
Hijacked DNS servers could allow an Internet assault

By Bill Brenner, Senior News Writer
31 Oct 2007 | SearchSecurity.com

Security Wire Daily News

Roger Thompson, chief technology officer of New Kingstown, Penn.-based Exploit Prevention Labs, has had a long career in the security business. In 1987, he co-founded the first Australian antivirus company, Leprechaun Software, and launched Virus Buster. After moving to the United States, he started Thompson Network Software, which developed The Doctor range of products, and for a time he was director of malicious content research at CA. At Exploit Prevention Labs he has most recently been tracking the Storm malware threat, as well as the prospect that attackers could someday control a piece of the Internet by hijacking enough DNS servers. In this Q&A he discusses the threats he is most concerned about and what IT professionals can do to protect their networks.

What are the most worrisome threats right now?

Roger Thompson: The single biggest threat is really something that's far out at the moment, and that's the prospect of the bad guys owning so many DNS servers that they can control part of the Internet. The single most dangerous thing at the moment is the overtly criminal activity based out of Russia.

When you say long-term for the DNS threat, are you talking two years or more like five?
Thompson: I'd say about two years.

Could you give an example of the damage that could result from this threat?
Thompson: If they have enough DNS servers they could more easily launch pharming and man-in-the-middle attacks. I'm not sure how many DNS servers they control now, but I think it's more than some might suggest.
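A defender-side check inspired by the resolver-hijacking scenario above, as an added example that is not part of the original article: it flags any resolver a host is configured to use that is outside an allow-list, and any answer for a domain that falls outside the netblocks its owner publishes. Every address, the allow-list and the netblock are constructed assumptions.

```python
"""Pharming checks: unapproved resolvers and off-netblock answers (constructed)."""
from __future__ import annotations
import ipaddress

# Constructed sample of a host's resolver configuration, in /etc/resolv.conf
# form. 198.51.100.53 plays a rogue resolver pushed by a compromised router.
SAMPLE_RESOLV_CONF = """\
# generated by DHCP
search corp.example
nameserver 10.0.0.53
nameserver 198.51.100.53
"""

# Hypothetical allow-list of the organisation's sanctioned resolvers.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed A-record answers for one hostname from several resolvers; the
# rogue one answers with an address outside the owner's published netblock.
SAMPLE_ANSWERS = {
    "10.0.0.53": {"203.0.113.10", "203.0.113.11"},
    "8.8.8.8": {"203.0.113.10", "203.0.113.11"},
    "198.51.100.53": {"192.0.2.66"},
}
EXPECTED_NETBLOCKS = ["203.0.113.0/24"]  # assumed owner netblocks


def parse_nameservers(resolv_conf: str) -> list[str]:
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def unapproved_resolvers(resolv_conf: str, approved: set[str]) -> list[str]:
    """Resolvers the host is configured to use that are not on the allow-list."""
    return [s for s in parse_nameservers(resolv_conf) if s not in approved]


def divergent_resolvers(answers: dict[str, set[str]], netblocks: list[str]) -> dict[str, set[str]]:
    """Map each resolver to the answers it gave outside the expected netblocks."""
    nets = [ipaddress.ip_network(n) for n in netblocks]
    bad: dict[str, set[str]] = {}
    for resolver, ips in answers.items():
        outside = {ip for ip in ips if not any(ipaddress.ip_address(ip) in n for n in nets)}
        if outside:
            bad[resolver] = outside
    return bad
```

Run against live data, the same two functions take the host's real resolv.conf text and answers gathered from each resolver in turn; a non-empty result from either is the signal to investigate the resolver, not the destination.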

One of the biggest stories this year has been the ongoing Storm malware assault. What's the most significant aspect of the threat based on your own research?
Thompson: What's happening is that the bad guys have decided they can make more money building botnets and selling them. The Storm guys had been setting up a new lure page and spam run each week to trick people into downloading the malware. They were really active and then they suddenly stopped. I looked at that and thought that this couldn't be good. They must be getting ready for something new. Then we found they were starting to use an encryption key. The best reason to do that is so only other machines using the same key would talk to each other, which means the botnet can be broken up and sold. When you have 300,000 nodes in a botnet that's virtually impossible to control.

So it makes sense to have smaller, more nimble botnets?
Thompson: Yes, unless you're doing click fraud. But you can still send an awful lot of spam using a smaller botnet.

Are some of these smaller botnets behind the recent pump-and-dump spam runs in which malicious .mp3 and .pdf files have been used?
Thompson: I don't associate these spam runs with Storm specifically, but there's no doubt the Storm botnet is being broken up.

If you're an IT administrator, what can you do as a countermeasure to these threats?
Thompson: You could be DDoSed [hit with a distributed denial of service] and there's not much you can do about it, but you really want to make sure your machines aren't part of the problem. The very best way is to patch. But if you can't patch -- and some can't -- you need some sort of Web filtering product. Do that and you're going to be pretty safe. The other issue, though, is social engineering using the fake codec programs. If someone is tricked by social engineering, the patches won't be of any help, and so you need to educate the user so they don't become a victim.
