Slashdot Mirror

← Back to Stories (view on slashdot.org)

DNS Cache Poisoning Spreads Malware

Posted by timothy on from the cold-hard-cache dept.

Gamma_UCF writes "As of April 4, 2005 the SANS Internet Storm Center has raised their alert level to Yellow following a rash of active DNS poisonings. The infected DNS servers are re-directing users from popular sites such as Google or American Express to malware infecting advertising sites. According to the ISC presentation on the attack, it is believed to be linked to known spammers and malware distributors. The full presentation of information up until this point can be found here."

5 of 314 comments (clear)

  1. Re:colored alerts by delta_avi_delta · · Score: 4, Interesting

    You know the British secret service use color coded bikini's for terror alert levels. Black-Special Bikini has got to be the coolest alert level around :)

  2. Re:April Fools Idea by dAzED1 · · Score: 3, Interesting

    the mod adjectives have needed to be changed for years. What do you do when someone isn't flamebait or trolling, they simply don't know what they're talking about? Mod them "overrated?" But what if they're only a 1 or 2? There are other problems. I generally have a pretty damn hard time modding most posts. I don't know how I spent as many points as I used to have.

  3. Re:April Fools Idea by afd8856 · · Score: 3, Interesting

    I also had your problem. I've decided to give up on moderation and read slashdot at -1
    There are a lot of interesting things to be said at that level, too :)

    --
    I'll do the stupid thing first and then you shy people follow...
  4. SANS vs. the rest of the security community. by tsu+doh+nimh · · Score: 5, Interesting
    Washingtonpost.com is running an interesting story about how SANS is really the only major player in the security community that is making any noise about this.

    ...(snip..)

    ...."But here's the rub: Symantec Corp., which maintains tens of thousands of "sensors" at various points around the Internet to pick up signs of Internet attacks, said it isn't seeing anything out of the ordinary with DNS attacks.

    Dave Kennedy, director of research services at Herndon, Va.-based Cybertrust (formerly TruSecure), had this to say about the reports: "It's been nearly a month since SANS started ringing their alarm bells over this and maybe I'm not looking in the right places, but I'm grading this as hype until I see some independent support."

    Russ Cooper, Cybertrust's chief technologist, put it this way: "In my opinion, our industry's creditiblity comes from further reports from multiple sources. We run a very large operation worldwide, and we've looked for signs of what SANS is talking about, but we're just not seeing it."

    All of this may seem like an academic debate to those who claim to have been victimized by these attacks.

    On March 24, Ken Goods, a computer network administrator for a mid-sized insurance company in Idaho, learned that the company's DNS servers had been attacked when employees began reporting that their Internet browsers were being redirected to a Web site hawking generic Viagra and other prescription drugs.

    "I kept trying to go to Google to research the problem, but even though my Web browser said I was at Google.com, the only content that showed up was this pharmacy site," said Goods, who asked that his employer not be named because the company is still in the process of fixing the problem.

    John, a systems administrator for a major U.S.-based manufacturing company, said a DNS poisoning attack like the one SANS described last month led to Internet problems for roughly 8,000 of his company's 20,000 employees. John asked that his surname and employer's identity be omitted from this story because the company is trying to determine if it is still vulnerable.

    In the following weeks, several more attacks ensued that sent victims at John's company to Web sites advertising penis-enlargement pills.

    Marcus Sachs, director of SANS and a former White House cyber-security adviser, said the security industry's response to their alerts about the attacks has been little more than a collective "yawn." Meanwhile, Sachs said, it appears the Internet connection at a San Diego hotel where the organization is holding its annual conference this week also was hit with a poisoning attack (the guy at the hotel who handles Web site security hasn't yet returned my calls.)

    "People are waving this off and saying 'This is nothing new, we've seen this kind of thing before, let's move on.' But the consensus amongst the SANS folks is that something doesn't feel right here, and that there's more to this story than meets the eye. We feel like there's something deeper going on here, but the fact is there are not a lot of people out there in the security industry who are willing to dig deep and get to the bottom of this."

    --
    ...because you never know who you're dealing with.
  5. Study shows it could be much worse... by Timothy1965 · · Score: 3, Interesting
    A group of researchers at Cornell looked at the DNS poisoning problem (article here) and found that
    • many names were vulnerable to DNS poisoning because they depended on lots of nameservers. Some names in some country-code TLDs, like the Ukraine, were depending on 600+ nameservers.
    • some key nameservers controlled a large portion of the namespace. Compromise one of those nameservers, and you can hijack a lot of domains.
    • some crucial names were not protected well. For instance, fbi.gov could be hijacked!


    Easy way to get on the FBI's most wanted list. You try to hijack fbi.gov, and you'll end up on the most wanted list even if you fail.