10:19 PM

4 March 2005

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

Update at 23:40 UTC

There appear to be two issues at hand. The first is the DNS cache poisoning. At this time, it appears to be affecting Symantec firewalls with DNS caching. If you recall, there was a vulnerability back in July that made these products very susceptible to DNS cache poisoning. Some victims have responded that they applied the patch, but were still affected. So this could be a different vulnerability or the patch didn't work properly. Maybe someone at Symantec could enlighten us?

http://securityresponse.symantec.com/avcenter/security/Content/2004.06.21.html
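As an added illustration (not part of the ISC diary or this blog), here is a small Python check a resolver operator could run over captured DNS replies. It parses a response and flags the two things a poisoning attempt typically relies on: a transaction ID that does not match the outstanding query, and records whose owner names fall outside the zone being asked about (out-of-bailiwick records, which a caching resolver should refuse to cache). The sample messages, the RFC 2606 example names and the `check_response` helper are constructed for this example; nothing here describes how Symantec's products actually behave.

```python
import struct
from typing import Dict, List, Tuple

A, NS = 1, 2  # record types used in the constructed samples


def _build_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (lowercase name, offset after it)."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off, hops = True, ptr, hops + 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), end


def _read_rr(msg: bytes, off: int):
    name, off = _read_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
    off += 10
    return (name, rtype, ttl, msg[off:off + rdlen]), off + rdlen


def parse_response(msg: bytes) -> Dict:
    """Split a DNS message into header fields, question and the three RR sections."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off, questions = 12, []
    for _ in range(qd):
        qname, off = _read_name(msg, off)
        qtype, _qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        questions.append((qname, qtype))
    sections = {}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            rr, off = _read_rr(msg, off)
            rrs.append(rr)
        sections[key] = rrs
    return {"id": txid, "flags": flags, "questions": questions, **sections}


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is the zone apex or lies beneath it."""
    return name == zone or name.endswith("." + zone)


def check_response(msg: bytes, expected_id: int, expected_qname: str, zone: str) -> List[str]:
    """Return a list of findings; an empty list means the reply passed every check."""
    resp, findings = parse_response(msg), []
    if resp["id"] != expected_id:
        findings.append(f"txid mismatch: got {resp['id']:#06x}, expected {expected_id:#06x}")
    if not resp["flags"] & 0x8000:
        findings.append("QR bit not set: not a response")
    if not resp["questions"] or resp["questions"][0][0] != expected_qname:
        findings.append("question section does not echo our query")
    for section in ("answer", "authority", "additional"):
        for name, rtype, _ttl, _rdata in resp[section]:
            if not in_bailiwick(name, zone):
                findings.append(f"{section}: out-of-bailiwick record for {name} (type {rtype})")
    return findings


def build_response(txid: int, qname: str, rrs, flags: int = 0x8180) -> bytes:
    """Assemble a constructed reply from (section, owner, type, ttl, rdata) tuples."""
    by_section = {s: [r for r in rrs if r[0] == s] for s in ("answer", "authority", "additional")}
    msg = struct.pack("!HHHHHH", txid, flags, 1, *(len(by_section[s]) for s in by_section))
    msg += _build_name(qname) + struct.pack("!HH", A, 1)
    for _sec, owner, rtype, ttl, rdata in sum(by_section.values(), []):
        msg += _build_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg


def _ip(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


# Constructed samples (RFC 2606 names, documentation IP ranges).
CLEAN = build_response(0x1234, "www.example.com", [
    ("answer", "www.example.com", A, 300, _ip("192.0.2.10")),
    ("authority", "example.com", NS, 3600, _build_name("ns1.example.com")),
    ("additional", "ns1.example.com", A, 3600, _ip("192.0.2.53")),
])
# Same answer, but the additional section smuggles in an A record for a name
# outside example.com; a resolver that caches it has been poisoned.
POISONED = build_response(0x1234, "www.example.com", [
    ("answer", "www.example.com", A, 300, _ip("192.0.2.10")),
    ("additional", "www.example.net", A, 86400, _ip("198.51.100.7")),
])

if __name__ == "__main__":
    for label, pkt in (("clean", CLEAN), ("poisoned", POISONED)):
        print(label, check_response(pkt, 0x1234, "www.example.com", "example.com"))
```

Run stand-alone it reports no findings for the clean reply and one out-of-bailiwick finding for the poisoned one. The same function run against replies captured in front of a caching firewall is a cheap way to tell whether "patched but still affected" means unsolicited records are still being accepted.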

The second issue is the ABX toolbar spyware that gets loaded onto the machine when visiting the target servers. This appears to happen using an ActiveX control. Users running Windows XP SP2 or a web browser that does not support ActiveX will probably not get hit with the spyware if they visit the server.

Unfortunately, information on the ABX toolbar spyware is very limited at this time and it doesn’t seem to be detected yet by the normal toolset of spyware/antivirus tools.

In the meantime, we have been working to get the IP addresses and DNS servers supporting this attack shut down. Some of the IP addresses are already blackholed.

This is: brett's logjam → March 4, 2005.