Vulnerabilities / Threats

3/13/2012
06:07 PM
50%
50%

Malicious Proxies May Become Standard Fare

DNSChanger shows that funneling infected network traffic to central servers can enable massive fraud, but the technique has significant weaknesses, as well

A slew of security-as-a-service applications -- from Postini to OpenDNS to Zscaler -- reroute domain-name system (DNS) requests through centralized servers or proxies to detect security threats and sanitize traffic before they reach the client network.

Yet proxies are not just used by security companies, but by criminals as well. DNSChanger, which authorities shut down in November, used such a strategy to reroute victims to custom advertisements and malicious installers. When the program compromised a system, it would replace the list of valid DNS servers with entries that pointed to servers controlled by the criminal operators, allowing the botnet owners to reroute victims' Internet requests to any site.

While DNSChanger itself did little damage with Internet traffic under the control of malicious actors, compromised systems quickly became laden with secondary infections.

"DNS Changer is annoying for enterprises, but the scary part for corporate IT people is that any compromised machine is probably owned by a bunch of other malware," says Lars Harvey, CEO of security firm Internet Identity.

Last week, the U.S. Department of Justice announced that it had received the court's permission to continue to maintain the proxies seized during the takedown of the DNSChanger malware network for another 120 days. During the takedown, known as Operation Ghost Click, four months ago U.S. law enforcement worked with the private sector to keep the proxies alive so that the approximately 4 million Internet user affected by DNSChanger could still use the Internet's DNS infrastructure.

In the past four months, clean-up has progressed, albeit slowly, with the number of infected systems declining to less than an estimated 400,000 systems, according to data from the DNSChanger Working Group.

And in the past month, government agencies and the Fortune 500 have stepped up their efforts to eradicate the malicious software. In January, about half of all Fortune 500 companies and 27 out of 55 major government entities had at least one computer or router that was infected with DNSChanger, according to Internet Identity. Now only three government agencies and less than 100 companies in the Fortune 500 are showing signs of infection, Harvey says.

Yet while DNSChanger was successful, the technique of using the DNS infrastructure to intercept and modify Web traffic is fairly easy to investigate and shut down because of the public nature and interconnectedness of the domain-name system, says Wolfgang Kandek, chief technical officer of vulnerability-management firm Qualys.

"All these proxies have a weakness for the bad guys in the way that things are logged," Kandek says. "However, with more technical fire power you could build your own system" that could better evade investigators.

DNS proxies, for example, could be used for more targeted attacks that might not draw as much attention as 4 million infected computers connecting to malicious servers. Or if future attacks used an anonymizing network, such as Tor, to obfuscate traffic, it could slow down an investigation, Kandek says.

Yet another problem highlighted by DNSChanger is that clean-up is difficult. The Internet Software Consortium is currently managing DNS servers at the addresses formerly used by DNSChanger. Infected computers send DNS requests to those servers rather than the malicious hubs taken down by law enforcement. Even with knowing the Internet address of every victim, however, authorities have had a hard time getting the infections mitigated. Thus, the court requested to extend the deadline for shutting down the ISC's management of the DNS servers by another 120 days.

While government agencies and the largest companies seem to have their DNSChanger infections under control, many other companies may still have infections. In addition, getting consumers' computers cleaned means working through Internet service providers, which have little incentive to help, says Kevin Houle, director of threat intelligence for Dell SecureWorks.  

"It is tremendously expensive for ISPs to reach out to their customers for any issue," he says. "The challenge becomes, does the person receiving the information have the interest or the wherewithal to do something about it?"

The U.S. could look to other countries for examples of how to better help less tech-savvy computer owners. Recently, Microsoft recognized Finland as one nation that had one of the lowest sustained rates of malware infection. One reason, the company says, is because the Internet service providers in the country work to identify and notify customer computers infected with malicious software.

To help smaller companies and consumers deal with pernicious malware infections, other Internet service providers will have to follow suit.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
msrivastava222
50%
50%
msrivastava222,
User Rank: Apprentice
3/14/2012 | 4:17:17 PM
re: Malicious Proxies May Become Standard Fare
Wouldn't it be just easier to shutdown the DNS proxy?
Once the infected machines can no longer get to the internet the owners will try to figure out what's wrong and get the DNS settings fixed.
If that's too draconian then just redirect them to a web page giving instructions (with step by step page shots) on how to fix the problem.
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-9978
PUBLISHED: 2019-03-24
The social-warfare plugin before 3.5.3 for WordPress has stored XSS via the wp-admin/admin-post.php?swp_debug=load_options swp_url parameter, as exploited in the wild in March 2019. This affects Social Warfare and Social Warfare Pro.
CVE-2019-9977
PUBLISHED: 2019-03-24
The renderer process in the entertainment system on Tesla Model 3 vehicles mishandles JIT compilation, which allows attackers to trigger firmware code execution, and display a crafted message to vehicle occupants.
CVE-2019-9962
PUBLISHED: 2019-03-24
XnView MP 0.93.1 on Windows allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file, related to VCRUNTIME140!memcpy.
CVE-2019-9963
PUBLISHED: 2019-03-24
XnView MP 0.93.1 on Windows allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file, related to ntdll!RtlFreeHeap.
CVE-2019-9964
PUBLISHED: 2019-03-24
XnView MP 0.93.1 on Windows allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file, related to ntdll!RtlpNtMakeTemporaryKey.