Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

3/13/2012
06:07 PM
50%
50%

Malicious Proxies May Become Standard Fare

DNSChanger shows that funneling infected network traffic to central servers can enable massive fraud, but the technique has significant weaknesses, as well

A slew of security-as-a-service applications -- from Postini to OpenDNS to Zscaler -- reroute domain-name system (DNS) requests through centralized servers or proxies to detect security threats and sanitize traffic before they reach the client network.

Yet proxies are not just used by security companies, but by criminals as well. DNSChanger, which authorities shut down in November, used such a strategy to reroute victims to custom advertisements and malicious installers. When the program compromised a system, it would replace the list of valid DNS servers with entries that pointed to servers controlled by the criminal operators, allowing the botnet owners to reroute victims' Internet requests to any site.

While DNSChanger itself did little damage with Internet traffic under the control of malicious actors, compromised systems quickly became laden with secondary infections.

"DNS Changer is annoying for enterprises, but the scary part for corporate IT people is that any compromised machine is probably owned by a bunch of other malware," says Lars Harvey, CEO of security firm Internet Identity.

Last week, the U.S. Department of Justice announced that it had received the court's permission to continue to maintain the proxies seized during the takedown of the DNSChanger malware network for another 120 days. During the takedown, known as Operation Ghost Click, four months ago U.S. law enforcement worked with the private sector to keep the proxies alive so that the approximately 4 million Internet user affected by DNSChanger could still use the Internet's DNS infrastructure.

In the past four months, clean-up has progressed, albeit slowly, with the number of infected systems declining to less than an estimated 400,000 systems, according to data from the DNSChanger Working Group.

And in the past month, government agencies and the Fortune 500 have stepped up their efforts to eradicate the malicious software. In January, about half of all Fortune 500 companies and 27 out of 55 major government entities had at least one computer or router that was infected with DNSChanger, according to Internet Identity. Now only three government agencies and less than 100 companies in the Fortune 500 are showing signs of infection, Harvey says.

Yet while DNSChanger was successful, the technique of using the DNS infrastructure to intercept and modify Web traffic is fairly easy to investigate and shut down because of the public nature and interconnectedness of the domain-name system, says Wolfgang Kandek, chief technical officer of vulnerability-management firm Qualys.

"All these proxies have a weakness for the bad guys in the way that things are logged," Kandek says. "However, with more technical fire power you could build your own system" that could better evade investigators.

DNS proxies, for example, could be used for more targeted attacks that might not draw as much attention as 4 million infected computers connecting to malicious servers. Or if future attacks used an anonymizing network, such as Tor, to obfuscate traffic, it could slow down an investigation, Kandek says.

Yet another problem highlighted by DNSChanger is that clean-up is difficult. The Internet Software Consortium is currently managing DNS servers at the addresses formerly used by DNSChanger. Infected computers send DNS requests to those servers rather than the malicious hubs taken down by law enforcement. Even with knowing the Internet address of every victim, however, authorities have had a hard time getting the infections mitigated. Thus, the court requested to extend the deadline for shutting down the ISC's management of the DNS servers by another 120 days.

While government agencies and the largest companies seem to have their DNSChanger infections under control, many other companies may still have infections. In addition, getting consumers' computers cleaned means working through Internet service providers, which have little incentive to help, says Kevin Houle, director of threat intelligence for Dell SecureWorks.  

"It is tremendously expensive for ISPs to reach out to their customers for any issue," he says. "The challenge becomes, does the person receiving the information have the interest or the wherewithal to do something about it?"

The U.S. could look to other countries for examples of how to better help less tech-savvy computer owners. Recently, Microsoft recognized Finland as one nation that had one of the lowest sustained rates of malware infection. One reason, the company says, is because the Internet service providers in the country work to identify and notify customer computers infected with malicious software.

To help smaller companies and consumers deal with pernicious malware infections, other Internet service providers will have to follow suit.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
msrivastava222
50%
50%
msrivastava222,
User Rank: Apprentice
3/14/2012 | 4:17:17 PM
re: Malicious Proxies May Become Standard Fare
Wouldn't it be just easier to shutdown the DNS proxy?
Once the infected machines can no longer get to the internet the owners will try to figure out what's wrong and get the DNS settings fixed.
If that's too draconian then just redirect them to a web page giving instructions (with step by step page shots) on how to fix the problem.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/28/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Can you smell me now?
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11844
PUBLISHED: 2020-05-29
There is an Incorrect Authorization vulnerability in Micro Focus Service Management Automation (SMA) product affecting version 2018.05 to 2020.02. The vulnerability could be exploited to provide unauthorized access to the Container Deployment Foundation.
CVE-2020-6937
PUBLISHED: 2020-05-29
A Denial of Service vulnerability in MuleSoft Mule CE/EE 3.8.x, 3.9.x, and 4.x released before April 7, 2020, could allow remote attackers to submit data which can lead to resource exhaustion.
CVE-2020-7648
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.72.2 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users who have access to Snyk's internal network by appending the URL with a fragment identifier and a whitelisted path e.g. `#package.json`
CVE-2020-7650
PUBLISHED: 2020-05-29
All versions of snyk-broker after 4.72.0 including and before 4.73.1 are vulnerable to Arbitrary File Read. It allows arbitrary file reads to users with access to Snyk's internal network of any files ending in the following extensions: yaml, yml or json.
CVE-2020-7654
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.73.1 are vulnerable to Information Exposure. It logs private keys if logging level is set to DEBUG.