Brazilian ISPs Hit With Massive DNS Attack

wiredmikey writes "Millions of people in Brazil have potentially been exposed to malware, as a result of a nationwide DNS attack. Additionally, several organizations in Brazil are reporting that network devices are also under attack. After being compromised remotely, scores of routers and modems had their DNS settings altered to redirect traffic. In those cases, when employees of the affected companies tried to open any website, they were asked to execute a malicious Java applet, which would install malware presented as 'Google Defence' software."

After all...

[inexia]

You're just another BRIC in the wall.

Re:

[nazsco]

The only clever joke here and no score...

also, or that was a inside job because of a cyber crime bill to be voted there soon, or china decided to take easier targets.

Creating a massive botnet?

[randomErr]

Sounds like someone is creating a massive botnet for something much bigger or just putting out a warning message. They question is what?

Re:

[RandomFactor]

What is doubtless money, and someone is in jail already.

Insider jobs at ISPs have always had a lot of potential reach and this demonstrates that.

Re:

[ackthpt]

Sounds like someone is creating a massive botnet for something much bigger or just putting out a warning message. They question is what?

Perhaps they want to try to create bots to replace the large number they have been losing of late. e.g. [slashdot.org]

Re:

[Smallpond]

My mail server blocks many .br addresses due to the constant spam, but br is no worse than .ar, .cn, or .pl. Maybe someone is sending a message. Though I can't imagine anybody getting that worked up over email spam these days; maybe 10 years ago.

Re:

[Zontar The Mindless]

Shhhhhh! Talar man om trollen, så står de i farstun!

Re:

[Smallpond]

Nothing Just the Polish ISP tpnet.pl generates massive spam.

Re:

[Anachragnome]

"Sounds like someone is creating a massive botnet for something much bigger or just putting out a warning message. They question is what?"

This quote from the first of the linked articles might provide a possible answer...

"We advise all affected users to update antivirus and all software in the computer (such as Java), also change the DNS configuration to other providers (such as Google DNS)...."

Google using their own name in the Trojan would, in my mind, be a masterful example of misdirection--nobody would

The modern world sucks.

[orphiuchus]

Computers may be twice as fast as they were in 1973, but I would kill to go back and live in a time where you had to actually break into my house to steal from me.

Re:

[ackthpt]

Before banks?

Before governments?

Re:

[Tsingi]

Before banks?

Before governments?

Before corporations?

Re:The modern world sucks.

[Lennie]

I've noticed a pattern.

Usually I like companies better if they are not publicly traded at the stock market.

Publicly trading companies always seem to much focused on the short term.

Re:

[lgw]

Yes, those evil corporations. They offer me products I want at prices I am willing to pay and that's just the same as stealing. It's totally evil.

Re:

[lister king of smeg]

i would mod you up if i had the points

Re:

[Dionysus]

Don't you know, stuff I want wants to be free!!

Re:

[imric]

That can't be! Corporations are guided by a magic invisible hand so that everything they do is beneficent! And if one does something that has negative effects by accident, the magic invisible hand gently guides them back onto the track of truth! Have a little Faith, man! Any human tragedy that happens while the magic invisible hand does it's work is surely an acceptable loss that only does good to all of us in the long run!

VonMises, Cato and CEI forever, A-men.

Now bend over for your blessings from the K

Re:

[rubycodez]

Fraud and forgery are very old problems, don't need a computer for them.

Twice as fast? The 0.3 MIPS 8080 vs. a thousands or tens of thousands of MIPS per core processor of today is a much bigger jump. Or we could talk about retrieval speed of 9 track (125 kbytes / sec) vs. Ultrium LTO-5 ( 140 mbytes / second)

Re:

[rubycodez]

I can't believe you wasted your life typing that. bored?

Re:

[orphiuchus]

Doesn't "twice as fast in 1973" seem awfully specific to any of you *woosh* victims?

Re:

[Hentes]

If you left your door wide open you would have been robbed even back then.

Re:

[Anonymous Coward]

Still the case. Or did the files suddenly disappear from your box?
Information is not a physical object, and hence can not be owned, stolen or sold. Sorry if the media Mafia bullshitted you into believing them. :-/
If you start to think about information in the right way, you will realize that it's about who you pass information on to and how much you trust them.

In this case, somebody trusted those routers way too much, as this wasn't exactly expected.

But if you only give access to or copy your data to people

Re:

[LordWabbit2]

Fvck that, downloading pron at 28.8k sucked.

Re:

[Ramin_HAL9001]

You can do that without killing anyone right this minute. Just unplug your computer from the Internet, and from now on just buy all of your software on CD's or on memory sticks from people who can afford security. Rent videos from the video store instead of watching YouTube. Go to the public library to use e-mail. And never ever use a credit card. Always pay with cash, always withdrawn from the bank by a human bank teller, not an ATM.

