New Trojan appears to attack VeriSign
Andrew Colley
ZDNet Australia
October 02, 2003, 14:50 BST

A Trojan program has emerged in Australia that may be triggering a concerted assault on VeriSign's domain name

Sophos' antivirus team has confirmed that it is in the preliminary stages of analysing a new Trojan that may be linked to an organised attack on VeriSign's domain name servers. Paul Ducklin, head of technology, Sophos Asia-Pacific, said the Trojan, dubbed Qhost1, seduces the user into going to a Web site that exploits a security vulnerability in Internet Explorer and inserts malicious code onto the victim's personal computer.

Sophos's revelation coincides with unconfirmed reports from a source within the technical ranks of one Australia's major ISPs of a spike in support calls from customers whose DNS server settings had been tampered with, in what appears to be an orchestrated attack on Internet security giant VeriSign.

It's changing the IP address of the DNS servers from ours [domain name] across to VeriSign's to launch a DoS attack on them, said the source.


The source told ZDNet Australia that the activity appeared to be promoted by a virus or Trojan-like entity targeting Windows 2000 and Windows XP systems.


Ducklin said was unable to confirm that the new Trojan was implicated in the activity described by the source but confirmed it appeared that Qhost1 was designed to alter the DNS setting of its victim PCs.


This particular Trojan messes up your DNS so in theory it could be targeted against anyone, said Ducklin


What I can say is that in the light of what [ZDNet Australia] has told us, it has made us interested in looking at this particular sample so that we can match it up if further samples come in and, if appropriate, there will be further notifications on our Web site, he said.


Sophos expected to have a new definition file posted to its Web site within the hour.

ZDN