
News Pc World

Experts Say Business Network Attack May Be a Distraction

The real intent of DNS poisoning could be to test defenses or leave a small spyware app behind, say security analysts.

Erik Larkin, Medill News Service
Thursday, May 05, 2005

WASHINGTON, D.C. -- The recent Internet attacks that invaded business networks and installed a barrage of adware and spyware on vulnerable computers may have been a smoke screen put up by a new generation of sophisticated hackers out to make money rather than cause trouble, security analysts say.

 


Only a handful of companies are still being hit by the DNS poisoning attacks that hijack companies' Internet connections, according to the Internet Storm Center. With a tie-in to pay-per-click advertising and revenue-generating adware, security experts say, the widespread assault is part of an ongoing trend. But some analysts warn that the 18MB of malware, or malicious software, the attacks pushed onto each victimized computer may have been only a diversion.

That huge payload may have been meant to disguise a small "Easter egg," says Shane Coursen, senior technology consultant for Kaspersky Lab, a Moscow-based company that writes antivirus software and tracks Internet attacks. Amidst all the well-known threats like the Krepper Trojan horse and the Coolwebsearch browser hijackers, he says, the attackers could have slipped in a small new program that anti-spyware and antivirus programs don't yet catch.

So an IT person might remove all the obvious programs and think a system had been disinfected, only to leave behind the one program the attackers really meant to install. That sneaky piece of software could then join a "bot" network used to distribute spam, for instance, or it could get to work collecting personal information.


The Method Doesn't Fit the Motive

Coursen's idea is just a hypothesis; but it's based on the idea, shared by others, that the huge install was counterproductive to the attacker's seeming goal.

"It just didn't make sense to me," says Lance James, chief technical officer at Secure Science. The San Diego company works to protect financial agencies and other businesses from Internet attacks, and counts two of the top five U.S. banks as clients, he says.

If you want to make money from adware, James says, it needs to stay on the computer as long as possible and trick or entice people to click on pop-up ads or use a different search engine. Same for spyware--if you want to steal data from someone's computer, the program needs to remain on the PC long enough to track Web travels or intercept passwords. But installing 18MB of such programs all at once almost guarantees that the install will be noticed and the programs quickly removed.

So James suggests that the DNS poisoning attack and malware installs may have been a test run by skilled and organized criminals, or a distraction--sleight of hand that keeps people looking at one hand while the other does the trick.


Market-Driven Malware

Whether the attack was a devious misdirection or a clumsy grab for pay-per-click dollars, it joins the growing trend toward market-driven malware.

"The trend toward money making [in Internet attacks] is going to be the newest crime wave," says James. "It's pretty established now."

At Kaspersky, Coursen says that about 70 percent of the malware tested in the lab is made for money, not mayhem. Recent major attacks like MyDoom and Bagle were all about income, he says.

VeriSign's second-to-last Internet Security Intelligence Briefing, from November 2004, gives a reason for this new financial focus:

"Over the past 12 months, Internet crime has become increasingly more organized and motivated by financial gain. While 'script-kiddie' vandalism remains a serious problem, a significant number of teenage hackers have grown up and are now looking to make a living from crime."




Copyright (c) 2005 INFO MAGAZINE PC WORLD. All rights reserved.