Suspicious server probes multiply

The number of suspicious probes and scans designed to find vulnerable domain name servers on corporate networks shot up 280% last month and continues to climb, according to IT managers and a new survey conducted by a network security monitoring firm.

A survey released last week by Alameda, Calif.-based Pilot Network Services Inc. found that suspected hackers made as many as 6,000 attempts last month -- compared to approximately 2,200 in December -- to locate vulnerable domain name servers across corporate networks. Pilot collected the information for the survey from its regional network operations centers, which monitor 70,000 corporate networks belonging to Pilot clients worldwide.

The spike in the number of scans came as no surprise to many users and security experts, who said hackers are stepping up their efforts to uncover corporate systems that haven't been fixed for vulnerabilities discovered last month in the Berkeley Internet Name Domain (BIND) server from the Redwood City, Calif.-based Internet Software Consortium.

In fact, many companies don't even know they are being scanned or if their networks have been compromised, security specialists said.

Meanwhile, other experts warned that hackers with track records of developing sophisticated automated hacking tools are already planning to cross-breed Internet worms, such as the recent Ramen worm, with other DNS exploits, thus creating the potential for widespread network problems.

"There are a couple of worms on the horizon that will probably be the next breaking story," said Amit Yoran, CEO of Riptech Inc., a network security firm in Alexandria, Va. "In literally a matter of hours, a very large number of zombie hosts can be created for planned [distributed denial-of-service] attacks, multiple hopping points to cover your tracks and other activities."

IT managers across the nation also are reporting a rise in DNS-related probes, with many attributing the increase to the Jan. 29 public announcement of vulnerabilities in BIND.

Keith Morgan, a network security specialist at Terradon Communications Group LLC, a Nitro, W. Va.-based Internet software developer for Fortune 500 firms, said his company has detected more than 15,000 individual probes for vulnerabilities on its networks since October. But the scans recently shifted from those looking for vulnerable file transfer protocol servers to Port 53, where DNS resolution queries are handled in older versions of BIND.

"Our remote sites and VPN users connecting over both dial-up and broadband technologies are also reporting major increases in scans for DNS servers," said Morgan.

Sean Brown, a systems administrator at Applied Geographics Inc., a geographic information systems consulting firm in Boston, said he has seen a small rise in scans since Jan. 30. But the impact of those scans can be significant, he said. "I had only seen one Class C sweep for DNS in January before the announcement," said Brown, referring to a network that contains 256 IP addresses. "I've since seen four."

Although that may not seem like a lot, each scan is probably looking at an entire network of anywhere from 256 IP addresses up to 65,536, said Brown. "The number of potentially vulnerable systems is huge."

Companies belonging to the Information Systems Security Association (ISSA), an Oak Creek, Wis.-based nonprofit group, are also reporting an increase in BIND-related scans, according to an ISSA member who requested anonymity.

In addition, a spokesman for the CERT Coordination Center at Carnegie Mellon University in Pittsburgh confirmed that there has been a significant increase in the number of BIND-related scans.

Still, the cross-breeding of viruses and Internet worms to exploit security gaps in BIND represents a major shift in the way virus writers operate, said Chris Klaus, chief technology officer at Internet Security Systems Inc. in Atlanta.

"Now we're seeing an increase in the number of virus writers using the hacker mentality," Klaus said. Viruses are being designed that automatically search out compromised systems, he said. "If companies haven't thought of a way to routinely check their machines, they're sitting ducks."

DNS Probes on the Rise

Recent Network Security Statistics:
Attempts to breach online security mechanisms rose 58% in January, to 5,568, from 3,534 last December.
Attempts to find vulnerable servers increased 280% to approximately 6,000.
Stealth scans are the most common types of malicious activity and increased 88% to 3,102.
Backdoor-G and NetBus Trojan scans have increased in number, while Hack-a-Tack and Back Orifice have decreased and appear to be out of favor.

This story, "Suspicious server probes multiply" was originally published by Computerworld.

ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon