Wednesday, February 25, 2009

Hacker Turf War

Per our demonstration on cache poisoning I found this report from the SANS Internet Storm Center particularly relevant. SANS researcher Daniel Wesemann recently found and analyzed malware that altered an infected computers hosts file - exactly what we did in class on Monday.

Wasemann noted that most malware is designed to 'blackhole' updates from anti-virus vendors and patches from operating systems. 'Blackholing' is a term used to described how a cache poisoning attack would re-route traffic to an unreachable location. blackholing anti-virus updates and operating systems patches will prevent a user from detecting an infection or from the computer automatically fixing the underlying vulnerability.

However, this particular piece of Malware that Wasemann analyzed contained "200 or so domains that are reconfigured to point to ... but, surprisingly, not domains of commercial software. Rather, it looks like a turf war is in progress between malwares, and this particular species tries to null out the connections of the competition."

The IP address is the address for your computers loopback adapter. Traffic routed to this destination will effectively disappear. Therefore, the authors of this malware sample are trying to prevent rival malware from gaining control over an infected computer. Infected computers have monetary value in the cyber criminal underworld. As a result, cyber criminals are incented to protect their property.

Discussion for class:

  • Does this type of cache poisoning attack affect confidentiality, integrity, or availability? Can it affect all three?
  • Who is responsible for addressing vulnerabilities in software and hardware? The end user? The manufacturer? The Internet Service Provider?

No comments: