Network Associates hit with DoS attack

It seems that hackers take it personally when someone intrudes on their territory.

Two days after it released an advisory warning of several holes in a key piece of Internet software, Network Associates was the target of a DoS (denial of service) attack.

The attack degraded the performance of the company's Web site for about 90 minutes, company officials said, but the site never went completely offline.

"We saw the attack as soon as it started," said Jim Magdych, manager of COVERT Labs at PGP Security, the division of Network Associates that sent out the advisory. "Our IT people were able to restore full service within about an hour and a half."

The anti-virus and security vendor had issued a warning, identifying four vulnerabilities in the Berkeley Internet Name Domain (or BIND) software that runs most of the Internet's domain name servers. Two of the holes are buffer overflows; the other two have to do with the way error messages are coded.

Two days after the warning, someone using the e-mail address nobody@replay.com posted some sample code to the Bugtraq security mailing list that was supposedly an exploit that would take advantage of one of the BIND buffer overflows.

Instead, the code turned out to be a well-disguised trojan designed to launch a DoS attack against Network Associates' dns1.nai.com name server.

Payback time?
Some security experts have speculated that the attack was payback for Network Associates' role in closing a known hole in the DNS system.

"I think that the exploit code had been out there for a while and this was someone getting angry at [Network Associates] for helping to fix it," said Romain Agostini, director of product management at Entercept Security Technologies.

The introduction to the alleged exploit reads: "Implements TSIG buffer mismanagement overflow for incorrect signatures. That one was really nice bug! Thanks NAI for nice bug!"

At least one person on the Bugtraq list said he had compiled and run the code.

Network Associates officials said that the DoS attack on their site could also have been the result of numerous people compiling and running the code from the Bugtraq posting before they realized it was a trojan, and not from an organized DoS effort.

Either way, it had the desired effect.
