March 11, 2005
Dust.Page.US Spyware Worm spreads, but You Can Block It

A new worm is afoot, tentatively called the dust.page.us worm because it downloads and installs spyware on victim computers from the site of the same name. Blocking traffic to the dust.page.us site appears to stop the virus from successfully infecting new systems. The IP addresses associated with this name are subject to change, however, so some cleverness is required to block access to it.
At this writing, lookup of the dust.page.us domain name yields the following IP addresses:
nslookup dust.page.us
Name: dust.page.us
Address: 24.45.69.153
Address: 69.56.179.10
Address: 130.74.201.43
Address: 158.65.196.156
You could just block these addresses in your router or firewall, but the worm author can easily change or add to the list by simply updating the DNS entry for dust.page.us. A quick fix is to intercept DNS lookups for the name and return a bogus private IP address, such as 192.168.255.254. The exact procedure for doing this varies by DNS server, but it's not complex. Simply create a zone file for the fully qualified name and give it a single A record with the bogus IP address.
If you use a DNS server supplied by your ISP, you might want to notify them of this problem and suggest they incorporate the block in their DNS. By doing so they'll greatly reduce the spread of the worm.
As an adjunct to this technique, you should log all references to this domain name and IP address; any computer on your network looking it up or probing the address is likely infected with the worm. Virtually all firewalls support blocking and logging by IP address, and many support domain name blocking as well.
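One concrete way to do both the sinkhole and the logging described above, as an added example for BIND 9 rather than anything from the original post: the zone file path, log path and the localhost nameserver/hostmaster names are assumptions, and the wildcard record goes beyond the single A record the post describes so that hostnames under dust.page.us are caught too.

```conf
// --- named.conf fragment (added example; BIND 9 syntax) ---
// Make this server authoritative for the worm's download host so every
// lookup from the LAN gets the bogus private address instead of whatever
// the worm author currently points the real DNS entry at.
zone "dust.page.us" IN {
    type master;
    file "/etc/bind/zones/db.dust.page.us";   // path is an assumption
};

// Log every query so the hosts that look up the name can be identified;
// any internal machine appearing here is a likely infection.
logging {
    channel sinkhole_queries {
        file "/var/log/named/queries.log" versions 5 size 20m;  // path assumed
        print-time yes;
        print-category yes;
    };
    category queries { sinkhole_queries; };
};

; --- /etc/bind/zones/db.dust.page.us (added example) ---
; Short TTL so clients do not keep caching the sinkhole answer for long
; once the block is lifted. localhost. is a placeholder for the NS/contact.
$TTL 300
@       IN  SOA localhost. hostmaster.localhost. (
                2005031101  ; serial (YYYYMMDDnn)
                3600        ; refresh
                900         ; retry
                604800      ; expire
                300 )       ; negative-cache TTL
        IN  NS  localhost.
; The single A record the post describes: a bogus RFC 1918 address.
@       IN  A   192.168.255.254
; Beyond the post: also answer for any hostname under dust.page.us.
*       IN  A   192.168.255.254
```

After reloading named, an inside host that appears in queries.log asking for dust.page.us, or that is seen on the firewall trying to reach 192.168.255.254, is the detection signal the post refers to.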
Hopefully the operators of the page.us domain will shut down the site soon.
Posted by Mel Beckman at March 11, 2005 11:06 AM