DNSChanger shows that funneling infected network traffic to central servers can enable massive fraud, but the technique has significant weaknesses, as well

Dark Reading Staff, Dark Reading

March 13, 2012

4 Min Read

A slew of security-as-a-service applications -- from Postini to OpenDNS to Zscaler -- reroute domain-name system (DNS) requests through centralized servers or proxies to detect security threats and sanitize traffic before they reach the client network.

Yet proxies are not just used by security companies, but by criminals as well. DNSChanger, which authorities shut down in November, used such a strategy to reroute victims to custom advertisements and malicious installers. When the program compromised a system, it would replace the list of valid DNS servers with entries that pointed to servers controlled by the criminal operators, allowing the botnet owners to reroute victims' Internet requests to any site.

While DNSChanger itself did little damage with Internet traffic under the control of malicious actors, compromised systems quickly became laden with secondary infections.

"DNS Changer is annoying for enterprises, but the scary part for corporate IT people is that any compromised machine is probably owned by a bunch of other malware," says Lars Harvey, CEO of security firm Internet Identity.

Last week, the U.S. Department of Justice announced that it had received the court's permission to continue to maintain the proxies seized during the takedown of the DNSChanger malware network for another 120 days. During the takedown, known as Operation Ghost Click, four months ago U.S. law enforcement worked with the private sector to keep the proxies alive so that the approximately 4 million Internet user affected by DNSChanger could still use the Internet's DNS infrastructure.

In the past four months, clean-up has progressed, albeit slowly, with the number of infected systems declining to less than an estimated 400,000 systems, according to data from the DNSChanger Working Group.

And in the past month, government agencies and the Fortune 500 have stepped up their efforts to eradicate the malicious software. In January, about half of all Fortune 500 companies and 27 out of 55 major government entities had at least one computer or router that was infected with DNSChanger, according to Internet Identity. Now only three government agencies and less than 100 companies in the Fortune 500 are showing signs of infection, Harvey says.

Yet while DNSChanger was successful, the technique of using the DNS infrastructure to intercept and modify Web traffic is fairly easy to investigate and shut down because of the public nature and interconnectedness of the domain-name system, says Wolfgang Kandek, chief technical officer of vulnerability-management firm Qualys.

"All these proxies have a weakness for the bad guys in the way that things are logged," Kandek says. "However, with more technical fire power you could build your own system" that could better evade investigators.

DNS proxies, for example, could be used for more targeted attacks that might not draw as much attention as 4 million infected computers connecting to malicious servers. Or if future attacks used an anonymizing network, such as Tor, to obfuscate traffic, it could slow down an investigation, Kandek says.

Yet another problem highlighted by DNSChanger is that clean-up is difficult. The Internet Software Consortium is currently managing DNS servers at the addresses formerly used by DNSChanger. Infected computers send DNS requests to those servers rather than the malicious hubs taken down by law enforcement. Even with knowing the Internet address of every victim, however, authorities have had a hard time getting the infections mitigated. Thus, the court requested to extend the deadline for shutting down the ISC's management of the DNS servers by another 120 days.

While government agencies and the largest companies seem to have their DNSChanger infections under control, many other companies may still have infections. In addition, getting consumers' computers cleaned means working through Internet service providers, which have little incentive to help, says Kevin Houle, director of threat intelligence for Dell SecureWorks.  

"It is tremendously expensive for ISPs to reach out to their customers for any issue," he says. "The challenge becomes, does the person receiving the information have the interest or the wherewithal to do something about it?"

The U.S. could look to other countries for examples of how to better help less tech-savvy computer owners. Recently, Microsoft recognized Finland as one nation that had one of the lowest sustained rates of malware infection. One reason, the company says, is because the Internet service providers in the country work to identify and notify customer computers infected with malicious software.

To help smaller companies and consumers deal with pernicious malware infections, other Internet service providers will have to follow suit.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights