Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

3/13/2012
06:07 PM
50%
50%

Malicious Proxies May Become Standard Fare

DNSChanger shows that funneling infected network traffic to central servers can enable massive fraud, but the technique has significant weaknesses, as well

A slew of security-as-a-service applications -- from Postini to OpenDNS to Zscaler -- reroute domain-name system (DNS) requests through centralized servers or proxies to detect security threats and sanitize traffic before they reach the client network.

Yet proxies are not just used by security companies, but by criminals as well. DNSChanger, which authorities shut down in November, used such a strategy to reroute victims to custom advertisements and malicious installers. When the program compromised a system, it would replace the list of valid DNS servers with entries that pointed to servers controlled by the criminal operators, allowing the botnet owners to reroute victims' Internet requests to any site.

While DNSChanger itself did little damage with Internet traffic under the control of malicious actors, compromised systems quickly became laden with secondary infections.

"DNS Changer is annoying for enterprises, but the scary part for corporate IT people is that any compromised machine is probably owned by a bunch of other malware," says Lars Harvey, CEO of security firm Internet Identity.

Last week, the U.S. Department of Justice announced that it had received the court's permission to continue to maintain the proxies seized during the takedown of the DNSChanger malware network for another 120 days. During the takedown, known as Operation Ghost Click, four months ago U.S. law enforcement worked with the private sector to keep the proxies alive so that the approximately 4 million Internet user affected by DNSChanger could still use the Internet's DNS infrastructure.

In the past four months, clean-up has progressed, albeit slowly, with the number of infected systems declining to less than an estimated 400,000 systems, according to data from the DNSChanger Working Group.

And in the past month, government agencies and the Fortune 500 have stepped up their efforts to eradicate the malicious software. In January, about half of all Fortune 500 companies and 27 out of 55 major government entities had at least one computer or router that was infected with DNSChanger, according to Internet Identity. Now only three government agencies and less than 100 companies in the Fortune 500 are showing signs of infection, Harvey says.

Yet while DNSChanger was successful, the technique of using the DNS infrastructure to intercept and modify Web traffic is fairly easy to investigate and shut down because of the public nature and interconnectedness of the domain-name system, says Wolfgang Kandek, chief technical officer of vulnerability-management firm Qualys.

"All these proxies have a weakness for the bad guys in the way that things are logged," Kandek says. "However, with more technical fire power you could build your own system" that could better evade investigators.

DNS proxies, for example, could be used for more targeted attacks that might not draw as much attention as 4 million infected computers connecting to malicious servers. Or if future attacks used an anonymizing network, such as Tor, to obfuscate traffic, it could slow down an investigation, Kandek says.

Yet another problem highlighted by DNSChanger is that clean-up is difficult. The Internet Software Consortium is currently managing DNS servers at the addresses formerly used by DNSChanger. Infected computers send DNS requests to those servers rather than the malicious hubs taken down by law enforcement. Even with knowing the Internet address of every victim, however, authorities have had a hard time getting the infections mitigated. Thus, the court requested to extend the deadline for shutting down the ISC's management of the DNS servers by another 120 days.

While government agencies and the largest companies seem to have their DNSChanger infections under control, many other companies may still have infections. In addition, getting consumers' computers cleaned means working through Internet service providers, which have little incentive to help, says Kevin Houle, director of threat intelligence for Dell SecureWorks.  

"It is tremendously expensive for ISPs to reach out to their customers for any issue," he says. "The challenge becomes, does the person receiving the information have the interest or the wherewithal to do something about it?"

The U.S. could look to other countries for examples of how to better help less tech-savvy computer owners. Recently, Microsoft recognized Finland as one nation that had one of the lowest sustained rates of malware infection. One reason, the company says, is because the Internet service providers in the country work to identify and notify customer computers infected with malicious software.

To help smaller companies and consumers deal with pernicious malware infections, other Internet service providers will have to follow suit.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
msrivastava222
50%
50%
msrivastava222,
User Rank: Apprentice
3/14/2012 | 4:17:17 PM
re: Malicious Proxies May Become Standard Fare
Wouldn't it be just easier to shutdown the DNS proxy?
Once the infected machines can no longer get to the internet the owners will try to figure out what's wrong and get the DNS settings fixed.
If that's too draconian then just redirect them to a web page giving instructions (with step by step page shots) on how to fix the problem.
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Virginia a Hot Spot For Cybersecurity Jobs
Jai Vijayan, Contributing Writer,  10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17612
PUBLISHED: 2019-10-15
An issue was discovered in 74CMS v5.2.8. There is a SQL Injection generated by the _list method in the Common/Controller/BackendController.class.php file via the index.php?m=Admin&c=Ad&a=category sort parameter.
CVE-2019-17613
PUBLISHED: 2019-10-15
qibosoft 7 allows remote code execution because do/jf.php makes eval calls. The attacker can use the Point Introduction Management feature to supply PHP code to be evaluated. Alternatively, the attacker can access admin/index.php?lfj=jfadmin&action=addjf via CSRF, as demonstrated by a payload in...
CVE-2019-17395
PUBLISHED: 2019-10-15
In the Rapid Gator application 0.7.1 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.
CVE-2019-17602
PUBLISHED: 2019-10-15
An issue was discovered in Zoho ManageEngine OpManager before 12.4 build 124089. The OPMDeviceDetailsServlet servlet is prone to SQL injection. Depending on the configuration, this vulnerability could be exploited unauthenticated or authenticated.
CVE-2019-17394
PUBLISHED: 2019-10-15
In the Seesaw Parent and Family application 6.2.5 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.