Storm/Peed Nameserver Update
DISOG researcher Randy Vaughn has identified a new wrinkle with the Stormworm Nameservers. 364 of the identified nameservers are now functioning as open resolvers.
It is likely the storm gang may be preparing poisoned name servers operating behind network perimeters. If they did that they could use network sensitive IPs in order to mask the fact that infected users have had their network settings altered. If the machine owner was aware enough to examine their network settings they might overlook the presence of an IP within their ISP's address space as a DNS IP. I know my initial reaction would be, "oh Grandecom changed the DHCP provided DNS IPs once again", rather than, "hey, that IP doesn't look right." Were I to check the listed, but compromised, name server I would more than likely only verify that CNN went to CNN, and Apple.com went to Apple. I might not think to verify that mybank.com actually went to mybank. Please pay special attention to those SSL Certificates! Storm, all by itself, could cause widely-dispersed financial loss on a large scale; I wouldn't put it past the Storm team to launch targeted phishing attacks in the near future.
Of course there are other, much scarier things these guys could be planning.
I am not a big fan of customer blocks, but I feel this case warrants blocking inbound port 53 (tcp/udp), and outbound port 25 (tcp) traffic immediately.
Jeff Kell reminds us that this could be quite a subtle attack vector weeks or months down the road, even if the machine was cleaned of all malware.
It is likely the storm gang may be preparing poisoned name servers operating behind network perimeters. If they did that they could use network sensitive IPs in order to mask the fact that infected users have had their network settings altered. If the machine owner was aware enough to examine their network settings they might overlook the presence of an IP within their ISP's address space as a DNS IP. I know my initial reaction would be, "oh Grandecom changed the DHCP provided DNS IPs once again", rather than, "hey, that IP doesn't look right." Were I to check the listed, but compromised, name server I would more than likely only verify that CNN went to CNN, and Apple.com went to Apple. I might not think to verify that mybank.com actually went to mybank. Please pay special attention to those SSL Certificates! Storm, all by itself, could cause widely-dispersed financial loss on a large scale; I wouldn't put it past the Storm team to launch targeted phishing attacks in the near future.
Of course there are other, much scarier things these guys could be planning.
I am not a big fan of customer blocks, but I feel this case warrants blocking inbound port 53 (tcp/udp), and outbound port 25 (tcp) traffic immediately.
Jeff Kell reminds us that this could be quite a subtle attack vector weeks or months down the road, even if the machine was cleaned of all malware.
Labels: fastflux, nuwar, open resolvers, peacomm, peed, Storm
posted by Nicholas at
21:26
0 Comments:
Post a Comment
<< Home