Wednesday, February 25, 2009

Hacker Turf War

Per our demonstration on cache poisoning, I found this report from the SANS Internet Storm Center particularly relevant. SANS researcher Daniel Wesemann recently found and analyzed malware that altered an infected computer's hosts file, which is exactly what we did in class on Monday.

Wesemann noted that most malware of this kind is designed to 'blackhole' updates from anti-virus vendors and patches for operating systems. 'Blackholing' is a term used to describe how a cache poisoning attack re-routes traffic to an unreachable location. Blackholing anti-virus updates and operating system patches prevents the user from detecting an infection and prevents the computer from automatically fixing the underlying vulnerability.

However, the particular piece of malware that Wesemann analyzed contained "200 or so domains that are reconfigured to point to 127.0.0.1 ... but, surprisingly, not domains of commercial software. Rather, it looks like a turf war is in progress between malwares, and this particular species tries to null out the connections of the competition."

The IP address 127.0.0.1 is the address of your computer's loopback adapter. Traffic routed to this destination never leaves the machine and effectively disappears. Therefore, the authors of this malware sample are trying to prevent rival malware from gaining control over an infected computer. Infected computers have monetary value in the cyber criminal underworld, so cyber criminals are incentivized to protect their property.
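As an added example (not part of the original post or the SANS analysis), here is a small Python checker a defender could run against a hosts file to spot the kind of tampering described above: any name other than the standard localhost names that is mapped to a loopback (127.0.0.1, ::1) or unspecified (0.0.0.0) address is flagged, and names matching a watchlist of update-related domains are marked separately. The watchlist, the sample hosts content, and all domain names in the sample are constructed for illustration.

```python
"""Flag blackholed entries in a hosts file.

Added example, not code from the original post. The hosts text,
watchlist and domain names below are constructed for illustration.
"""
import ipaddress

# Names that legitimately resolve to loopback and should not be flagged.
LEGIT_LOOPBACK_NAMES = {
    "localhost", "localhost.localdomain",
    "ip6-localhost", "ip6-loopback", "broadcasthost",
}

# Constructed watchlist of update-related domain suffixes; a real
# deployment would use the vendor domains the organization depends on.
WATCHLIST_SUFFIXES = ("windowsupdate.com", "example-av.com")


def parse_hosts(text):
    """Yield (address, hostname, line_no) for every mapping in hosts text.

    Comments (after '#') and blank lines are skipped; one address may
    carry several hostnames on the same line.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        for name in names:
            yield addr, name.lower(), line_no


def is_blackhole_address(addr):
    """True for loopback (127.0.0.0/8, ::1) or unspecified (0.0.0.0, ::)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def on_watchlist(name):
    """True if name equals or is a subdomain of a watchlist suffix."""
    return any(name == s or name.endswith("." + s) for s in WATCHLIST_SUFFIXES)


def find_blackholed(text):
    """Return a list of suspicious entries found in hosts-file text."""
    findings = []
    for addr, name, line_no in parse_hosts(text):
        if not is_blackhole_address(addr) or name in LEGIT_LOOPBACK_NAMES:
            continue
        findings.append({
            "line": line_no,
            "address": addr,
            "name": name,
            "watchlist": on_watchlist(name),
        })
    return findings


# Constructed sample: two update hosts and one rival domain are nulled.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
127.0.0.1       update.example-av.com        # constructed AV update host
0.0.0.0         download.windowsupdate.com   # constructed OS update host
127.0.0.1       rival-bot.example            # constructed competitor domain
192.0.2.10      intranet.example             # ordinary static mapping
"""

if __name__ == "__main__":
    for f in find_blackholed(SAMPLE_HOSTS):
        tag = " [WATCHLIST]" if f["watchlist"] else ""
        print(f"line {f['line']}: {f['name']} -> {f['address']}{tag}")
```

Run against a real system you would read `/etc/hosts` or `%SystemRoot%\System32\drivers\etc\hosts` instead of the embedded sample; comparing the output with a known-good baseline is a cheap way to notice when the file has been rewritten.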

Discussion for class:

  • Does this type of cache poisoning attack affect confidentiality, integrity, or availability? Can it affect all three?
  • Who is responsible for addressing vulnerabilities in software and hardware? The end user? The manufacturer? The Internet Service Provider?
