Security-as-a-service applications reroute domain-name system (DNS) requests through centralized servers or proxies so that threats can be detected and traffic sanitized before it reaches the client network.
The catch is, not only do security companies use proxies, but so do the bad guys.
The malware called DNSChanger, which authorities shut down in November, used such a strategy to reroute victims to custom advertisements and malicious installers. When the program compromised a system, it would replace the list of valid DNS servers with entries that pointed to servers controlled by the criminal operators, allowing the botnet owners to reroute victims’ Internet requests to any site.
While DNSChanger itself did little direct damage, even with victims' Internet traffic under the control of criminals, compromised systems quickly became laden with secondary infections.
“DNS Changer is annoying for enterprises, but the scary part for corporate IT people is that any compromised machine is probably owned by a bunch of other malware,” said Lars Harvey, chief executive of security firm Internet Identity.
Just last week, the U.S. Department of Justice received the court's permission to keep running, for another 120 days, the replacement DNS servers that took over the addresses seized during the takedown of the DNSChanger malware network. During the takedown four months ago, known as Operation Ghost Click, U.S. law enforcement worked with the private sector to keep those servers answering queries so that the 4 million Internet users affected by DNSChanger could still use the Internet's DNS infrastructure.
In the past four months, clean-up has progressed, albeit slowly, with the number of infected systems declining to fewer than 400,000, according to the DNSChanger Working Group.
And in the past month, government agencies and the Fortune 500 stepped up their efforts to eradicate the malicious software. In January, half of all Fortune 500 companies and 27 out of 55 major government entities had at least one computer or router infected with DNSChanger, according to Internet Identity. Now only three government agencies and fewer than 100 companies in the Fortune 500 are showing signs of infection, Harvey said.
While DNSChanger was successful, the technique of using the DNS infrastructure to intercept and modify Web traffic is fairly easy to investigate and shut down because of the public nature and interconnectedness of the domain-name system, said Wolfgang Kandek, chief technical officer of vulnerability-management firm Qualys.
“All these proxies have a weakness for the bad guys in the way that things are logged,” Kandek said. “However, with more technical fire power you could build your own system” that could better evade investigators.
Future DNS-hijacking attacks, for example, could be targeted narrowly enough not to draw the attention that 4 million infected computers connecting to malicious servers did. Or if the attackers routed traffic through an anonymizing network to obscure its origin, an investigation could be slowed down considerably, Kandek said.
Yet another problem highlighted by DNSChanger is that clean-up is difficult. The Internet Systems Consortium (ISC) is currently managing DNS servers at the addresses formerly used by DNSChanger. Infected computers send DNS requests to those servers rather than to the malicious hubs taken down by law enforcement, which is also why the address of every remaining victim is known. Even knowing the Internet address of every victim, however, authorities have had a hard time getting the infections mitigated. Thus, the government asked the court to extend the deadline for shutting down the ISC's management of the DNS servers by another 120 days.
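The two facts above, that DNSChanger works by swapping a host's configured resolvers for addresses in attacker-controlled ranges, and that a still-infected host keeps sending queries to those same addresses after the takeover, translate directly into a host-side and a network-side check. The following is an added example written for this page, not code from the article, the DNSChanger Working Group or ISC. The six address ranges are the rogue-resolver ranges the FBI published for DNSChanger; the resolv.conf snippet and the flow-record lines are constructed sample input, and the `src dst proto dport` record format is an assumption chosen for the example.

```python
import ipaddress
from typing import Iterable, List, Set

# Rogue resolver ranges published by the FBI for DNSChanger (Operation Ghost Click),
# given as first/last address pairs exactly as they were published.
DNSCHANGER_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]

# Convert the inclusive ranges into CIDR networks once, so membership tests are cheap.
ROGUE_NETWORKS = [
    net
    for first, last in DNSCHANGER_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    )
]


def is_rogue_resolver(ip: str) -> bool:
    """True if ip falls inside one of the published DNSChanger ranges."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except ipaddress.AddressValueError:
        return False  # hostnames or IPv6 entries are not in scope for this check
    return any(addr in net for net in ROGUE_NETWORKS)


def resolvers_from_resolv_conf(text: str) -> List[str]:
    """Extract nameserver addresses from resolv.conf-style text, ignoring comments."""
    resolvers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            resolvers.append(parts[1])
    return resolvers


def check_resolv_conf(text: str) -> List[str]:
    """Host-side check: return any configured resolver that is a known rogue address."""
    return [r for r in resolvers_from_resolv_conf(text) if is_rogue_resolver(r)]


def flag_dns_clients(flow_lines: Iterable[str]) -> Set[str]:
    """Network-side check over flow records 'src dst proto dport' (assumed format).

    Returns the source addresses that send DNS (port 53) traffic to the rogue ranges.
    Because the replacement servers now sit at those addresses, any such client is
    still infected, whatever its operating system or router configuration.
    """
    infected = set()
    for line in flow_lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed record; skip rather than guess
        src, dst, proto, dport = parts
        if proto.lower() in ("udp", "tcp") and dport == "53" and is_rogue_resolver(dst):
            infected.add(src)
    return infected


# Constructed sample input, not real data.
SAMPLE_RESOLV_CONF = """# constructed resolv.conf for the example
nameserver 85.255.112.36   # inside a DNSChanger range
nameserver 8.8.8.8
"""

SAMPLE_FLOWS = [
    "10.0.0.5 85.255.113.10 udp 53",   # DNS to a rogue range: infected
    "10.0.0.7 8.8.8.8 udp 53",         # DNS to a legitimate resolver
    "10.0.0.9 93.188.161.2 tcp 53",    # DNS over TCP to a rogue range: infected
    "10.0.0.11 93.188.161.2 tcp 443",  # not DNS; not flagged by this rule
    "garbage line",                    # malformed record; ignored
]

if __name__ == "__main__":
    print("rogue resolvers configured:", check_resolv_conf(SAMPLE_RESOLV_CONF))
    print("hosts still querying rogue ranges:", sorted(flag_dns_clients(SAMPLE_FLOWS)))
```

The flow check is the one that scales to the enterprise counts quoted above: it needs only egress flow or firewall logs, not access to each endpoint, and it catches infected home routers as well as PCs. Its limitation is the converse of Kandek's point: it is only this easy because the rogue addresses are public and fixed; an attacker who rotated resolvers or tunnelled queries through an anonymizing network would defeat a static range match.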