Sophos Cloud Optix
The Internet Systems Consortium, better known as ISC, thinks it might have had a malware infection.
That’s the organisation responsible for BIND, a DNS server that is very widely used in production, even though it’s officially just a so-called reference implementation.
As you probably know, DNS, short for Domain Name System, is the intergalactic duct tape that holds the internet together.
Without DNS, you’d have to remember a numeric identifier, such as 31.222.175.174 or 2a03:2880:2130:cf05:face:b00c::1, for every website you wanted to visit.
Human-friendly names like sophos.com and facebook.com are only possible with DNS.
Interestingly, Paul Vixie, founder of the company that led to the ISC, and chief author of the BIND source code, publicly declared about four years ago that the anti-virus industry was “dud.”
But the ISC seems to have moved on since then, as it is now officially recommending a virus check if you have visited its website lately:
We believe the web site may have become infected with malware. Please scan any machine that has accessed this site recently for malware.
The explanation, such as it is, goes on to blame the parts of ISC’s network that run WordPress, but it doesn’t yet say what went wrong.
What might have happened?
Typical hacking and malware problems with WordPress installs, if you’d like to review your own WordPress setup, include:
- Unpatched WordPress software or plugins, leaving known security holes open for attackers.
- Poor password hygiene, including weak passwords, shared or re-used passwords, and no two-factor authentication.
- Poisoned third-party content such as adverts served from external servers.
- Overly-liberal access controls giving too much power to too many users.
→ For a more detailed look at keeping WordPress secure, you might like our article: How to avoid being one of the 73% of WordPress sites vulnerable to attack.
The good news is that ISC is being pretty straightforward on its holding page, even if it doesn’t yet know exactly what happened or how far the crooks penetrated.
They think they had malware, and they’ve said so without beating around the bush.
It would be useful to hear what malware was found, so let’s hope ISC can work out how the breach unfolded.
Infected or affected?
At the moment, it sounds as though we’re talking about malicious software that actually runs on the server, such as a Linux/UNIX exploit kit, rather than malware stored on the server to be pushed out onto visitors’ Windows and Mac desktops.
Exploit kits are usually used to orchestrate the infection of unpatched visitors by automatically trying to exploit a range of vulnerabilities in the visitor’s browser, Flash player, Java runtime, and so on.
That’s scary stuff, but if the exploit kit doesn’t have any Windows or Mac malware handy that it can disseminate to vulnerable computers, then the risk to visitors – even those with insecure or unpatched computers – is usually limited.
ISC’s holding page suggests that we’re looking at a server infection that can’t spread any other malware any further, which would be a silver lining to the incident.
How can you help?
Tracking down malware problems after the fact is a tricky task, especially if only a small subset of visitors were affected, or if the crooks realised you were onto them and cleared out before you could make a forensic grab of the malware files involved.
So if you think you did get infected as a result of visiting its website, please do as the ISC asks, and let the organisation’s Security Officer know.
Importantly, it seems almost certain that the actual source code of ISC products, including BIND itself, was unaffected.
So, just as when ICANN was breached but the crooks couldn’t actually change any DNS zone files, the crooks don’t seem to have been able to fool around with any ISC product.
<>
Actually, I said “A/V is dead, but sadly, noone will ever get fired for buying it.” However, I was happy to see ISC suggest that their recent web site visitors “Please scan any machine that has accessed this site recently for malware.”
As a Windows user myself, on my primary laptop, I use Microsoft’s A/V scanner whenever I think I might be infected. These scanners tend to be 100% accurate in hindsight, so, they can’t protect me, but they can help me clean up.
Prevention is a matter of continuous discipline and mental hygiene on the part of end users, it’s not some kind of active defense you can buy as a product or a service. Don’t use Internet Explorer; use a non-privileged account for your main work; only use the Administrator account when you actually need it; stuff like that. You’ll still get infected, and you’ll still need to run Microsoft’s A/V scanning tool when you get infected, but you can keep it down to a dull roar.
Must be your accent. I heard you say “dud.”
I think we agree that 100% malware prevention isn’t something you can buy in a package. (The very existence of Sophos Naked Security, where we do our best to give our readers security tips on things they can do over and above any protective technology they may have, including our own products, is IMO a fairly solid proof of that.)
But your implication that anti-malware scanners are entirely reactive and have no preventative value simply isn’t true…
Paul Vixie, Using a Microsoft AV scanner is like using a 14 year old sophomore basketball player in a pro basketball game.
AV is not dead….. It only is a weak layer to stop the millions of low hanging fruit malware files.
Well, talk about damning with the faintest praise 🙂