WASHINGTON, D.C.-- An insidious new Internet attack that hijacks a
victim's Internet connection and stealthily installs a barrage of
adware and spyware is targeting businesses and organizations across
the United States.
The two-pronged attack, which has been ongoing since early March, has
afflicted an estimated 20,000 computers, according to Ken Dunham,
director of malicious code at IDefense, a Virginia-based Internet
It starts with an assault known as DNS poisoning: Domain name system
servers, which translate the names people type into the addresses
Internet traffic actually uses, are fooled into directing anyone heading
to any .com Web site -- for example, www.cnn.com or
www.americanexpress.com -- to a malicious Web site that the attackers
control. That Web site then surreptitiously installs a wide range of
adware and spyware on the victim's computer.
Companies suffer from the attack in a number of ways. First, the
Internet connection for anyone using the poisoned DNS server -- often
the entire company in the case of smaller businesses -- is completely
disrupted. All Web traffic and e-mail trying to go to any .com site
gets hijacked for as long as the DNS server remains compromised.
Even after the DNS server is fixed, the company has to clean the
adware and spyware from any affected computers, an onerous task that
can keep IT people like David Parsons, who supports about 7000 people
in his help-desk job at a Boston hospital, extremely busy. Parsons
says his hospital was "slammed for about two days straight" by the DNS
poisoning attacks starting March 29. Physician and patient records
were affected, as were 'more trivial' functions.
Dunham conservatively estimates that 3000 DNS servers at a range of
U.S. companies, including at least two with more than 8000 employees,
were compromised over the past month.
"It's a very sophisticated attack," Dunham says. His company sent
out a high-level threat warning to its clients, which include Fortune
500 companies and government organizations.
Dunham notes that both DNS poisoning attacks and the types of spyware
and adware involved have been around for some time. But, he says,
"this [attack] certainly is unprecedented in terms of the methodology
and the sheer scope of adware and spyware installed."
However, Web surfers at home generally are not vulnerable to this
type of attack. Most ISPs run BIND, DNS server software that is not
directly affected by this poisoning technique. But older BIND
servers can contribute to the problem by passing the poisoned data
along to vulnerable Windows DNS servers.
How It Works
"It took us a little while to figure this one out," says Kyle
Haugsness at the Internet Storm Center, who has been tracking the
attacks since they first began and wrote a report about them for the
Haugsness doesn't have a total count of the different organizations
that have been compromised, but he says that about 500 organizations
were hit within the first six days, including a few small not for
Every computer has to talk to a DNS server to know how to get anywhere
on the Internet, and almost every company network has its own DNS
server. When a server is poisoned, it's effectively tricked into
sending someone who types in a .com URL to the attacker's Web site.
That Web site checks to see if the victim is using Internet Explorer,
and if so, it tries to install a huge amount of adware and
spyware. The installs succeed if the copy of IE has not been kept up
to date with security patches. Dunham says the software installed
includes known Trojan horses like Krepper, and adware such as
180solutions and Coolwebsearch -- about 18MB of unwanted software in all.
The apps can pop up advertisements on your system and change your IE
settings. They can also send user information, such as keywords from
searches, to the apps' designers.
"All the installation is done silently, in the background, with no
user interaction," says Dunham.
Whether or not the malicious Web site succeeds in installing any
spyware or adware, the victim ends up at two Web sites in separate
windows that look like search engines and have a multitude of links to
advertisers. Until the DNS server is fixed, any attempt to go to
any .com Web site ends up right back at those two sites.
According to Haugsness's report, the DNS cache poisoning affects some
Windows NT 4 and Windows 2000 DNS servers, and Symantec firewalls that
proxy DNS. Both vendors have released patches for the vulnerable products.
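The article does not spell out how a DNS server gets "fooled". The classic mechanism for cache poisoning of this kind, which the following added example illustrates, is an attacker's authoritative server attaching unsolicited records for a zone it does not own (here the delegation of com. itself) to an otherwise truthful reply; a cache that does not check whether each record falls within the answering server's bailiwick then stores the bogus com. delegation, and every later .com lookup is steered to the attacker. This is example code written for this page, not code from the article, IDefense or the Internet Storm Center. The evil.example. zone, the names RR, Cache, nameserver_for and run_scenario, and the addresses (all from the RFC 5737 documentation ranges) are constructed.

```python
# Toy resolver cache: shows how a reply's "additional" records can poison the
# com. delegation when the cache does not enforce bailiwick, and how the
# bailiwick check stops it. Constructed example: evil.example. is a
# hypothetical zone and all addresses come from the RFC 5737 documentation
# ranges.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RR:
    name: str   # owner name, absolute (trailing dot)
    rtype: str  # "A" or "NS"
    rdata: str  # address for A, target name for NS


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner is zone itself or a name beneath it; the root contains everything."""
    owner, zone = owner.lower(), zone.lower()
    if zone == ".":
        return True
    return owner == zone or owner.endswith("." + zone)


class Cache:
    def __init__(self, secure: bool) -> None:
        self.secure = secure  # enforce the bailiwick rule?
        self.records: Dict[Tuple[str, str], List[str]] = {}

    def accept_reply(self, zone: str, answer: List[RR], additional: List[RR]) -> List[RR]:
        """Ingest a reply from the server authoritative for `zone`.
        Records for the same (name, type) replace whatever was cached before,
        the way an unfiltered cache lets later data overwrite earlier data.
        Returns the records that were rejected."""
        rejected: List[RR] = []
        grouped: Dict[Tuple[str, str], List[str]] = {}
        for rr in answer + additional:
            if self.secure and not in_bailiwick(rr.name, zone):
                rejected.append(rr)  # the answering server has no authority over this name
                continue
            grouped.setdefault((rr.name.lower(), rr.rtype), []).append(rr.rdata)
        self.records.update(grouped)
        return rejected

    def lookup(self, name: str, rtype: str) -> List[str]:
        return self.records.get((name.lower(), rtype), [])


def nameserver_for(cache: Cache, qname: str) -> Optional[str]:
    """Address of the server the resolver would ask next for qname, found by
    walking up from qname to the closest zone with a cached delegation."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:]) + "."
        for ns in cache.lookup(zone, "NS"):
            addrs = cache.lookup(ns, "A")
            if addrs:
                return addrs[0]
    return None


def run_scenario(secure: bool) -> Cache:
    cache = Cache(secure)
    # 1. Legitimate delegation of com. learned from a root server (zone ".").
    cache.accept_reply(
        ".",
        answer=[RR("com.", "NS", "a.gtld-servers.net.")],
        additional=[RR("a.gtld-servers.net.", "A", "192.0.2.10")],  # constructed address
    )
    # 2. A user visits a name inside the attacker's zone. The attacker's
    #    authoritative server answers truthfully but appends unsolicited
    #    records claiming that com. is served by its own nameserver.
    cache.accept_reply(
        "evil.example.",
        answer=[RR("www.evil.example.", "A", "203.0.113.80")],
        additional=[
            RR("com.", "NS", "ns.evil.example."),      # the poison: outside evil.example.
            RR("ns.evil.example.", "A", "203.0.113.5"),  # in bailiwick, cached either way
        ],
    )
    return cache


if __name__ == "__main__":
    for secure in (False, True):
        c = run_scenario(secure)
        print(f"secure={secure}: www.cnn.com. would be looked up via {nameserver_for(c, 'www.cnn.com.')}")
```

With the bailiwick check off, the second reply overwrites the cached com. delegation and every .com lookup from then on is sent to 203.0.113.5; with it on, the com. NS record is rejected and only the attacker's own names are affected. Real resolvers apply the same rule with extra credibility ranking and TTL handling, but the rejection of out-of-zone records is the part that matters here.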
What You Can Do
The bad news is that there's not much you can do personally to guard
your work computer from being affected by DNS poisoning. You have no
good way to avoid using DNS or to protect yourself if your company's
DNS servers have been hit. Your IT department must make sure your DNS
servers are not vulnerable.
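A quick way for an IT department (or anyone who can run a script) to tell whether the DNS server they are using is currently poisoned in the way described above is to ask it for several unrelated .com names and see whether the answers all collapse onto one address, or differ wholesale from a trusted resolver's answers. This is an added example for this page, not a tool from the article or its sources. The probe list is illustrative, the function names resolve_with_system, probe, convergence and disagreements are hypothetical, and the sample answer sets SAMPLE_POISONED and SAMPLE_HEALTHY are constructed from RFC 5737 documentation addresses.

```python
# Resolver poisoning check: probe unrelated .com names through the resolver
# under suspicion and look for the symptom the article describes (every .com
# name landing on the same address), optionally comparing with a trusted
# resolver. Added example; function names are hypothetical and the sample
# answers below are constructed (RFC 5737 documentation addresses).
import math
import socket
from collections import Counter
from typing import Callable, Dict, Iterable, List, Set

Answers = Dict[str, Set[str]]  # name -> set of IPv4 addresses returned

# Illustrative probe list: sites run by different organizations, so their
# addresses should not coincide.
PROBE_NAMES = ["www.cnn.com", "www.americanexpress.com", "www.microsoft.com",
               "www.amazon.com", "www.ebay.com"]


def resolve_with_system(name: str) -> Set[str]:
    """Resolve through the host's configured resolver, i.e. the DNS server
    that a poisoned corporate cache would be feeding."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, 80, socket.AF_INET)}
    except socket.gaierror:
        return set()


def probe(names: Iterable[str],
          resolve: Callable[[str], Set[str]] = resolve_with_system) -> Answers:
    """Resolve every probe name; `resolve` is injectable so canned answers
    can be checked offline."""
    return {name: resolve(name) for name in names}


def convergence(answers: Answers, min_share: float = 0.6) -> Dict[str, int]:
    """Addresses that appear in the answers of at least min_share of the
    probed names (and at least two of them). Unrelated sites sharing one
    address is the fingerprint of a hijack of the whole TLD."""
    needed = max(2, math.ceil(len(answers) * min_share))
    counts = Counter(ip for ips in answers.values() for ip in ips)
    return {ip: n for ip, n in counts.items() if n >= needed}


def disagreements(suspect: Answers, reference: Answers) -> List[str]:
    """Names for which the suspect resolver's answers share no address with
    a trusted resolver's. Some disagreement is normal (CDNs, geo-DNS);
    every name disagreeing at once is not."""
    return sorted(name for name, ips in suspect.items()
                  if ips and reference.get(name) and ips.isdisjoint(reference[name]))


# Constructed sample data standing in for real lookups.
SAMPLE_POISONED: Answers = {name: {"203.0.113.7"} for name in PROBE_NAMES}
SAMPLE_HEALTHY: Answers = {
    "www.cnn.com": {"192.0.2.10"},
    "www.americanexpress.com": {"192.0.2.20"},
    "www.microsoft.com": {"192.0.2.30"},
    "www.amazon.com": {"192.0.2.40"},
    "www.ebay.com": {"192.0.2.50"},
}


if __name__ == "__main__":
    # Offline demonstration on the constructed data; call probe(PROBE_NAMES)
    # instead to test the resolver this host actually uses.
    print("poisoned sample converges on:", convergence(SAMPLE_POISONED))
    print("healthy sample converges on:", convergence(SAMPLE_HEALTHY))
    print("names the poisoned resolver gets wrong:",
          disagreements(SAMPLE_POISONED, SAMPLE_HEALTHY))
```

Run it from a machine inside the network, since the resolver that matters is the company's own. Choose probe names hosted by different organizations, because sites behind one CDN can legitimately share addresses, and treat convergence as a reason to check the DNS server's cache directly rather than as proof on its own.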
But you can protect yourself against the malicious software installs
by making sure your version of Internet Explorer is up to date with
all current patches. Other browsers, such as Firefox, are not
vulnerable to the installs used in this attack.
If you've already been hit with spyware and adware by this attack or
some other method, consult Steve Bass's helpful advice for cleaning
What's Behind It
Joe Stewart, a senior threat researcher at LURHQ, a South
Carolina-based Internet security company, independently studied
these attacks, the Web site redirection involved and the links in the
two apparent Web search pages that resulted. Stewart found that
clicking on one of the advertiser links in either of the sites sends
information to Findwhat.com, an Internet marketing company that counts
pay-per-click advertising as a big part of its business. The
information sent includes one of two account numbers, which tells
Findwhat which account is to be paid for the click.
So, according to Stewart, the attack is all about money. The adware
and spyware generate revenue in much the same way as pay-per-click
links do, through a variety of different companies, he says. Once you
click on an advertisement in a pop-up, someone else gets paid.
According to Findwhat spokesperson Michelle Craft, her company started
a comprehensive inquiry when it was notified about LURHQ's
report. Findwhat discovered that those behind the DNS poisoning
attacks were affiliates of two Findwhat account holders.
"Both of the traffic sources mentioned in the LURHQ report were
immediately terminated by the applicable [account holders] and are no
longer able to access Findwhat.com's advertisers," Craft
says. Advertisers who paid as a result of victims' clicks have gotten
their money back, she adds.
Craft declines to provide any further information on the Findwhat
account holders, and says Findwhat doesn't have any more information
on the attackers.
The Global Internet
But there may be other clues as to who's behind the attacks. The
malicious spyware installs come from an Internet site whose name
includes the word _vparivalka_. Important note: Do not try to point
your browser to the 'vparivalka' site, as it may try to install a
large amount of difficult-to-remove adware and spyware on your PC.
It is recommended that _all users_ -- both big and small -- block
the 'vparivalka' domain to prevent their computers from going to it.
According to Irine Sakk, a native Russian speaker in Northwestern
University's Department of Linguistics, _vparivalka_ is a Russian
slang word with connotations of fraud and cheating. Depending on
context, she says, it can mean giving someone something they didn't
want, when they were expecting something else.
The ISP responsible for the current IP address used by vparivalka.org
is based in Ukraine and does not list any contact information on
its Web site, which says it is "under construction."
Although LURHQ's Stewart has worked with FBI agents investigating
other attacks in the past, he doesn't know of any investigations into
these attacks, and doesn't expect to see one.
"We have a hard enough time getting law enforcement to pay attention"
to seriously destructive viruses, he says.
But attacks like these are "really becoming more of a problem for the
end user than, say, viruses or phishing or the other things getting
the headlines," he says. By throwing up unwanted pop-ups, hijacking
Web connections, and slowing computers to a crawl, they are "making
the experience of using the Internet painful, and causing the Internet
to be almost useless to a large number of users."
Copyright 2005 by PC World Communications, Inc.
NOTE: For more telecom/internet/networking/computer news from the
daily media, check out our feature 'Telecom Digest Extra' each day at
http://telecom-digest.org/td-extra/more-news.html . Hundreds of new
articles daily. Discuss this article and the effects of malicious
behavior and spamming on the net in our conference room 24/7 at