Then, you can use can use your computer and any other non-internet connec

Well I guess...

[Anonymous Coward]

someone was not happy with the Conrad Murray verdict!

Re:

[UnknowingFool]

Or the horrifying possibility that Justin Bieber might have fathered a child.

Re:

[ackthpt]

I'm in Sao Paulo, Brazil's largest city, and didn't see any problem. Nor did I see anything reported in local media.

Keep in mind, a DNS attack could be re-routing all your traffic through a server where it's being screened for goodies - best to be paranoid in these instances than assume it's not happening to you.

Re:

[icebraining]

Not HTTPS traffic, though, at least not unless they've had access to a CA cert too.

Re:

[marcosdumay]

At Brasilia (not a small city, but smaller) I've seen nothing either. The first time I've heard about the attack is here.

Re:

[hrimhari]

Here. [cadaminuto.com.br]

Looks pretty fresh, so that would explain the lack of coverage. Also, the DNS cache poisoning don't seem to be confirmed yet, only the home router cracking. And the guy who went to jail for being paid to change DNS settings is from a small (?) country town, so the reach of this damage might be negligible country-wise.

Holy shit that's massive!

[Bogtha]

How many is a brazilian?

Re:

[TWX]

A Brazilian is how many people got attacked, silly!

You just don't know your SI units because you're probably American. They're well versed in them in South America...

Re:

[aussie.virologist]

How many is a brazilian?

Apparently you remove all the 111111111111111111111's and you are left with lots of Oh's

Re:

[rubycodez]

were their dark fibers rooted?

Bad Sportsmanship

[Bitsy Boffin]

A ruthless minority of people seems to have forgotten good old fashioned virtue.

If these people would just play the game, they'd get a lot more out of life.

Ministry of Information, Deputy Minister, Eugene Helman

Brazilian DNS attack may be political manoeuver

[Anonymous Coward]

A sweeping bill on cybercrime is due to be voted this week in the Brazilian Congress. The bill caters to banks and other big service providers, but is opposed by most other informed citizens, including the Brazilian Internet managers. The bill has been floored several times in the past few years, but every time was retracted due to fierce opposition. Last time that bill was up for voting there was a wave of hacker attacks to government and politicians' sites a few days before the expected voting date. Those attacks were widely believed to be an attempt by supporters to sway the vote of congressmen in favor of the bill. This attack is more serious but its timing strongly indicates that it has the same motivation.

Re:

[lvxferre]

The ISPs were GVT and Oi (source [tecnoblog.net]).
Actually, for me, this is kinda funny - I use Oi, but I only saw about this DNS poisoning here in Slashdot... no changes, no malware warning, nothing.

Another info

[lvxferre]

Oi's DNS default poisoning (an unwanted "custom search" instead of 404 error page) is sadly working as usual.

that awkward moment

[hagnat]

when you get news about your own country first in an international news site

Re:

[lvxferre]

When you know that Slashdot has better news for geeks than Terra and UOL.

Re:

[nazsco]

nationwide DNS attack is news for 'geeks'?!?

brazil is the country with most widespread internet banking. Here in the US credit cards doesn't even have a chip! and most bills came with a pre-addressed envelope for you to send a ... gasp... check!

Re:

[d4fseeker]

So you prefer the good old-fashioned swipe with signature which you could easily -in theory- claim to be faked?
Well I guess you'd prefer to pay with your mobile phone... full of potential spy- or adware...

Re:

[metrix007]

read up on chip and pin. It has shown to be insecure time and time again. It is just a way for the banks to shift liability.

Re:

[SeaFox]

In your defense, maybe you couldn't reach any local news outlets online because of a DNS problem.

Re:

[lvxferre]

The attacks are being directed at the routers, not the ISPs.
Most Brazilian ISPs use a "borrow my router" (we call it comodato) system, where the client uses ISP's router instead of his own.
The thing is... these routers are configured with a default password and most users don't know/want to change it.
So, no, no peace in MMOs... and as a side note, even being Brazilian, I must agree with you: Brazilian MMO players are fcking annoying, worse if you do know Portuguese.

1997 is calling they want their exploit back ..

[microphage]

A history of DNS Violence [umich.edu]

Massive misinformation

[Altieres Rohr]

I'm the Brazilian journalist who first reported on this issue [globo.com].

These attacks are not massive. They are happening in a server each time, and the ISPs use many different servers. As such, the number of affected victims each time is small. However, it is true they are ongoing. ISPs and users need to take action now and protect their DNSs and home routers, respectively, though ISPs are also to blame because they use the same password for the default configuration on every router. Plus, user complaints can be fou