By Fernando de la Cuadra, Panda Software
Monday, 7 March 2005 18:34 EST

Hackers appear to have an increasing interest in reaping financial reward from their actions and creations. If until now, phishing - using emails to lure users into entering data into spoofed online banking websites - was one of the most widespread fraud techniques, 'pharming' now poses an even greater threat.

Basically, pharming involves interfering with the name resolution process on the Internet. When a user enters an address (such as www.pandasoftware.com) this needs to be converted into a numeric IP address as 62.14.63.187. This is known as name resolution, and the task is performed by DNS (Domain Name System) servers. These servers store tables with the IP address of each domain name. On a smaller scale, in each computer connected to the Internet there is a file that stores a table with the names of servers and IP addresses so that it is not necessary to access the DNS servers for certain server names.

Pharming consists in the name resolution system modification, so that when a user thinks he or she is accessing to bank's web page, he or she is actually accessing the IP of a spoofed site.
Phishing owed its success to social engineering techniques, despite that not all users take the phishing bait, and so this success was limited. Also, each phishing attack was aimed at one specific type of banking service, further reducing the chances of success. Pharming on the other hand, can affect a far greater number of online banking users.

In addition, pharming isn't just a one-off attack, as is the case with phishing emails, but remains present on the computer waiting for the user to access the banking services.

The solution against this new kind of fraud lies, as ever, in antivirus security solutions. Pharming attacks depend on an application in the compromised system (this could be an exe file, a script, etc). But before this application can run, obviously it needs to reach the operating system. Code can enter the system through numerous channels, in fact, in as many ways as information can enter the system: el e-mail (the most frequent), Internet downloads, copied directly from CD or floppy, etc. In each of these information entry points, the antivirus has to detect the file with the malicious code and eliminate it, provided that is, it is registered as a dangerous application in the antivirus signature file.

Unfortunately, the propagation speed of malware today is head-spinning, and there more malicious creators and offering their source code to the rest of the hacker community to create new variants and propagate even more attacks. The virus laboratories don't have enough time to prepare the malware detection and elimination routines for new malicious code before they start spreading to a few PCs. Despite the efforts and improvements from virus labs, it is physically impossible for them to prepare an adequate solution in time against some of these threats that can spread in just a few minutes.