Given that DNS Changer, 5-year-old malware designed to redirect traffic from infected users, still infects an estimated 58 of the Fortune 500 and at least 2 government agencies, it is safe to say that IT and IS staff cannot entrust users with overseeing the security of their corporate or government-issued devices. This is no fault of the users: while the warnings have been loud and clear, and detection and cleanup tools are available, most employees are not paid to spend their day ensuring that their computer is free of malware.
Unfortunately, for threats like DNS Changer, the detection and cleanup tools require physical access to each machine in order to address the problem. In any enterprise spanning multiple locations, or with remote employees, this poses a real challenge for the information security team.
Fortunately, there are tools and just enough publicly available information to overcome this challenge. The DNS Changer malware modifies a device's DNS settings to point the computer at fraudulent DNS servers. The FBI has been kind enough to publish the ranges of fraudulent IP addresses that are injected into the DNS tables of infected computers:
- 85.255.112.0 through 85.255.127.255
- 67.210.0.0 through 67.210.15.255
- 93.188.160.0 through 93.188.167.255
- 77.67.83.0 through 77.67.83.255
- 213.109.64.0 through 213.109.79.255
- 64.28.176.0 through 64.28.191.255
This information, coupled with cyber response technology like EnCase Cybersecurity, allows information security teams to rapidly audit the DNS tables on devices across the enterprise and expose any device containing a reference to a fraudulent DNS entry. The result is a rapid, definitive picture of which devices are infected with the DNS Changer malware, at which point the information security team can take the proper steps to remediate it.
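The same audit can be scripted for a single host. The following is an added example, not code from the original post or from EnCase: it takes the six FBI-published ranges above, expands them into CIDR blocks, pulls the configured DNS servers out of `ipconfig /all` output (the sample excerpt is constructed, and the assumption that every labelled field contains the ". :" padding is what separates continuation lines from new fields), and flags any resolver that falls inside a rogue range.

```python
import ipaddress
import re

# Rogue resolver ranges published by the FBI for DNSChanger (the six ranges listed above).
ROGUE_RANGES = [
    ("85.255.112.0", "85.255.127.255"), ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"), ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"), ("64.28.176.0", "64.28.191.255"),
]
# Expand each start/end pair into CIDR blocks so membership checks are cheap.
ROGUE_NETWORKS = [
    net for start, end in ROGUE_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(start), ipaddress.IPv4Address(end))
]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Assumption: `ipconfig /all` labels fields as "Name . . . : value"; extra servers sit on unlabelled lines.
FIELD_LABEL_RE = re.compile(r"\. :")

def is_rogue_dns(ip: str) -> bool:
    """True if the address falls inside a known DNSChanger resolver range."""
    return any(ipaddress.IPv4Address(ip) in net for net in ROGUE_NETWORKS)

def dns_servers_from_ipconfig(text: str) -> list:
    """Collect every IPv4 DNS server from `ipconfig /all` output, continuation lines included."""
    servers, collecting = [], False
    for line in text.splitlines():
        if "DNS Servers" in line:
            collecting = True
        elif FIELD_LABEL_RE.search(line):
            collecting = False          # the next labelled field ends the server list
        if collecting:
            servers.extend(IPV4_RE.findall(line))
    return servers

def audit_host(text: str) -> dict:
    """Map each configured DNS server to whether it is a known rogue resolver."""
    return {ip: is_rogue_dns(ip) for ip in dns_servers_from_ipconfig(text)}

# Constructed sample `ipconfig /all` excerpt from a host pointed at a rogue resolver.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   DNS Servers . . . . . . . . . . . : 85.255.112.36
                                       10.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for ip, rogue in audit_host(SAMPLE_IPCONFIG).items():
        print(f"{ip:16} {'ROGUE (DNSChanger range)' if rogue else 'ok'}")
```

Running the script on the sample reports 85.255.112.36 as rogue and 10.0.0.1 as clean; feed it real `ipconfig /all` output collected from endpoints to triage hosts before a full forensic audit.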
[Figure: a view of a device DNS table as seen by EnCase, with the IP addresses associated with various DNS entries called out. An audit of these tables network-wide with EnCase Cybersecurity can be used to expose the effects of DNS Changer via known fraudulent DNS table entries.]
While modern threats such as DNS Changer have learned to evade traditional signature-based defenses, they still leave traces of their effect somewhere on the target device, whether on the hard disk or in memory. Forensic response technologies like EnCase Cybersecurity are designed to rapidly audit the enterprise for these artifacts, giving security teams a full and accurate understanding of the scope of any incident, along with the information needed for complete remediation of those threats.