Stopping DNSChanger Trojans

We need to be conscious of the decisions we make that balance better security against our freedom.  We all accept the increasing physical security measures implemented at public buildings, monuments, and, obviously, airports.  Some of us are more reluctant than others to accept these measures.

We also need to be acutely aware of this same balance in the networked/virtual world.  Unfortunately, the facts are often obscured by techno-jargon or complex protocols.  It is important that we try to cut through the jargon.

The security of our DNS infrastructure is an example.  DNS is like the GPS of the Internet.  If you are trying to get someplace and DNS lies about where to go, you may end up in a bad neighborhood.  For example, you may be pointed to a phishing web site that is made to look like your bank so that it can steal your user ID and password.

The FBI recently brought the existence of DNSChanger malware to public attention.  The group behind it operated for a number of years, propagating numerous versions of the DNSChanger Trojan through a variety of malware payloads.

In this case, the criminals’ objective was to inject fraudulent advertising into web sites.  This is fortunate for the end users, since the criminals are not known to have been directing users to phishing sites and stealing user identity information.  It was not so good for advertisers, who likely lost millions in revenue, as suggested by the more than $14M in assets seized in the raid.  The consequences of this DNSChanger Trojan could have been worse.

And in the wake of the FBI takedown, numerous organizations are struggling with the process of making victims aware of their latent infections, so that the temporary replacement DNS servers (stood up so that infected machines would keep resolving names after the rogue servers were seized) can be turned off.

The FBI’s Operation Ghost Click may have neutralized the most prolific DNSChanger malware so far, but the underlying vulnerabilities still exist and there are still other similar Trojans in the wild.

How Do We Prevent DNSChanger Trojans from Working?

The DNSChanger Trojan changed the computer’s resolver settings so that it used DNS servers operated by the criminals, and those DNS servers would occasionally provide intentionally misleading responses (directions).  This allowed the criminals to direct users to bad neighborhoods where they could be robbed.  So how do we prevent this from happening?

Of course, appropriate protections should be taken on the computer itself.  This includes keeping the operating system and applications up to date, using quality security software, and practicing safe computing habits.  But it is well known that this isn’t enough.  We cannot rely solely on the computer to protect itself.  Defense in depth is the best strategy to defend against security threats for the foreseeable future.

One way would be to take steps in the network to ensure users are not inadvertently pointed to rogue DNS servers on the Internet.  Users could be restricted to accessing known good DNS servers, for example by allowing outbound DNS traffic (TCP and UDP port 53) only to the organization’s approved resolvers.  This is (or at least should be) a common practice in enterprise networks where firewalls are in place.

DHS knows this well and facilitates it through the Trusted Internet Connection (TIC) initiative.  However, implementing this restriction across the Internet would be considered by some to be in conflict with the principles of Net Neutrality, and it is not the practice today.  DNS is perhaps a good test case, since controlling which DNS services are reachable would not restrict access to any content on the Internet.

I am not suggesting one way over another.  The objective here is simply to raise some awareness that we are making (perhaps unconscious) choices between the potential freedom of going outside our ISP for DNS services and the security of knowing our DNS services are honest.

Incidentally, if you believe DNSSEC can help protect against a threat such as DNSChanger, consider this:

Even if all of the ISPs on the Internet implement DNSSEC validation, this does nothing if the attackers point users away from valid DNS servers and implement their own DNS servers that operate under the criminals’ rules.  A typical computer’s stub resolver does not validate signatures itself; it simply trusts the recursive resolver it is configured to use, and a criminal-controlled resolver can claim that any answer it likes was validated.  The attackers/criminals will pass whatever lies are convenient to their objective.
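To make the point concrete, here is an added example (not code from the original article or from AT&T) showing why ISP-side DNSSEC validation cannot protect a computer whose resolver setting has been changed.  It builds two constructed DNS responses for a hypothetical name, bank.example: one from an honest validating resolver and one from a rogue resolver that forges the address (both addresses are RFC 5737 documentation addresses).  The "authenticated data" (AD) flag in the response header is set by whichever resolver answered, so a stub resolver that relies on it accepts the forged answer exactly as readily as the honest one.

```python
import struct
from typing import List, Tuple

# DNS header flag bits (RFC 1035 / RFC 4035).
FLAG_QR = 0x8000  # response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # "authenticated data": set by the *resolver* after it validated DNSSEC


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels, without compression."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_a_response(qname: str, ip: str, ad: bool, txid: int = 0x1234) -> bytes:
    """Build a minimal A-record response as a recursive resolver would send it.
    The resolver alone decides whether AD is set; nothing in the wire format proves it."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    rdata = bytes(int(octet) for octet in ip.split("."))
    # 0xC00C is a compression pointer back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answer


def decode_name(data: bytes, offset: int) -> Tuple[str, int]:
    """Decode a name at offset, following compression pointers; return (name, next offset)."""
    labels: List[str] = []
    end = -1
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: remember where we left off
            if end < 0:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end >= 0 else offset)


def parse_a_response(data: bytes) -> dict:
    """Return the transaction id, the AD flag and the A records of a response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qdcount):
        _, off = decode_name(data, off)
        off += 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        name, off = decode_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata)))
    return {"id": txid, "ad": bool(flags & FLAG_AD), "answers": answers}


def stub_resolve(data: bytes):
    """A non-validating stub: accepts any answer whose AD bit the resolver set,
    which is how OS stub resolvers typically behave. Returns None if AD is clear."""
    parsed = parse_a_response(data)
    return parsed["answers"] if parsed["ad"] else None


if __name__ == "__main__":
    # Constructed traffic: the honest resolver and the rogue one both claim "validated".
    honest = build_a_response("bank.example", "192.0.2.10", ad=True)
    rogue = build_a_response("bank.example", "203.0.113.66", ad=True)
    print("honest resolver:", stub_resolve(honest))
    print("rogue resolver: ", stub_resolve(rogue))  # accepted just the same
```

The only defense at this layer is for the computer to validate DNSSEC signatures itself against the root trust anchor rather than trusting a flag, and, as the next paragraph notes, malware that already controls the computer can disable that too.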

It is common practice for malware to modify various settings on the computer.  This includes blocking antivirus checks, blocking software updates, installing key loggers, and modifying the “hosts” file so that chosen names resolve to addresses the attacker picks before DNS is ever consulted.  As long as the computer is compromised, nothing can assure that local DNSSEC validation will not also be subverted, since the same malware can disable the validator or replace its trust anchors.
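The following is an added example, not code from the original article or from AT&T, of the host-side checks a practitioner would run against the two tampering techniques discussed above: the resolver setting being pointed at a server outside the organization’s approved list (the restriction to known good DNS servers described earlier) and hosts-file entries that pin update or antivirus names to loopback or redirect a login site.  The approved resolver addresses, the sensitive names (update.example, av.example, bank.example) and the sample resolv.conf and hosts contents are all constructed for the example and use RFC 5737 documentation addresses.

```python
import ipaddress
from typing import List, Tuple

# Assumed enterprise resolvers (RFC 5737 documentation addresses, not real servers).
APPROVED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Hypothetical names whose local override would matter: the organization's update
# and security services, plus a site users sign in to.
SENSITIVE_NAMES = {"update.example", "av.example", "bank.example"}

# Loopback entries every hosts file legitimately carries.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}


def parse_resolv_conf(text: str) -> List[str]:
    """Return the nameserver addresses from resolv.conf text, comments stripped."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def rogue_resolvers(servers: List[str], approved=APPROVED_RESOLVERS) -> List[str]:
    """Resolvers the host is using that are not on the approved list."""
    return [s for s in servers if s not in approved]


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, name) pairs from hosts-file text, one pair per alias."""
    entries = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2:
            entries.extend((parts[0], name.lower()) for name in parts[1:])
    return entries


def suspicious_hosts_entries(entries, sensitive=SENSITIVE_NAMES) -> List[Tuple[str, str, str]]:
    """Flag hosts-file entries that pin sensitive names to loopback or redirect them."""
    findings = []
    for addr, name in entries:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((name, addr, "unparseable address"))
            continue
        if ip.is_loopback and name in LOOPBACK_NAMES:
            continue  # the normal loopback lines
        if name in sensitive and ip.is_loopback:
            findings.append((name, addr, "pinned to loopback: update/AV check blocked"))
        elif name in sensitive:
            findings.append((name, addr, "redirected to a static address"))
        elif not ip.is_loopback:
            findings.append((name, addr, "unexpected static mapping, review"))
    return findings


# Constructed sample files, not captured from a real machine.
SAMPLE_RESOLV_CONF = """\
# resolv.conf (constructed sample)
search corp.example
nameserver 192.0.2.53
nameserver 203.0.113.7    # silently added: not an approved resolver
"""

SAMPLE_HOSTS = """\
127.0.0.1    localhost
::1          ip6-localhost ip6-loopback
127.0.0.1    update.example av.example
203.0.113.66 bank.example
"""


def audit(resolv_conf: str, hosts: str) -> dict:
    """Run both checks over the given file contents and return the findings."""
    return {
        "rogue_resolvers": rogue_resolvers(parse_resolv_conf(resolv_conf)),
        "hosts_findings": suspicious_hosts_entries(parse_hosts(hosts)),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_RESOLV_CONF, SAMPLE_HOSTS).items():
        print(key, value)
```

On a real Unix host the inputs are /etc/resolv.conf and /etc/hosts; on Windows the equivalents are the adapter DNS settings shown by ipconfig /all and %SystemRoot%\System32\drivers\etc\hosts.  The same approved-resolver list is what the network-side control enforces when the firewall permits port 53 only to those addresses, which is why the host check and the egress rule belong together.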

Do you think we are paying enough attention to the choices we make between security and freedom on the Internet?
What other choices like this are we overlooking?
Do you have some of your own security concerns with DNS security?
We look forward to your comments.
Brian Rexroad, Executive Director of Threat Analytics, AT&T