Network World


Hackers start DNS attacks, researcher says

By Gregg Keizer , Computerworld , 07/30/2008

Hackers are now actively exploiting a critical flaw in the Domain Name System, but they're not using any of the already known exploits, said a researcher who crafted the first attack code to go public.

"We're seeing an entirely new technique," said HD Moore, the creator of the Metasploit penetration testing framework, who with a hacker identified as "I)ruid," published exploits last week for the vulnerability in the Internet's routing system.

Late yesterday, Moore reported that he had found a compromised DNS server operated by AT&T Inc. when employees at his company, BreakingPoint Systems, realized that they were being shunted to a bogus version of google.com. Since then, he said today, he's heard from others who also reported redirects from hacked DNS servers. "They're saying 'we've seen the same thing,' so now we're trying to figure out if we're seeing attacks on a wide scale or not."

Moore said the exploit that successfully attacked the AT&T server was not the same as the Metasploit attack code that he and I)ruid wrote, nor were any of the other public exploits. "It didn't have the signature of any of the public exploits," Moore said. "For example, the Metasploit code will either add an un-cached 'A' record or replace all 'NS' records with a malicious server. In this case, it seems like the attack replaced the address of the CNAME entry for www.1.google.com, which is something I have not seen before."
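The three change patterns Moore lists (an injected A record that was never cached, a replaced NS set, and a rewritten CNAME target) are exactly what a resolver operator would want to pick out when comparing a cache dump against known-good answers. The script below is an added example, not code from the article, from Moore, or from Metasploit: it parses two constructed zone-file style dumps (the `example.com` and `attacker.example` names, the `parse_dump` and `diff_cache` helpers, and the finding labels are all assumptions of this example) and classifies every entry that departs from the baseline.

```python
"""Flag resolver cache entries that differ from a known-good baseline.

Added example (not from the article or Metasploit): the three change patterns
HD Moore describes (an injected A record, replaced NS records, a rewritten
CNAME target) are classified from two constructed record dumps.
"""
from typing import Dict, List, Set, Tuple

Record = Tuple[str, str]        # (owner name, record type)
Cache = Dict[Record, Set[str]]  # rdata strings held per owner/type

# Constructed baseline: the answers the zone owner expects resolvers to hold.
BASELINE_DUMP = """
example.com.          3600 IN NS    ns1.example.com.
example.com.          3600 IN NS    ns2.example.com.
www.example.com.       300 IN CNAME www.cdn.example.com.
www.cdn.example.com.   300 IN A     192.0.2.10
"""

# Constructed snapshot of a resolver's cache exhibiting each pattern.
OBSERVED_DUMP = """
example.com.          3600 IN NS    ns.attacker.example.     ; NS set replaced
www.example.com.       300 IN CNAME www.attacker.example.    ; CNAME target rewritten
www.cdn.example.com.   300 IN A     192.0.2.10               ; unchanged
mail.example.com.      300 IN A     198.51.100.7             ; record not in baseline
"""


def parse_dump(text: str) -> Cache:
    """Parse zone-file style lines (name TTL class type rdata) into a Cache."""
    cache: Cache = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        name, _ttl, _cls, rtype, rdata = line.split(None, 4)
        # DNS names are case-insensitive, so normalise before comparing.
        key = (name.lower(), rtype.upper())
        cache.setdefault(key, set()).add(rdata.strip().lower())
    return cache


def diff_cache(baseline: Cache, observed: Cache) -> List[Tuple[str, str, str]]:
    """Return (name, type, finding) for each observed entry that departs from baseline."""
    findings: List[Tuple[str, str, str]] = []
    for (name, rtype), rdata in observed.items():
        expected = baseline.get((name, rtype))
        if expected is None:
            # An entry the zone never served: the "un-cached A record" pattern.
            findings.append((name, rtype, "new_record"))
        elif rdata != expected:
            if rtype == "NS":
                # Delegation points elsewhere: the "replace all NS records" pattern.
                findings.append((name, rtype, "ns_replaced"))
            elif rtype == "CNAME":
                # Alias target rewritten: the pattern seen on the AT&T server.
                findings.append((name, rtype, "cname_changed"))
            else:
                findings.append((name, rtype, "rdata_changed"))
    return sorted(findings)


if __name__ == "__main__":
    baseline = parse_dump(BASELINE_DUMP)
    observed = parse_dump(OBSERVED_DUMP)
    for name, rtype, finding in diff_cache(baseline, observed):
        print(f"{finding:14} {rtype:6} {name}")
```

In practice the baseline should be built from the zone's authoritative servers rather than typed by hand, and legitimate churn (CDN address rotation, planned NS changes) has to be allowed for before a `rdata_changed` or `ns_replaced` finding is treated as evidence of poisoning; a `cname_changed` or `new_record` finding on a name the zone never aliases is the stronger signal.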

Moore said he and others were trying to figure out where the exploit originated. "We're curious. It's not based on our code, so is there some kind of phishing kit out there that includes it?"

The compromised AT&T server was taken offline yesterday, Moore said, after he contacted BreakingPoint's ISP.

"The attack itself was not malicious, did not load malware, and from an operational standpoint, had zero impact," Moore said in a long post to the Metasploit blog Tuesday night. The attack, which seemed designed to generate ad revenue by steering users to the fake Google page -- which had ads hidden inside several IFRAMES -- was, said Moore, "a five minute annoyance" and little more.

To add to the problem of in-the-wild exploits, Moore said he suspects that far fewer systems have been patched than most reports have indicated. Saying that this was where he differed from Dan Kaminsky, the researcher who uncovered the flaw in February and helped coordinate a multi-vendor patch effort earlier this month, Moore said test results he had seen showed that approximately 75% of DNS servers have not been patched.
