Jump to content

D N S Changer And Other Modern Malware Threats


Recommended Posts

Today's malware purveyor bears little resemblance to the outcast-teenage-loner caricature popular in days past. Last November the FBI's Operation Ghost Click led to the arrest of six Estonians charged with promulgating the DNSChanger malware, which the FBI claims allowed the gang to steal $14 million by manipulating the servers of online advertisers. Unfortunately, DNSChanger is estimated to have infected 100 million computers worldwide and 500,000 in the U.S., many of which haven't yet been disinfected.



Related stories

CNET blogger Topher Kessler describes in the MacFixIt blog how the Trojan horse works. Yes, Macs are as susceptible to DNSChanger as PCs are: it's an equal-opportunity infecter.


Shutting down the crooks' rogue DNS servers would have left people using infected PCs without an Internet connection, so the FBI arranged to legitimize the bad servers temporarily. The servers were initially set to go offline on March 6, but many systems haven't yet been disinfected.


Earlier this month, the deadline for pulling the plug on the servers was extended to July 9, as Topher explained in a March 7 MacFixIt post.


Dan Goodin explains in his Ars Technica blog how ISPs are responding to ensure their customers don't lose their Internet service. But ISPs can't do it alone--as the saying (sort of) goes, it takes a virtual village.


Putting malware promulgators out of business requires a concerted effort

The reality of modern computing is that security is every user's business. As much as we would like to make our ISPs and software vendors responsible for keeping our private information and bank accounts safe, there's no way to prevent computer crime from a distance without seriously hampering use of the machines.


Anyone who operates an Internet-connected computer must take these three precautions: use a firewall, scan for malware, and keep the machine's software up-to-date. (See the related-article links above for more information on each of these subjects.) When you follow these three steps, you protect much more than just your own computer--you help safeguard everyone else's as well because infected PCs are often used to spread viruses, spam, and other potentially damaging software.


Need more reasons to do your part? A bill introduced recently in the U.S. Senate would require the Department of Homeland Security to verify that "critical infrastructure" is protected against "cyber attacks," as CNET's Elinor Mills reported last month in her InSecurity Blog.


The Cybersecurity Act of 2012 is criticized by privacy advocates because it may allow private entities to snoop on communications, which a spokesperson for the Electronic Frontier Foundation quoted by Elinor in a subsequent InSecurity Complex post claims constitutes "warrantless wiretapping."


Conversely, Federal Communications Commission Chairman Julius Genachowski is promoting voluntary standards for ISPs working with government agencies and security experts to battle computer crime, as CNET's Marguerite Reardon explains in a post from last month on the Politics and Law blog.


It's easy to see why ISPs would favor the voluntary approach, but considering the fast pace of technological change and the snail's pace of government action, a non-regulatory approach to securing the Internet backbone may be in everyone's interest.


Can the Internet be switched off?

There are some people who claim the Internet's distributed architecture makes it unsinkable. You don't need the upcoming 100-year anniversary of the Titanic's demise in the North Atlantic to be reminded of the folly of indestructibility claims.


The vigilante group Anonymous is reportedly planning to shut down the Internet on March 31 to protest the Stop Online Privacy Act. Even without the proximity to April Fools' Day it's difficult to give such claims much credence.


But this kind of cyber-saber-rattling is worth considering from a preventive as well as an academic perspective. What would it take to collapse the Internet? Ars Technica's Sean Gallagher describes the DNS amplification technique that Anonymous is reportedly working on.


Gallagher's post links to a paper (PDF) presented at the 2006 DefCon security conference by Baylor University researcher Randal Vaughn and security consultant Gadi Evron that describes how DNS amplification was used in attacks on ISP networks as far back as 2002.


What you can do to help prevent online security breaches

The more we rely on the Internet, the greater the potential damage from cyber attacks. Just as law enforcement agencies depend on the cooperation of citizens and businesses to do their job, the organizations charged with securing the Internet need our help, too.


To determine whether your computer is infected with the DNSChanger Trojan horse, browse to DNSChanger Working Group's Cleanup page and select one of the links listed. If the test indicates your machine is infected, follow one of the links on the same page below the table to download a free program that removes the bug.


03_19_12_DNSChanger1_610x390.jpg The DNSChanger Working Group site provides links to servers that indicate whether your PC is infected, as well as to free programs that remove the infection if necessary.


(Credit: screenshot by Dennis O'Reilly/CNET) Alternatively, SecureMac offers the free, aptly named DNSChanger Removal Tool for the Mac. If you prefer the manual approach, the FBI provides step-by-step instructions (PDF) for determining whether a PC or Mac is using a compromised DNS server.


Instead of one attack on many machines, many attacks on one big target

There's one new security threat that individuals can't do much to prevent. Straight out of a spy novel, advanced persistent threats target a specific company, facility, or government agency with different types of attacks on the organization's internal network. Elinor Mills explains in a post earlier this month in her InSecurity Complex blog that even security firms such as RSA and Verisign have been victimized by such attacks.


Compounding the problem is the difficulty organizations have in detecting such persistent attacks. According to the security firm Mandiant's report entitled M-Trends 2012: An Evolving Threat, 94 percent of persistent-threat victims find out about the attacks from outside sources.


Even more startling, the median time between the first indication of a network being compromised and detection of the breach is 416 days, according to the report. Mandiant's research also indicates that the backdoor mechanisms persistent threats use are getting more sophisticated.


(Registration required on the Mandiant site to download a copy of the complete report.)


Originally posted at How To, By: Dennis O'Reilly



Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Create New...