Widespread attack cripples computers with spyware

By Erik Larkin , PC World , 04/22/2005

An insidious new Internet attack that hijacks a victim's Internet connection and stealthily installs a barrage of adware and spyware is targeting businesses and organizations across the U.S.

The two-pronged attack, which has been ongoing since early March, has afflicted an estimated 20,000 computers, according to Ken Dunham, director of malicious code at IDefense, a Virginia-based Internet security company.

It starts with an assault known as DNS poisoning: Domain name system servers, which guide Internet traffic, are fooled into directing anyone heading to any .com Web site - for example, www.cnn.com or www.americanexpress.com - to a malicious Web site that the attackers control. That Web site then surreptitiously installs a wide range of adware and spyware on the victim's computer.

Companies suffer from the attack in a number of ways. First, the Internet connection for anyone using the poisoned DNS server - often the entire company in the case of smaller businesses - is completely disrupted. All Web traffic and e-mail trying to go to any .com site gets hijacked for as long as the DNS server remains compromised.

Even after the DNS server is fixed, the company has to clean the adware and spyware from any affected computers, an onerous task that can keep IT people like David Parsons, who supports about 7000 people in his help desk job at a Boston hospital, extremely busy. Parsons says his hospital was "slammed for about two days straight" by the DNS poisoning attacks starting March 29.

Dunham conservatively estimates that 3000 DNS servers at a range of U.S. companies, including at least two with more than 8000 employees, were compromised over the past month.

"It's a very sophisticated attack," Dunham says. His company sent out a high-level threat warning to its clients, which includes Fortune 500 companies and government organizations.

Dunham notes that both DNS poisoning attacks and the types of spyware and adware involved have been around for some time. But, he says, "this [attack] certainly is unprecedented in terms of the methodology and the sheer scope of adware and spyware installed."

However, Web surfers at home generally are not vulnerable to this type of attack. Most ISPs use a type of DNS server called BIND, which is not directly affected by attempts at DNS poisoning. But older BIND servers can contribute to the problem by passing the attack along to vulnerable Windows DNS servers.

How It Works

"It took us a little while to figure this one out," says Kyle Haugsness at the Internet Storm Center, who has been tracking the attacks since they first began and wrote a report about them for the ISC.

Haugsness doesn't have a total count of the different organizations that have been compromised, but he says that about 500 organizations were hit within the first six days.

Every computer has to talk to a DNS server to know how to get anywhere on the Internet, and almost every company network has its own DNS server. When a server is poisoned, it's effectively tricked into sending someone who types in a .com URL to the attacker's Web site instead.
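A defender-side check for the symptom described above, namely many unrelated .com names all resolving to a single address that a trusted resolver does not return. This is an added illustration, not part of the original article or of any tool it mentions; the resolver answers and addresses are constructed sample data.

```python
"""Flag a resolver whose answers for unrelated .com names collapse to one
address and disagree with a trusted reference resolver (constructed data)."""
from collections import Counter

# Constructed answers as a poisoned local resolver might return them.
LOCAL_ANSWERS = {
    "www.cnn.com": "198.51.100.7",
    "www.americanexpress.com": "198.51.100.7",
    "www.example.com": "198.51.100.7",
    "mail.example.org": "203.0.113.25",   # non-.com name left untouched
}

# Constructed answers from a resolver believed to be unaffected.
REFERENCE_ANSWERS = {
    "www.cnn.com": "192.0.2.10",
    "www.americanexpress.com": "192.0.2.20",
    "www.example.com": "192.0.2.30",
    "mail.example.org": "203.0.113.25",
}


def suspicious_sinkhole(local, tld="com", min_names=3):
    """Return the address that the most distinct <tld> names resolve to,
    if at least `min_names` unrelated names share it; otherwise None."""
    hits = Counter(ip for name, ip in local.items()
                   if name.endswith("." + tld))
    if not hits:
        return None
    addr, count = hits.most_common(1)[0]
    return addr if count >= min_names else None


def mismatched_names(local, reference):
    """Names whose local answer differs from the reference resolver's."""
    return sorted(n for n in local
                  if n in reference and local[n] != reference[n])


def assess(local, reference, min_names=3):
    """Combine both signals: a shared sinkhole address plus disagreement
    with the reference resolver on at least `min_names` names."""
    sink = suspicious_sinkhole(local, min_names=min_names)
    diffs = mismatched_names(local, reference)
    poisoned = sink is not None and len(diffs) >= min_names
    return {"poisoned": poisoned, "sinkhole": sink, "mismatched": diffs}


if __name__ == "__main__":
    print(assess(LOCAL_ANSWERS, REFERENCE_ANSWERS))
```

In practice the two dictionaries would be filled from queries sent to the local server and to a known-good resolver for the same list of names.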
