Computer Crime Research Center


More attacks against DNS servers in the Internet, Panda Labs

Date: October 10, 2005
Source: Computer Crime Research Center
By: CCRC staff

As reflected in the previous PandaLabs quarterly report, diverse cyber attacks against Internet DNS servers occurred during the first quarter of this year.

These attacks used a technique known as DNS cache poisoning and aimed to redirect legitimate web traffic to illegal servers from which a whole host of malware, adware and spyware is installed.

DNS cache poisoning incidents intensified on the Internet at the beginning of the second quarter of this year. This led to the rapid intervention of the security analyst community, who were enraged at the prospect of this growing threat.

Once again, the work carried out by the team at the Internet Storm Center (ISC) deserves special mention, with their analysts reminding people of the weaknesses of Windows NT and Windows 2000 servers to these types of attacks (there is a document about this problem in the Microsoft Knowledge Base).

The ISC has an excellent report which details the particulars of the numerous DNS cache poisoning incidents produced during the first six months of the year.

New worm for mobile devices with double the propagation capability

The first quarter of the year, March specifically, witnessed an unprecedented malware event: the first worm for mobile devices with short and long-range propagation capabilities (SymOS/Comwar.A.worm). This malware specimen is capable of sending itself through Bluetooth (to nearby devices within a limited range) and also through multimedia or MMS messages (using the list of contacts from the device itself).

There was a recurrence at the beginning of the second quarter of this year (on April 7th), and PandaLabs had the opportunity of detecting the second worm for mobile devices with double the propagation capability: SymOS/Cabir.J.worm.

All the details about SymOS/Cabir.J.worm can be found in the Panda Software Virus Encyclopedia.

The name chosen for this new malware specimen stems from the high degree of similarity its code has to the rest of the SymOS/Cabir.worm family members.

There is evidence to show that its author reused the code of one of the old SymOS/Cabir.worm variants, adding the modules necessary for propagation via MMS. Until then, members of the SymOS/Cabir.worm family could only be spread through Bluetooth.

Copyright © 2001-2013 Computer Crime Research Center