Malware infection suspected at ISC, providers of the BIND DNS server software

The Internet Systems Consortium, better known as ISC, thinks it might have had a malware infection.

That’s the organisation responsible for BIND, a DNS server that is very widely used in production, even though it’s officially just a so-called reference implementation.

As you probably know, DNS, short for Domain Name System, is the intergalactic duct tape that holds the internet together.

Without DNS, you’d have to remember a numeric identifier, such as 31.​222.​175.​174 or 2a03:​2880:​2130:​cf05:​face:b00c::1, for every website you wanted to visit.

Human-friendly names like sophos.com and facebook.com are only possible with DNS.

Interestingly, Paul Vixie, founder of the company that led to the ISC, and chief author of the BIND source code, publicly declared about four years ago that the anti-virus industry was “dud.”

But the ISC seems to have moved on since then, as it is now officially recommending a virus check if you have visited its website lately:

We believe the web site may have become infected with malware. Please scan any machine that has accessed this site recently for malware.

The explanation, such as it is, goes on to blame the parts of ISC’s network that run WordPress, but it doesn’t yet say what went wrong.

What might have happened?

Typical hacking and malware problems with WordPress installs, if you’d like to review your own WordPress setup, include:

• Unpatched WordPress software or plugins, leaving known security holes open for attackers.
• Poor password hygiene, including weak passwords, shared or re-used passwords, and no two-factor authentication.
• Poisoned third-party content such as adverts served from external servers.
• Overly-liberal access controls giving too much power to too many users.

→ For a more detailed look at keeping WordPress secure, you might like our article: How to avoid being one of the 73% of WordPress sites vulnerable to attack.

The good news is that ISC is being pretty straightforward on its holding page, even if it doesn’t yet know exactly what happened or how far the crooks penetrated.

They think they had malware, and they’ve said so without beating around the bush.

It would be useful to hear what malware was found, so let’s hope ISC can work out how the breach unfolded.

Infected or affected?

At the moment, it sounds as though we’re talking about malicious software that actually runs on the server, such as a Linux/UNIX exploit kit, rather than malware stored on the server to be pushed out onto visitors’ Windows and Mac desktops.

Exploit kits are usually used to orchestrate the infection of unpatched visitors by automatically trying to exploit a range of vulnerabilities in the visitor’s browser, Flash player, Java runtime, and so on.

That’s scary stuff, but if the exploit kit doesn’t have any Windows or Mac malware handy that it can disseminate to vulnerable computers, then the risk to visitors – even those with insecure or unpatched computers – is usually limited.

ISC’s holding page suggests that we’re looking at a server infection that can’t spread any other malware any further, which would be a silver lining to the incident.

How can you help?

Tracking down malware problems after the fact is a tricky task, especially if only a small subset of visitors were affected, or if the crooks realised you were onto them and cleared out before you could make a forensic grab of the malware files involved.

So if you think you did get infected as a result of visiting its website, please do as the ISC asks, and let the organisation’s Security Officer know.

Importantly, it seems almost certain that the actual source code of ISC products, including BIND itself, was unaffected.

So, just as when ICANN was breached but the crooks couldn’t actually change any DNS zone files, the crooks don’t seem to have been able to fool around with any ISC product.