Web hosting providers that can't keep DNS servers clean are exposing low-budget government Web sites to malware.
eWeek.com, by Lisa Vaas, December 4, 2007
Riddle: What do the city of Plainville, Kan., and the Transportation Authority of Marin County, Calif., have in common?
Answer: a Web hosting provider that can't seem to keep its DNS servers clean.
Both .gov domains in the past few months have seen their sites seeded with redirects to malicious servers in other countries that have pushed pornography, malware, Viagra ads and the like to site visitors.
TAM and Plainville are, in fact, two examples of what security researchers are calling an epidemic of sites being compromised through their hosting providers and injected with malicious Web attacker paths that lead to tool kits such as Icepack, Neosploit and Web Attacker. These malcode tool kits serve up anywhere from five to a dozen or more exploits that latch on to site visitors' machines through their browsers to infest the systems with malware.
Plainville and TAM have more than their victim status in common. On the face of it the two had separate hosting providers—StartLogic and IPowerWeb, respectively—but those two are in fact all but the same company, both headquartered at the same Phoenix address and both sharing the same customer contact listing.
IPowerWeb/StartLogic hadn't provided input by the time this story posted. Their track records paint a colorful portrait, however: The Better Business Bureau has processed 191 complaints about IPowerWeb in the last three years. StartLogic is not only rated as an "unsatisfactory" business at BBB but also has its own hate site, StartLogicSucks.com, which ranks third in a Google search on "StartLogic."
Not all site poisonings can be blamed on ISPs. Security problems arising from collaborative software such as wikis are the customer's fault, as are those associated with poorly written ASP code, sloppy PHP work and SQL hacks.
So it's not always the ISP's fault when a site gets seeded with garbage. Then too, there are plenty of ISPs that respond promptly when customers' security staffers report that their sites have been hijacked.
Judging by Morgan Bailey's experience, IPowerWeb is not one of those.
On Nov. 19, Bailey, an information security analyst for the Enterprise Security Office for the state of Kansas, noticed a number of discrepancies in the DNS registrar information for some sites pertaining to the city of Plainville, Kan. If he queried the DNS server to find out what company was hosting the Plainville.ks.gov domain name, it delivered one set of information. If he tweaked the host name to query about Plainville-kansas-gov, he received the correct DNS information. If he queried 7.t.city-of-plainville.ks.gov, he got servers located in Moldavia, or Serbia, or Estonia. The sites were redirecting to pages hosting malware.
This was not the customer's fault. In fact, the city of Plainville didn't even have a site. The city had registered a domain name, but it had never gone live with a site and didn't have an IP address for its domain name. Everything that was being served on the pages was residing within IPowerWeb's servers, which had been infiltrated by attackers.
Because IPowerWeb's servers were vulnerable, criminals were able to register false DNS information, including different site names under the city of Plainville's domain name. Bailey's research turned up other sites with the same problem, also being hosted at IPowerWeb, including at least two other government sites: csm.ca.gov and Bridger-mt.gov.
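The check Bailey ran can be expressed as a small audit: any name under the city's zone that resolves although the owner never provisioned it, or that answers from addresses outside the hosting provider's own netblocks, is a sign of rogue records on the provider's DNS. This is an added example, not code from the article or from any of the parties named in it; the apex, the provisioned-name inventory, the netblock and every address below are constructed placeholders (RFC 5737 documentation ranges), not real lookups.

```python
import ipaddress


def audit_zone(apex, provisioned, expected_nets, observed):
    """Return {name: [reasons]} for names under `apex` whose answers look rogue.

    apex          - the owner's domain, e.g. a .gov zone parked at a host
    provisioned   - names the owner actually set up (empty if no live site)
    expected_nets - CIDR strings the hosting provider should answer from
    observed      - {name: set of A-record addresses} seen from the host's DNS
    """
    nets = [ipaddress.ip_network(n) for n in expected_nets]
    findings = {}
    for name, addrs in observed.items():
        if name != apex and not name.endswith("." + apex):
            continue  # belongs to some other zone; not this owner's problem
        reasons = []
        if name not in provisioned and addrs:
            # A label the owner never created should not resolve at all.
            reasons.append("unprovisioned name resolves")
        for a in sorted(addrs):
            ip = ipaddress.ip_address(a)
            if not any(ip in n for n in nets):
                # Answer points outside the host's own ranges (e.g. abroad).
                reasons.append(f"{a} outside expected hosting ranges")
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample (assumptions, not real data): the city registered
# the name but never went live, so no label under it should resolve.
APEX = "city-of-plainville.ks.gov"
PROVISIONED = set()
EXPECTED_NETS = ["198.51.100.0/24"]      # stand-in for the host's netblock
SAMPLE_OBSERVED = {
    APEX: set(),                          # apex itself has no address
    "7.t." + APEX: {"192.0.2.45"},        # injected label, foreign address
    "www.plainville-kansas.example": {"198.51.100.9"},  # other zone, skipped
}

if __name__ == "__main__":
    for name, reasons in audit_zone(APEX, PROVISIONED, EXPECTED_NETS, SAMPLE_OBSERVED).items():
        print(name, "->", "; ".join(reasons))
```

In practice `observed` would be filled from the host's nameservers (for example by resolving every name seen in logs or passive DNS for the zone) and `expected_nets` from the provider's published ranges; the comparison logic stays the same.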
Obviously, IPowerWeb had a problem. Getting it fixed would be an uphill battle, however, given the lack of human contact available.
Bailey found he had to send repeated e-mails to IPowerWeb's abuse e-mail contact—a frustrating exercise, given that the contact information was hidden and could only be retrieved via Google searches for cached information that had been removed from the site. When the ISP finally responded, it initially tried to brush him off by laying the blame back at the customer's feet.
"I sent them several e-mails," Bailey told eWEEK. "They returned [my e-mail] once saying it wasn't their fault, when it clearly was. I could trace everything back to their DNS servers."
Imagine the frustration of squeezing an ISP's site in an effort to find a responsive human to deal with a site that's been seeded with malware, with more and more innocent citizens potentially suffering drive-by malcode downloads as the clock ticks. Imagine that same frustration if the news has gotten out to security researchers, been blogged about, featured in news headlines, and resulted in the GSA pulling the plug on an entire state's domain, as happened in the case of California with TAM in October.