Hijacked DNS servers could allow an Internet assault

By Bill Brenner, Senior News Writer
31 Oct 2007 | SearchSecurity.com

Security Wire Daily News

Roger Thompson, chief technology officer of New Kingstown, Penn.-based Exploit Prevention Labs, has had a long career in the security business. In 1987, he co-founded the first Australian antivirus company, Leprechaun Software, and launched Virus Buster. After moving to the United States, he started Thompson Network Software, which developed The Doctor range of products, and for a time he was director of malicious content research at CA. At Exploit Prevention Labs he has most recently been tracking the Storm malware threat, as well as the prospect that attackers could someday control a piece of the Internet by hijacking enough DNS servers. In this Q&A he discusses the threats he is most concerned about and what IT professionals can do to protect their networks.

What are the most worrisome threats right now?

Roger Thompson: The single biggest threat is really something that's far out at the moment, and that's the prospect of the bad guys owning so many DNS servers that they can control part of the Internet. The single most dangerous thing at the moment is the overtly criminal activity based out of Russia.

When you say long-term for the DNS threat, are you talking two years or more like five?
Thompson: I'd say about two years.

Could you give an example of the damage that could result from this threat?
Thompson: If they have enough DNS servers they could more easily launch pharming and man-in-the-middle attacks. I'm not sure how many DNS servers they control now, but I think it's more than some might suggest.

One of the biggest stories this year has been the ongoing Storm malware assault. What's the most significant aspect of the threat based on your own research?
Thompson: What's happening is that the bad guys have decided they can make more money building botnets and selling them. The Storm guys had been setting up a new lure page and spam run each week to trick people into downloading the malware. They were really active and then they suddenly stopped. I looked at that and thought that this couldn't be good. They must be getting ready for something new. Then we found they were starting to use an encryption key. The best reason to do that is so only other machines using the same key would talk to each other, which means the botnet can be broken up and sold. When you have 300,000 nodes in a botnet that's virtually impossible to control.

So it makes sense to have smaller, more nimble botnets?

Thompson: Yes, unless you're doing click fraud. But you can still send an awful lot of spam using a smaller botnet.

Are some of these smaller botnets behind the recent pump-and-dump spam runs in which malicious .mp3 and .pdf files have been used?
Thompson: I don't associate these spam runs with Storm specifically, but there's no doubt the Storm botnet is being broken up.

If you're an IT administrator, what can you do as a countermeasure to these threats?
Thompson: You could be DDoSed [hit with a distributed denial of service] and there's not much you can do about it, but you really want to make sure your machines aren't part of the problem. The very best way is to patch. But if you can't patch -- and some can't -- you need some sort of Web filtering product. Do that and you're going to be pretty safe. The other issue, though, is social engineering using the fake codec programs. If someone is tricked by social engineering, the patches won't be of any help, and so you need to educate the user so they don't become a victim.

