In the never-ending war between security researchers and malware authors, each side continually attempts to outmaneuver or out-engineer the other. The latest security threat to hit the white hat radar involves a new form of system-level DNS hijacking. DNS hijacking, in and of itself, is nothing new, but it's now apparently possible to reliably initiate such attacks using web-based malware, rather than relying on an end-user to download or activate a suspicious attachment.

According to a recent report by PCWorld, research teams working out of Google and the Georgia Institute of Technology have discovered a series of open-recursive DNS servers that were classified as behaving "suspiciously." Open-recursive DNS servers are DNS servers that will answer any lookup request, no matter where it originates. So long as the DNS servers return accurate information—and the vast, vast majority do—everything is kosher. When open DNS servers don't return valid information, however, they open the door to an entire world of problems.

Poisoning a DNS server allows the malware author to send your computer virtually anywhere he wants. Since your system is being driven to false web sites based on DNS information, there's no way for any malware suite running locally to detect or report on the problem—at least, not once the damage has been done. There are still limitations on what can be done; a false web site set up to look like PNC Bank (for example) wouldn't be able to authenticate against the SSL certificate trust stored on a user's system. Password and logon information could still be gathered in other ways, however, and some users would undoubtedly ignore the warning signs, trusting the address bar that tells them they really are at www.securesite.com.

This method of poisoning would also allow for cross-site scripting exploits. If a user's computer is set to allow all JavaScript and cookies from, say, MySpace, the fake MySpace web site would be able to run code as if it were the real web site. This opens the door to all sorts of further exploits and general bad things, all of which might go undetected by the user for quite some time. This type of attack could also be used to build an effective botnet—and more botnets are something we really don't need.

Web 2.0 can act as something of an enabler in this process. Webpage mashups may be a hot marketing term, but pulling content from multiple web sites simultaneously is also one means of infecting the people who visit a site without their knowing which vector the attack came from. Fortunately, there are already some solutions to this particular problem.

Vista's UAC would actually defend a system from this type of attack by notifying the user that a program was attempting to change the system's DNS settings. I'm not sure whether current anti-malware software from various vendors would detect and prevent DNS-level hijacking, but again, such protection and notification could be implemented at the software level. The availability of user-level protection is by no means a complete solution to the problem; software companies cannot assume that all users avail themselves of the appropriate level of anti-malware software or install the appropriate patches, but it is a place to start.
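As an illustration of the software-level check described above, here is an added example (not from the article or any vendor) that audits a system's configured resolvers against an allowlist and reports what changed between two snapshots. It assumes a resolv.conf-style configuration; the allowlist and the sample configurations are constructed for the example.

```python
"""Detect tampering with a system's DNS resolver settings (added example)."""
import ipaddress
import re

# Constructed allowlist: the resolvers this system is expected to use.
TRUSTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}


def parse_resolv_conf(text: str) -> list[str]:
    """Return the nameserver entries from resolv.conf-style text, in order."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        match = re.match(r"nameserver\s+(\S+)$", line)
        if match:
            servers.append(match.group(1))
    return servers


def audit_resolvers(servers, trusted=TRUSTED_RESOLVERS):
    """Flag every configured resolver that is not on the allowlist."""
    findings = []
    for server in servers:
        if server in trusted:
            continue
        try:
            ipaddress.ip_address(server)
        except ValueError:
            findings.append((server, "malformed nameserver entry"))
            continue
        findings.append((server, "unknown resolver: possible hijack"))
    return findings


def diff_snapshots(before, after):
    """Return (added, removed) resolvers between two configuration snapshots."""
    return sorted(set(after) - set(before)), sorted(set(before) - set(after))


# Constructed samples: a clean baseline and a tampered configuration.
BASELINE = "# managed by DHCP\nnameserver 10.0.0.53\nnameserver 10.0.1.53\n"
TAMPERED = "nameserver 203.0.113.7  # injected entry\nnameserver 10.0.0.53\n"

if __name__ == "__main__":
    before, after = parse_resolv_conf(BASELINE), parse_resolv_conf(TAMPERED)
    print("findings:", audit_resolvers(after))
    print("added/removed:", diff_snapshots(before, after))
```

A monitoring agent would run the audit on each change to the resolver configuration and alert on any non-empty findings, which is the notification the article says a software-level defence should provide.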