Network Associates weathers DoS attack

Crackers seek revenge for unravelling of BIND bug

Security firm Network Associates was subject to a denial of service attack last night after crackers posted a Trojan horse on security mailing list, BugTraq.

An anonymous posting to the full-disclosure security mailing list, which has 85 000 readers, that appeared to be an exploit of recently discovered vulnerability in BIND name server program, was in fact cleverly disguised malicious code that attacked Network Associates' web site, Nai.com.

Anyone who compiled and ran the code, which security experts estimate might have been as many as 20 000 of BugTraq's readers, became unwitting participants in an attack against Nai.com.

Douglas Hurd, European business development manager for security products at Network Associates, said the attack affected the availability of Nai.com for 90 minutes.

"This was a denial of service type attack - with no penetration of our corporate network. Basically we got blasted with a lot of traffic - which was all noise," said Hurd, who said the effect would have been much worse if the firm did not already have both perimeter defences and intrusion detection software in place.

Unsurprisingly Hurd takes an extremely negative view of the posting of the Trojan, but he is not particularly harsh in his criticism of BugTraq.

"I accept there has to be openness in Internet communities like BugTraq but they have to be made more secure, so that they can't be used against firms. This isn't easy to do because you can't take a totalitarian approach to security."

Chris McNab, a network security analysts at MIS Corporate Defence, said that since BugTraq is a moderated security list the malicious posting, which he said contained fairly sophisticated code, should nonetheless have been detected earlier.

Network Associates issued a security advisory about the BIND vulnerability earlier this week, and McNab said the mode of attack used by the Trojan, sending packets to Network Associates DNS servers, suggests a possible revenge motive for the attack.

"Network Associates web site was intermittently up and down last night," said McNab, "NAI's Covert Labs discovered the BIND problem and this could be an attempt to kick NAI in the shins. This was quiet sophisticated coding and not the work of script kiddies, we're dealing with elite crackers here."

The posting of the malicious code to BugTraq was made from made from nobody@replay.com, an email address of an anonymous posting service. A hunt is on to discover who was responsible for the attack, by Network Associate's Hurd did not express any particular confidence that the attacker would be brought to book. ®

External links

Vulnerabilities in BIND 4 and 8

Related Stories

BIND holes mean big trouble on the Net
Microsoft crippled by S'Kiddies
Microsoft confirms Web site blackout
DNS trouble made Microsoft, Yahoo! unavailable

Sponsored: 10 ways wire data helps conquer IT complexity