web application security lab

Pharming Worms Are Real

Am I going to have to eat my words? I was thumbing through some AV reports over the last few days and one report stuck out at me. Granted, I don’t follow each worm (not enough hours in the day for all the things I’d like to explore) but I was surprised to see a worm that had to do with Pharming. For those of you who are unfamiliar with the term, unlike phishing, pharming takes a more proactive approach by forcing people’s DNS entries to point to a different/malicious server. Frankly, I thought it was mostly the stuff of science fiction since no one could point to a single example of any instance of pharming greater than 100 people (a single ISP that got its DNS compromised). Granted, the trojan doesn’t mention pharming but that is the obvious next step if it isn’t already doing it (rather than just trying to get some click-through traffic on some websites).

Trojan.Flush.K, also known as Trojan.Dnschanger, modifies DNS entries on your Windows box and attempts to forward you to a malicious website. The obvious synergies with phishing attacks make this particular one stand out to me. Symantec rated this one very low (probably to do both with the lack of virulence and the ease of cleaning the system), but it’s interesting to note how potentially dangerous this could be if it were more widespread and written with more malice.
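A defender-side check for the kind of change described above, as an added example that is not part of the original post: it parses `ipconfig /all` output collected from a Windows host and reports any configured DNS server outside an approved list. The sample output, the approved resolver and the function names are constructed for illustration, and it assumes the modification is visible in the adapter's resolver settings.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (private and documentation addresses).
SAMPLE = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : corp.example
   IPv4 Address. . . . . . . . . . . : 10.0.4.23(Preferred)
   DNS Servers . . . . . . . . . . . : 10.0.0.53
                                       203.0.113.77
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

   DNS Servers . . . . . . . . . . . : 10.0.0.53
"""

# Assumption: the only resolver this site hands out to clients.
APPROVED = [ipaddress.ip_network("10.0.0.53/32")]

def parse_ip(token):
    """Return an address object, or None if the token is not an IP (scope id ignored)."""
    try:
        return ipaddress.ip_address(token.split("%")[0])
    except ValueError:
        return None

def dns_servers(text):
    """Map each adapter heading to the DNS servers listed under it."""
    result, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        if line and not line[0].isspace():   # unindented line opens a new adapter block
            adapter, in_dns = line.rstrip(":"), False
            continue
        m = re.match(r"\s+DNS Servers[ .]*:\s*(\S+)", line)
        token = m.group(1) if m else line.strip()
        # Extra servers follow on continuation lines that hold only an address.
        in_dns = bool(m) or (in_dns and parse_ip(token) is not None)
        if in_dns and adapter and parse_ip(token) is not None:
            result.setdefault(adapter, []).append(parse_ip(token))
    return result

def unexpected_resolvers(text, approved=APPROVED):
    """Return (adapter, address) pairs whose resolver is outside the approved networks."""
    return [(name, str(ip)) for name, ips in dns_servers(text).items()
            for ip in ips if not any(ip in net for net in approved)]

if __name__ == "__main__":
    print(unexpected_resolvers(SAMPLE))
```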

2 Responses to “Pharming Worms Are Real”

  1. Edward Z. Yang Says:

    I’m fairly certain that a lot of adware already does this: you type in google.com and some CoolWebSearch variant pops up. That’s why a lot of antispyware software offers HOSTS protection.

  2. RSnake Says:

    Perhaps, I haven’t followed up on much pharming activity since I left my last job. I heard some rumblings about something similar that was happening in China - where some massive percentage of machines were trojaned.