By Erik Larkin
PC World, 04/22/05
An insidious new Internet attack that hijacks a victim's Internet connection and stealthily installs a barrage of adware and spyware is targeting businesses and organizations across the U.S.
The two-pronged attack, which has been ongoing since early March, has afflicted an estimated 20,000 computers, according to Ken Dunham, director of malicious code at IDefense, a Virginia-based Internet security company.
It starts with an assault known as DNS poisoning: Domain name system servers, which guide Internet traffic, are fooled into directing anyone heading to any .com Web site - for example, www.cnn.com or www.americanexpress.com - to a malicious Web site that the attackers control. That Web site then surreptitiously installs a wide range of adware and spyware on the victim's computer.
Companies suffer from the attack in a number of ways. First, the Internet connection for anyone using the poisoned DNS server - often the entire company in the case of smaller businesses - is completely disrupted. All Web traffic and e-mail trying to go to any .com site gets hijacked for as long as the DNS server remains compromised.
Even after the DNS server is fixed, the company has to clean the adware and spyware from any affected computers, an onerous task that can keep IT people like David Parsons, who supports about 7000 people in his help desk job at a Boston hospital, extremely busy. Parsons says his hospital was "slammed for about two days straight" by the DNS poisoning attacks starting March 29.
Dunham conservatively estimates that 3000 DNS servers at a range of U.S. companies, including at least two with more than 8000 employees, were compromised over the past month.
"It's a very sophisticated attack," Dunham says. His company sent out a high-level threat warning to its clients, which include Fortune 500 companies and government organizations.
Dunham notes that both DNS poisoning attacks and the types of spyware and adware involved have been around for some time. But, he says, "this [attack] certainly is unprecedented in terms of the methodology and the sheer scope of adware and spyware installed."
However, Web surfers at home generally are not vulnerable to this type of attack. Most ISPs use a type of DNS server called BIND, which is not directly affected by attempts at DNS poisoning. But older BIND servers can contribute to the problem by passing the attack along to vulnerable Windows DNS servers.
How It Works
"It took us a little while to figure this one out," says Kyle Haugsness at the Internet Storm Center, who has been tracking the attacks since they first began and wrote a report about them for the ISC.
Haugsness doesn't have a total count of the different organizations that have been compromised, but he says that about 500 organizations were hit within the first six days.
Every computer has to talk to a DNS server to know how to get anywhere on the Internet, and almost every company network has its own DNS server. When a server is poisoned, it's effectively tricked into sending someone who types in a .com URL to the attacker's Web site instead.
That Web site checks to see if the victim is using Internet Explorer, and if so, it tries to install a huge amount of adware and spyware. Its attempts work if you haven't kept your copy of IE updated. Dunham says the software installed includes known Trojan horses like Krepper, and adware such as 180solutions and Coolwebsearch--about 18MB of unwanted software in all.
The apps can pop up advertisements on your system and change your IE settings. They can also send user information, such as keywords from searches, to the apps' designers.
"All the installation is done silently, in the background, with no user interaction," says Dunham.
Whether or not the malicious Web site succeeds in installing any spyware or adware, the victim ends up at two Web sites in separate windows that look like search engines and have a multitude of links to advertisers. Until the DNS server is fixed, any attempt to go to any .com Web site ends up right back at those two sites.
According to Haugsness's report, the DNS cache poisoning affects some Windows NT 4 and Windows 2000 DNS servers, and Symantec firewalls that use DNS. Both Microsoft and Symantec have released patches for the vulnerable products.
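The symptom described above, every .com name coming back with the attacker's address, is something an IT department can check for in a sample of its own resolver's answers. The following is an added example, not part of the original article or the ISC report; the host names, documentation-range IP addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed samples: (queried name, A record the resolver returned).
POISONED = [
    ("www.alpha-example.com", "203.0.113.10"),
    ("www.bravo-example.com", "203.0.113.10"),
    ("mail.charlie-example.com", "203.0.113.10"),
    ("www.delta-example.com", "203.0.113.10"),
    ("www.echo-example.org", "198.51.100.7"),
]
HEALTHY = [
    ("www.alpha-example.com", "192.0.2.1"),
    ("www.bravo-example.com", "192.0.2.2"),
    ("mail.charlie-example.com", "192.0.2.3"),
    ("www.delta-example.com", "192.0.2.4"),
    ("www.echo-example.org", "198.51.100.7"),
]

def registered_domain(name):
    # Simplification: the last two labels, which is adequate for plain .com names.
    return ".".join(name.rstrip(".").lower().split(".")[-2:])

def domains_by_answer(answers, tld="com"):
    """Map each returned IP to the distinct registered domains under tld it answered for."""
    by_ip = defaultdict(set)
    for name, ip in answers:
        domain = registered_domain(name)
        if domain.endswith("." + tld):
            by_ip[ip].add(domain)
    return by_ip

def poisoning_suspects(answers, tld="com", min_domains=3, min_share=0.5):
    """Return IPs that answer for an implausibly large share of unrelated domains.

    Shared hosting and CDNs also put many domains on one address, so an IP is
    flagged only if it covers at least min_domains domains AND at least
    min_share of all sampled domains under the TLD.
    """
    by_ip = domains_by_answer(answers, tld)
    total = len(set().union(*by_ip.values()))
    suspects = {}
    for ip, domains in by_ip.items():
        if len(domains) >= min_domains and len(domains) / total >= min_share:
            suspects[ip] = sorted(domains)
    return suspects

if __name__ == "__main__":
    print("poisoned sample:", poisoning_suspects(POISONED))
    print("healthy sample: ", poisoning_suspects(HEALTHY))
```

A flagged address is a reason to compare the same names against a resolver outside the network and to inspect the DNS server's cache, not proof of poisoning on its own.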
What You Can Do
The bad news is that there's not much you can do personally to guard your work computer from being affected by DNS poisoning. You have no good way to avoid using DNS or to protect yourself if your company's DNS servers have been hit. Your IT department must make sure your DNS servers are not vulnerable.
But you can protect yourself against the malicious software installs by making sure your version of Internet Explorer is up-to-date with all current patches. Other browsers, such as Firefox, are not vulnerable to such installs.
If you've already been hit with spyware and adware by this attack or some other method, consult Steve Bass's helpful advice for cleaning your computer.
What's Behind It
Joe Stewart, a senior threat researcher at LURHQ, a South Carolina Internet security company that independently studied these attacks, analyzed the Web site redirection involved and the links in the two apparent Web search pages that resulted. Stewart found that clicking on one of the advertiser links in either of the sites sends information to Findwhat.com, an Internet marketing company that counts pay-per-click advertising as a big part of its business. The information sent includes one of two account numbers. The account number sent notifies Findwhat to transfer payment to that particular account.
So, according to Stewart, the attack is all about money. The adware and spyware generate revenue in much the same way as pay-per-click links do with a variety of different companies, he says. Once you click on an advertisement in a pop-up, someone else gets paid.
According to Findwhat spokesperson Michelle Craft, her company started a comprehensive inquiry when it was notified about LURHQ's report. Findwhat discovered that those behind the DNS poisoning attacks were affiliates of two Findwhat account holders.
"Both of the traffic sources mentioned in the LURHQ report were immediately terminated by the applicable [account holders] and are no longer able to access Findwhat.com's advertisers," Craft says. Advertisers who paid as a result of victims' clicks have gotten their money back, she adds.
Craft declines to provide any further information on the Findwhat account holders, and says Findwhat doesn't have any more information on the attackers.
The Global Internet
But there may be other clues as to who's behind the attacks. The malicious spyware installs come from an Internet site whose name includes the word vparivalka. Important note: Do not try to point your browser to the 'vparivalka' site, as it may try to install a large amount of difficult-to-remove adware and spyware on your PC.
According to Irine Sakk, a native Russian speaker in Northwestern University's Department of Linguistics, vparivalka is a Russian slang word with connotations of fraud and cheating. Depending on context, she says, it can mean giving someone something they didn't want, when they were expecting something else.
The ISP responsible for the current IP address used by vparivalka.org is based in the Ukraine and does not list any contact information on its Web site, which says it is "under construction."
Internet Pain
Although LURHQ's Stewart has worked with FBI agents investigating other attacks in the past, he doesn't know of any investigations into these attacks, and doesn't expect to see one.
"We have a hard enough time getting law enforcement to pay attention" to seriously destructive viruses, he says.
But attacks like these are "really becoming more of a problem for the end user than, say, viruses or phishing or the other things getting the headlines," he says. By throwing up unwanted pop-ups, hijacking Web connections, and slowing computers to a crawl, they are "making the experience of using the Internet painful."
http://www.nwfusion.com/news/2005/0422widesattac.html