DNS cache poisoning is the practice of corrupting a DNS server's cache by replacing the legitimate IP address stored for a domain name with an address chosen by the attacker. When a user's computer looks up that name, the server answers from the poisoned entry and the connection is redirected to the attacker's address instead of the real site. From there, a worm, spyware, a web browser hijacking program, or other malware can be downloaded to the user's computer.

The Domain Name System (DNS) stores and associates information with domain names; most importantly, it translates domain names (computer hostnames) to IP addresses. It also lists the mail exchange servers that accept e-mail for each domain.

DNS cache poisoning is a spoofing attack: it tricks a DNS server into accepting, as if it came from the legitimate source, information that was actually sent by an unauthorized third party. Normally a user's computer is configured to use a DNS server provided by the user's Internet Service Provider (ISP). That server generally serves only the ISP's own customers and holds a cache of answers from lookups made by previous users. A poisoning attack on a single ISP DNS server therefore affects every user who queries it directly and, if other servers forward their queries to it, the users of those downstream servers as well.

Because the poisoned entry is returned for every later lookup of the name, the attacker can substitute content of his own choosing for the content the user expected. For example, the attacker poisons the address entries for a specific web site on a DNS server, replacing them with the IP address of a server he controls. He then places files on that server with names matching those on the real site; these files could contain malware such as a worm or a virus. A user whose computer relies on the poisoned DNS server is tricked into thinking the content comes from the legitimate site and unknowingly downloads the malware.
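The mechanism described above, as an added example that is not part of the original page: a toy model of a caching resolver in Python. The message layout, the names, the IP addresses (TEST-NET ranges) and the "naive" resolver's predictable transaction ID and fixed port are all constructed for illustration. The hardened version applies the checks real resolvers use to resist forged replies, which the page does not describe: a random 16-bit transaction ID and random source port per query, a match on the question asked, and discarding records for names other than the one queried.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Query:
    txid: int   # 16-bit DNS transaction ID
    qname: str  # name being looked up
    port: int   # UDP source port the reply must be addressed to


@dataclass
class Response:
    txid: int
    qname: str  # question section echoed by the responder
    port: int   # UDP destination port of the reply
    answers: dict = field(default_factory=dict)  # name -> IPv4 address


class NaiveResolver:
    """Sequential txid, fixed source port, and it caches every record in any
    reply whose question matches an outstanding query."""

    def __init__(self):
        self.cache = {}
        self.pending = {}
        self._next_txid = 1

    def send_query(self, qname):
        q = Query(self._next_txid, qname, 53)
        self._next_txid += 1
        self.pending[qname] = q
        return q

    def receive(self, resp):
        if resp.qname not in self.pending:
            return False
        self.cache.update(resp.answers)   # no txid, port or bailiwick check
        del self.pending[resp.qname]
        return True


class HardenedResolver:
    """Random txid and source port per query; a reply must match both, and
    only records for the name actually asked about are cached."""

    def __init__(self):
        self.cache = {}
        self.pending = {}

    def send_query(self, qname):
        q = Query(secrets.randbits(16), qname, 1024 + secrets.randbelow(64512))
        self.pending[qname] = q
        return q

    def receive(self, resp):
        q = self.pending.get(resp.qname)
        if q is None or resp.txid != q.txid or resp.port != q.port:
            return False  # stale or forged: dropped without touching the cache
        in_bailiwick = {n: ip for n, ip in resp.answers.items() if n == q.qname}
        self.cache.update(in_bailiwick)
        del self.pending[resp.qname]
        return True


TARGET = "www.example.com"
OTHER = "www.bank.example"      # unrelated name the attacker also tries to plant
ATTACKER_IP = "203.0.113.66"    # constructed (TEST-NET-3) address
REAL_IP = "198.51.100.10"       # constructed (TEST-NET-2) address


def forged_reply(txid, port):
    """The attacker's spoofed reply: it answers the question with the
    attacker's server and smuggles in a record for a second name."""
    return Response(txid, TARGET, port, {TARGET: ATTACKER_IP, OTHER: ATTACKER_IP})


def poison_naive():
    """Attacker guesses txid 1 and port 53 blind; the naive cache takes it all."""
    r = NaiveResolver()
    r.send_query(TARGET)
    r.receive(forged_reply(1, 53))
    return r.cache


def attack_hardened():
    """The same blind guess is rejected (the port is never 53 here, and the
    txid is random); the genuine reply is then accepted.
    Returns (blind_guess_accepted, cache)."""
    r = HardenedResolver()
    q = r.send_query(TARGET)
    blind = r.receive(forged_reply(1, 53))
    r.receive(Response(q.txid, TARGET, q.port, {TARGET: REAL_IP}))
    return blind, r.cache


def leaked_ids_hardened():
    """If the attacker does learn txid and port, the queried name is still
    poisoned, but the out-of-bailiwick record is discarded."""
    r = HardenedResolver()
    q = r.send_query(TARGET)
    r.receive(forged_reply(q.txid, q.port))
    return r.cache


if __name__ == "__main__":
    print("naive cache     :", poison_naive())
    print("hardened        :", attack_hardened())
    print("hardened, leaked:", leaked_ids_hardened())
```

The third function is the honest caveat: transaction ID and port randomization only make a blind forgery expensive to guess; an attacker who can observe or brute-force them still poisons the queried name. Only the bailiwick check limits the damage to that one name, and only DNSSEC validation lets a resolver reject a forged answer on its own merits.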