolbar, a search toolbar and spyware program that displays pop-up ads, Ullrich said.
The DNS poisoning attacks were easy to detect because websites involved in the attack do not mimic the sites that users were trying to reach, Ullrich said. However, DNS poisoning could be a potent tool for online identity thieves who could set up phishing sites identical to say Google or eBay, but secretly capture user information, he said.