Free Republic

Symantec On Alert After Surge In Net Activity
ZDNET via Google News | October 3, 2003 | Andrew Colley

Posted on 10/03/2003 4:24:49 AM PDT by John W

An unexplained rise in domain name server-related traffic worldwide may be related to a Trojan on the loose, says the antivirus firm

Symantec's security service has been placed on alert in response to a substantial jump in domain name server-related activity across the globe.

The computer-security specialist has stepped up efforts to monitor network ports associated with domain name servers. Vincent Weafer, senior director of US-based Symantec Security Response, said the company's DeepSight firewall sensors had begun reporting an unusually large volume of network events commonly associated with DNS activity.

It appears that some of Symantec's concern has been driven by the recent re-appearance of a variety of Trojan that exploits a security flaw in Microsoft's Internet Explorer that allows miscreants to insert malicious code into Windows PCs through Web and HTML content.

The payload delivered by the latest variety of Trojan to appear, Qhosts-1, manipulates the way PCs find Web sites on the Internet. Qhosts-1 alters the PC's domain name server setting -- normally specified by the user's ISP -- and instructs it to link a commonly used search engine site with a network address that appears to belong to a Texas-based ISP.

While Symantec is yet to find the source behind the unusual jump in DNS activity, Weafer said Qhosts-1 may be the culprit. However, antivirus companies have given the Trojan a low threat rating, having received few reports of infection, and he appears to have some doubts.

"A recent Trojan (Trojan.Qhosts) may be the cause of some or all of this activity, however, of the samples Symantec has received, they all point to google.com," said Weafer.

A higher than reported infection rate of Qhosts-1 is among the possible explanations for the phenomenon Symantec is considering.

According to Weafer, there was evidence of links between servers implicated in spamming activities and the Trojan, which he said may point to the possibility that Qhosts-1 has propagated more widely than previously thought possible through email-borne HTML content.

Symantec said the company won't know the cause of the activity spike for 24 hours.


TOPICS: Business/Economy; Crime/Corruption; Front Page News; News/Current Events; Technical
KEYWORDS: computersecurity; lowqualitycrap; microsoft; trojan; windows

1 posted on 10/03/2003 4:24:49 AM PDT by John W

To: John W
I think the ISP is Comcast. They had Texas problems yesterday and may be one of those targets of life like gates. They are in the cable TV and internet business and an easy target of PO types that are easy to anger. Watch for them over the next few months to be a ready target.
2 posted on 10/03/2003 4:38:32 AM PDT by q_an_a

To: John W

LiveUpdate Time!


4 posted on 10/03/2003 5:15:00 AM PDT by Tank-FL (Keep the Faith - GO VMI Beat Liberty this weekend in Lynchburg)

To: John W
.. on alert in response to a substantial jump in domain name server-related activity across the globe.

Interesting... I noticed some probes on my nameserver from APNIC addresses on September 28th.

                I/P:Sock             Origin I/P:Sock
21:00:47 28 Sep .50:53     PROTO=17  211.13.227.66:10287
21:00:47 28 Sep .50:53     PROTO=17  202.222.25.4:46353
21:00:47 28 Sep .50:53     PROTO=17  202.160.241.130:61725
21:00:57 28 Sep .50:53     PROTO=17  211.13.227.66:10287
21:00:57 28 Sep .50:53     PROTO=17  202.222.25.4:46353
21:00:57 28 Sep .50:53     PROTO=17  202.160.241.130:61725

5 posted on 10/03/2003 6:55:00 AM PDT by TechJunkYard
