Major DNS hijacking affecting major websites, including avira.com (Update)

Today, October 8th 2013, at 12:15 CET+2, we experienced a major disruption in our DNS service.

It appears that several websites of Avira, as well as those of other companies, have been compromised by a group called KDMS. The Avira websites themselves have not been hacked; the attack happened at our Internet Service Provider, “Network Solutions”.

What happened?

The DNS records of various websites, including those of Avira, were changed to point to other domains that do not belong to Avira.

It appears that the account we use to manage our DNS records at Network Solutions received a fake password-reset request, which the provider honored. Using the new credentials, the cybercriminals were able to change the entries to point to their DNS servers.

Our internal network has not been compromised in any way. As a security measure, we have shut down all external services until we have regained control of all DNS entries.

Our products were not affected at any point, including the update servers for product and detection updates. These servers are not registered at Network Solutions.

We can assure all our partners and customers that no data of any kind (customer data, source code, etc.) has been stolen during this incident.

No malicious code was delivered to visitors of the website, either by direct download or by drive-by download.

What are the next steps?

We are working with the ISP to regain control of the domain name, and we will restore access to the Avira services only once the problem has been solved.

At this point, we are not aware of any effect on our customers.

Update:

October 8th 23:15 CET+2

The DNS settings have been restored. We will continue to restore all our services in the coming hours.

Sorin Mustaca

IT Security Expert