Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

3/13/2012
06:07 PM
50%
50%

Malicious Proxies May Become Standard Fare

DNSChanger shows that funneling infected network traffic to central servers can enable massive fraud, but the technique has significant weaknesses, as well

A slew of security-as-a-service applications -- from Postini to OpenDNS to Zscaler -- reroute domain-name system (DNS) requests through centralized servers or proxies to detect security threats and sanitize traffic before they reach the client network.

Yet proxies are not just used by security companies, but by criminals as well. DNSChanger, which authorities shut down in November, used such a strategy to reroute victims to custom advertisements and malicious installers. When the program compromised a system, it would replace the list of valid DNS servers with entries that pointed to servers controlled by the criminal operators, allowing the botnet owners to reroute victims' Internet requests to any site.

While DNSChanger itself did little damage with Internet traffic under the control of malicious actors, compromised systems quickly became laden with secondary infections.

"DNS Changer is annoying for enterprises, but the scary part for corporate IT people is that any compromised machine is probably owned by a bunch of other malware," says Lars Harvey, CEO of security firm Internet Identity.

Last week, the U.S. Department of Justice announced that it had received the court's permission to continue to maintain the proxies seized during the takedown of the DNSChanger malware network for another 120 days. During the takedown, known as Operation Ghost Click, four months ago U.S. law enforcement worked with the private sector to keep the proxies alive so that the approximately 4 million Internet user affected by DNSChanger could still use the Internet's DNS infrastructure.

In the past four months, clean-up has progressed, albeit slowly, with the number of infected systems declining to less than an estimated 400,000 systems, according to data from the DNSChanger Working Group.

And in the past month, government agencies and the Fortune 500 have stepped up their efforts to eradicate the malicious software. In January, about half of all Fortune 500 companies and 27 out of 55 major government entities had at least one computer or router that was infected with DNSChanger, according to Internet Identity. Now only three government agencies and less than 100 companies in the Fortune 500 are showing signs of infection, Harvey says.

Yet while DNSChanger was successful, the technique of using the DNS infrastructure to intercept and modify Web traffic is fairly easy to investigate and shut down because of the public nature and interconnectedness of the domain-name system, says Wolfgang Kandek, chief technical officer of vulnerability-management firm Qualys.

"All these proxies have a weakness for the bad guys in the way that things are logged," Kandek says. "However, with more technical fire power you could build your own system" that could better evade investigators.

DNS proxies, for example, could be used for more targeted attacks that might not draw as much attention as 4 million infected computers connecting to malicious servers. Or if future attacks used an anonymizing network, such as Tor, to obfuscate traffic, it could slow down an investigation, Kandek says.

Yet another problem highlighted by DNSChanger is that clean-up is difficult. The Internet Software Consortium is currently managing DNS servers at the addresses formerly used by DNSChanger. Infected computers send DNS requests to those servers rather than the malicious hubs taken down by law enforcement. Even with knowing the Internet address of every victim, however, authorities have had a hard time getting the infections mitigated. Thus, the court requested to extend the deadline for shutting down the ISC's management of the DNS servers by another 120 days.

While government agencies and the largest companies seem to have their DNSChanger infections under control, many other companies may still have infections. In addition, getting consumers' computers cleaned means working through Internet service providers, which have little incentive to help, says Kevin Houle, director of threat intelligence for Dell SecureWorks.  

"It is tremendously expensive for ISPs to reach out to their customers for any issue," he says. "The challenge becomes, does the person receiving the information have the interest or the wherewithal to do something about it?"

The U.S. could look to other countries for examples of how to better help less tech-savvy computer owners. Recently, Microsoft recognized Finland as one nation that had one of the lowest sustained rates of malware infection. One reason, the company says, is because the Internet service providers in the country work to identify and notify customer computers infected with malicious software.

To help smaller companies and consumers deal with pernicious malware infections, other Internet service providers will have to follow suit.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
msrivastava222
50%
50%
msrivastava222,
User Rank: Apprentice
3/14/2012 | 4:17:17 PM
re: Malicious Proxies May Become Standard Fare
Wouldn't it be just easier to shutdown the DNS proxy?
Once the infected machines can no longer get to the internet the owners will try to figure out what's wrong and get the DNS settings fixed.
If that's too draconian then just redirect them to a web page giving instructions (with step by step page shots) on how to fix the problem.
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
How Security Vendors Can Address the Cybersecurity Talent Shortage
Rob Rashotte, VP of Global Training and Technical Field Enablement at Fortinet,  5/24/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-7068
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7069
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have a type confusion vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7070
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7071
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
CVE-2019-7072
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .