DNSChanger is a Wake-up Call for Enterprise and Government DNS Resolver Management

Cybercrime Never Sleeps—Enterprises and Government Entities Must Take Heed and Improve the Way They Operate Online.

You may have read my recent SecurityWeek column entitled, “The Day The Internet Will Break For Millions.” The story tackled the looming deadline for temporary domain name system (DNS) servers. The FBI and its industry partners have erected these servers as part of “Operation Ghost Click” to keep the Internet working for millions of computers and routers infected with DNSChanger malware. That March 8 deadline is fast approaching, and the consequences could be dismal not just for individuals but also for large organizations worldwide: suddenly, enterprises with routers and computers affected by DNSChanger could find their employees unable to access the Internet.

But this looming Internet blackout is only an example of a bigger issue. In this second of my two-part series on the large footprint of DNSChanger, I will tackle the impact of the malware and simple solutions to counter similar DNS attacks on enterprises and major government agencies.

DNSChanger Provides a Potential Window Into Proprietary Information

If an employee has DNSChanger on their computer, it means that particular enterprise is susceptible to having proprietary information stolen. That’s because DNSChanger disables Anti-Virus (A/V) applications and regular software updates, exposing victims to attacks from other virus families. This enables criminals to view any data, messages and more on a victim’s computer, depending on what the machines are infected with. This risk points directly to a major vulnerability that is inherent at most large companies and government entities—the inconsistency of how DNS resolution is administered.

DNS Resolution—More Control Is Needed

DNSChanger exemplifies the need for administrators of private networks, particularly enterprises and governments, to fully control the DNS resolution infrastructure and operations of their networks. While most infected machines have been discovered on residential IP space, we still see thousands of infections on government, enterprise, and other “should have known better” networks. Specifically, IID recently reported that about half of all Fortune 500 companies and major U.S. government agencies are infected with DNSChanger.

How is this possible? DNSChanger relies on one of the most basic architectural “blind spots” of the Internet when it comes to security—that any computer’s DNS resolution can be configured to use any responsive recursive DNS server on the Internet. While this is helpful for flexibility, redundancy, and convenience, it provides a trivially easy way for attackers to circumvent numerous security mechanisms, and literally control all user interaction with the Internet.

For example, with DNSChanger, DNS entries for popular search engine domains like google.com were changed to deliver bogus search results from rogue servers. It is also just as easy to redirect calls for product updates away from A/V vendors, and an easy step from there to redirecting domains for banks, e-mail servers, governments, or other highly sensitive domains to any place a criminal desires. Criminals can then harvest credentials, e-mails or other data at their leisure—all automated.

Where a DNS Firewall Fits In

I’ve already covered the importance of using a “DNS Firewall” to protect enterprise employees in a prior column for SecurityWeek. A DNS firewall is another way of saying a secure DNS resolver. It prevents enterprise employee and system connections to known malicious Internet locations, and can provide immediate feedback to enterprise security teams about potential compromises like botnets and advanced persistent threats on their networks. If you are using a DNS Firewall, your employees’ chances of being infected in the first place by DNSChanger become much slimmer, as the infection vectors used to get this kind of malware onto their computers are often thwarted altogether.

However, at some point, as with all defenses, you have to assume that the bad guys are going to get into your network and install something like DNSChanger on some of your machines. Making matters worse, many of your employees may already circumvent policy enforced at the DNS level by using external, unauthorized, and ultimately untrusted DNS resolvers, often unknowingly. Many of the “free” DNS resolver services available today let users surf “unfettered” but come at the cost of advertising or worse, tracking your enterprise’s every lookup of an external domain—a gold mine for gathering data on who you work with, sell to, are talking with, or perhaps even planning to partner with. I subscribe to the adage that if an Internet service is “free,” information about what YOU do is probably the product being sold to others.

A Simple Solution—Policy Enforcement

So how do you protect yourself from a rogue DNS resolver like DNSChanger or even just unauthorized, untrusted DNS resolvers that could be mining your organization’s data? There are actually some fairly simple policy enforcement mechanisms that can be put in place to restrict users on your network into using an authorized DNS resolver—hopefully one equipped with a DNS Firewall as well.

The easiest and most comprehensive method is to reroute all DNS traffic at your firewalls/gateways. This is as simple as redirecting all port 53 traffic (both UDP and TCP) to your own designated recursive DNS servers. If you’re not familiar with this technique, think about how hotels or network access points in airports often redirect your requests in order to make sure you have to log into their services to utilize the Internet—same concept. Thus a user or virus can attempt to use different DNS servers, but data packets involved in all DNS lookups get redirected to organizationally approved servers instead.

This has the added benefit of allowing you to log all DNS traffic at your resolver, so you can look for anomalies that may indicate an undetected infection or data exfiltration. You can also use such logging to spot the rare malware that uses DNS tunneling for communications.
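As an added example (not code from the column or from IID), here are two awk screens over a resolver query log that surface the tunneling pattern just mentioned: query names with labels too long to be ordinary hostnames, and one client asking for many distinct names under a single registered domain. The lines follow BIND's "query:" log layout; the log lines, client addresses and the exfil-example.net domain are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original column. Screens a BIND-style
# query log for two DNS-tunneling indicators. Sample log lines below are
# constructed; exfil-example.net is a placeholder domain.

SAMPLE_LOG='12-Mar-2012 10:00:01.100 client 10.0.0.5#51234: query: www.example.com IN A + (10.0.0.2)
12-Mar-2012 10:00:01.400 client 10.0.0.5#51235: query: mail.example.com IN MX + (10.0.0.2)
12-Mar-2012 10:00:02.000 client 10.0.0.5#51236: query: update.av-vendor.example IN A + (10.0.0.2)
12-Mar-2012 10:00:02.100 client 10.0.0.7#40001: query: aGVsbG8gd29ybGQgdGhpcyBpcyBleGZpbDE.t1.exfil-example.net IN TXT + (10.0.0.2)
12-Mar-2012 10:00:02.200 client 10.0.0.7#40002: query: bGVhcm4gc29tZXRoaW5nIG5ldyB0b2RheTI.t1.exfil-example.net IN TXT + (10.0.0.2)
12-Mar-2012 10:00:02.300 client 10.0.0.7#40003: query: ZG5zIHR1bm5lbGluZyBsb29rcyBsaWtlIHRoaXMz.t1.exfil-example.net IN TXT + (10.0.0.2)
12-Mar-2012 10:00:02.400 client 10.0.0.7#40004: query: c2VnbWVudCBmb3VyIG9mIHRoZSBwYXlsb2FkNA.t1.exfil-example.net IN TXT + (10.0.0.2)
12-Mar-2012 10:00:02.500 client 10.0.0.7#40005: query: ack.t1.exfil-example.net IN TXT + (10.0.0.2)
12-Mar-2012 10:00:03.000 client 10.0.0.5#51237: query: cdn.example.com IN A + (10.0.0.2)'

# Field layout of a BIND query log line:
#   $4 = client address with "#port:" suffix, $5 = "query:", $6 = qname, $8 = qtype

# Print "client qname" for every query whose longest label exceeds $1 chars
# (default 30). Encoded payloads tend to produce labels far longer than any
# hostname a person would type.
long_label_queries() {
  awk -v max="${1:-30}" '
    $5 == "query:" {
      n = split($6, lab, ".")
      for (i = 1; i <= n; i++) {
        if (length(lab[i]) > max) { sub(/#.*/, "", $4); print $4, $6; break }
      }
    }'
}

# Print "client base_domain unique_count" where one client has asked for at
# least $1 (default 4) distinct names under the same registered domain
# (approximated here as the last two labels). Tunnels need a fresh name per
# message, so the fan-out under one domain is unusually high.
subdomain_fanout() {
  awk -v min="${1:-4}" '
    $5 == "query:" {
      sub(/#.*/, "", $4)
      n = split($6, lab, ".")
      if (n < 3) next
      base = lab[n-1] "." lab[n]
      key = $4 " " base
      if (!((key, $6) in seen)) { seen[key, $6] = 1; count[key]++ }
    }
    END { for (k in count) if (count[k] >= min) print k, count[k] }'
}

# Run both screens over the constructed sample; in practice pipe your
# resolver's query log (or `tail -f` of it) into these functions instead.
printf '%s\n' "$SAMPLE_LOG" | long_label_queries 30
printf '%s\n' "$SAMPLE_LOG" | subdomain_fanout 4
```

Both thresholds are deliberately loose starting points; tune them against a few days of your own resolver logs so that content-delivery hostnames and legitimate TXT-heavy services do not dominate the output, then alert on what remains.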

If you have configuration management in place for your networked machines, then you can also set up rules to ensure that only your trusted resolvers are allowed in the basic system network configuration. This can be enforced for full virtual private network (VPN) access clients as well. Another good idea is to monitor the network for potential rogue traffic destined for port 53 that isn’t being rerouted properly. Typical DNS traffic is UDP based, and has some telltale characteristics, so even if some non-standard port is being used, monitoring or even deep-packet inspection techniques can be used to find the wayward DNS traffic that clever botnets (or employees) may be hiding from the network administrator.
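The three enforcement steps above (rerouting port 53 at the gateway, pinning resolvers through configuration management, and watching for DNS traffic that escaped the reroute) as one added shell example, which is not code from the column or from IID. It assumes a Linux gateway running iptables, a LAN interface named eth1 and an approved recursive resolver at 10.0.0.2; the resolv.conf contents and flow records are constructed, and the external addresses come from the reserved documentation ranges.

```shell
#!/bin/sh
# Added example, not part of the original column. Assumes a Linux gateway
# with iptables; interface, resolver address and all sample data are
# constructed placeholders.

# 1. Rerouting. Print the iptables commands that first log and then DNAT
#    every port 53 packet (UDP and TCP) arriving from the LAN to the approved
#    resolver. Packets from the resolver itself are exempt so its own upstream
#    queries are not looped back, and packets already addressed to it are left
#    alone. The LOG line records which internal hosts tried to reach some
#    other resolver. Apply with:  dns_redirect_rules 10.0.0.2 eth1 | sh
dns_redirect_rules() {
  resolver=$1; lan_if=$2
  for proto in udp tcp; do
    printf 'iptables -t nat -A PREROUTING -i %s ! -s %s ! -d %s -p %s --dport 53 -j LOG --log-prefix "DNS-REROUTE: "\n' \
      "$lan_if" "$resolver" "$resolver" "$proto"
    printf 'iptables -t nat -A PREROUTING -i %s ! -s %s ! -d %s -p %s --dport 53 -j DNAT --to-destination %s:53\n' \
      "$lan_if" "$resolver" "$resolver" "$proto" "$resolver"
    printf 'iptables -A FORWARD -i %s -d %s -p %s --dport 53 -j ACCEPT\n' \
      "$lan_if" "$resolver" "$proto"
  done
}

# 2. Configuration check. Read a resolv.conf on stdin and report every
#    nameserver that is not in the approved list given as arguments. Returns 1
#    when an unauthorized resolver is present, so it can serve as a compliance
#    check run by configuration management or a VPN client posture script.
check_resolvers() {
  allowed=" $* "; bad=0
  for ns in $(awk '$1 == "nameserver" { print $2 }'); do
    case "$allowed" in
      *" $ns "*) ;;
      *) echo "unauthorized resolver: $ns"; bad=1 ;;
    esac
  done
  return $bad
}

# 3. Monitoring. Read flow records "src dst proto dport" on stdin (the shape
#    a flow collector or conntrack export reduces to) and print port 53 flows
#    whose destination is not an approved resolver: DNS traffic that is not
#    being rerouted and deserves a look.
rogue_dns_flows() {
  awk -v allowed=" $* " '
    $4 == 53 && index(allowed, " " $2 " ") == 0 { print $1 " -> " $2 " " $3 "/" $4 }'
}

# Constructed sample inputs (198.51.100.0/24 and 203.0.113.0/24 are
# documentation ranges standing in for outside resolvers and servers).
SAMPLE_RESOLV_CONF='nameserver 10.0.0.2
nameserver 198.51.100.53'
SAMPLE_FLOWS='10.0.0.5 10.0.0.2 udp 53
10.0.0.7 198.51.100.53 udp 53
10.0.0.9 203.0.113.10 tcp 443
10.0.0.7 203.0.113.20 tcp 53'

# Demonstration run over the constructed inputs.
dns_redirect_rules 10.0.0.2 eth1
printf '%s\n' "$SAMPLE_RESOLV_CONF" | check_resolvers 10.0.0.2 10.0.0.3 || echo "resolv.conf is out of policy"
printf '%s\n' "$SAMPLE_FLOWS" | rogue_dns_flows 10.0.0.2
```

The flow check only sees traffic that still uses port 53; DNS hidden on a non-standard port, as the paragraph above notes, needs protocol-aware inspection rather than a port match, and the resolver-side query logging covers everything that was successfully rerouted.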

It is important to note that such techniques are probably not appropriate for Internet service providers or other “open access” providers, and really pertain to a closed network environment where security is essential, and users’ goals and interests are aligned with the organization’s security policies. ISPs attempting to reroute DNS traffic are likely to find that many users will come up with workarounds that would require expensive, intrusive and controversial deep packet inspection measures on the ISP’s part. Or, even worse, customers may drop their subscriptions with their ISP if they feel it is working against their interests. These techniques are for enterprises and government agencies—don’t try this at home!

The Game is Changing

As we’ve learned with DNSChanger and its infection of over four million computers and routers that are presumably packed with plenty of security tools, cybercriminals aren’t using simple techniques to wreak havoc. They are using complex methods to attack the Internet where it is most vulnerable: its core infrastructure. As evidence of this permanent battle, despite the suspects behind DNSChanger being behind bars, members of the security community have already spotted new malware similar to DNSChanger redirecting new victims to new networks of rogue DNS servers. These techniques work for cybercriminals, so they’re not going to stop anytime soon.

With repeated examples, the most recent being DNSChanger, of how cybercriminals can easily exploit cracks in the Internet’s foundation, it is clear that enterprises and government entities must take heed and improve the way they operate online. A proactive approach to stay a step ahead of the always-evolving “evildoers” must be taken.

Rod Rasmussen co-founded Internet Identity and serves as its lead technology development executive. He is widely recognized as a leading expert on the abuse of the domain name system. Rasmussen is co-chair of the Anti-Phishing Working Group’s Internet Policy Committee and serves as the APWG’s Industry Liaison, representing and speaking on behalf of the organization at events around the world and works closely with ICANN. He also is a member of the Online Trust Alliance’s (OTA) Steering Committee and an active member of the Digital PhishNet and is an active participant in the Messaging Anti-Abuse Working Group. Rasmussen earned an MBA from the Haas School of Business at UC-Berkeley and holds two bachelor’s degrees, in Economics and Computer Science, from the University of Rochester.