DNS Changer malware highlights need for scalable forensic response

Anthony Di Bello

Given that DNS Changer, 5-year-old malware designed to redirect traffic from infected users, still infects an estimated 58 of the Fortune 500 and at least 2 government agencies, it's safe to say IT and information security staff cannot entrust users with overseeing the security of their corporate- or government-issued devices. The warnings have been loud and clear, and detection and cleanup tools are available, but this is no fault of the users: most employees aren't paid to spend their day ensuring that their computer is free of malware.

Unfortunately, for threats like DNS Changer the detection and cleanup tools require physical access to each affected machine, and in an enterprise spanning multiple locations, or with remote employees, this poses a challenge for the information security team.

Fortunately, there are tools and just enough publicly available information to overcome this challenge. As mentioned above, the DNS Changer malware modifies a device's DNS settings to point the computer at fraudulent DNS servers. The FBI has been kind enough to publish the ranges of fraudulent IP addresses that are being injected into the DNS tables of infected computers:

85.255.112.0 through 85.255.127.255
67.210.0.0 through 67.210.15.255
93.188.160.0 through 93.188.167.255
77.67.83.0 through 77.67.83.255
213.109.64.0 through 213.109.79.255
64.28.176.0 through 64.28.191.255
Source: http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf

This information, coupled with cyber response technology like EnCase Cybersecurity, allows information security teams to rapidly audit the DNS tables on devices across the enterprise and expose any device that references a fraudulent DNS entry, giving a rapid, definitive picture of which devices are infected with DNS Changer. From there, the information security team can take the proper steps to remediate the malware.
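The audit the post describes can be scripted against collected resolver configuration. The following is an added example, not part of the original post or of EnCase: it takes the six FBI-published ranges above and scans text collected from endpoints (a Unix resolv.conf, an ipconfig /all capture, or a registry export of the interface NameServer values) for any resolver address that falls inside them. The sample inputs are constructed for illustration.

```python
import ipaddress
import re

# Rogue resolver ranges the FBI published for DNS Changer (the six ranges
# listed in the post above).
ROGUE_DNS_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]
_RANGES = [(ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))
           for lo, hi in ROGUE_DNS_RANGES]
# Dotted quads not glued to other digits or dots (handles "a.b.c.d,e.f.g.h").
_IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def rogue_range_for(ip):
    """Return the (lo, hi) rogue range that contains ip, or None if clean."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except ipaddress.AddressValueError:
        return None  # matched the regex but is not a valid address
    for lo, hi in _RANGES:
        if lo <= addr <= hi:
            return (str(lo), str(hi))
    return None


def audit_resolver_config(text):
    """Scan resolver configuration text and return one (line_number, ip,
    (lo, hi)) tuple for every address that sits inside a rogue range."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        for ip in _IPV4.findall(line):
            r = rogue_range_for(ip)
            if r is not None:
                hits.append((n, ip, r))
    return hits


# Constructed sample inputs (not real captures): a resolv.conf whose first
# resolver is rogue, and a registry export line carrying two rogue resolvers.
SAMPLE_RESOLV_CONF = "nameserver 85.255.112.36\nnameserver 8.8.8.8\nsearch corp.example\n"
SAMPLE_REGISTRY = '"NameServer"="213.109.65.10,64.28.180.2"\n'
```

Running audit_resolver_config over each endpoint's collected configuration yields the list of hosts to remediate; an empty list for a host means none of its resolvers fall in the published ranges.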

A view of a device's DNS table as seen in EnCase, with the IP addresses associated with the various DNS entries called out. A network-wide audit of these tables with EnCase Cybersecurity can expose the effects of DNS Changer through its known fraudulent DNS table entries.


While modern threats such as DNS Changer have learned to evade traditional signature-based defenses, they still leave traces of their effect somewhere on the target device, whether on disk or in memory. Forensic response technologies like EnCase Cybersecurity are designed to rapidly audit the enterprise for these artifacts, giving security teams a full and accurate understanding of the scope of an incident, along with the information needed to remediate those threats completely.
