Op-Ed: Domain Name Server Changer malware — Big mistake by hackers
Many people will have heard of the Domain Name Server Changer (DNSC) malware problem, which re-routes computer internet connections through rogue DNS servers. The irony is that this methodology could be a big game changer against malware.
The FBI has laid charges against various individuals and is now tweeting for information from the public regarding any evidence people may have against suspects in the DNSC case.
Note: The same web page requesting information from the public has links to support services for people who may have been infected or want to check that they’re not infected. There’s also a self-help PDF which goes step by step through the self-diagnosis process, and information about how to check your router.
The DNSC problem is a lot bigger than you’d guess from reading the net news. It got a mention in some of the bigger newspapers, then disappeared from view. It’s a global problem, and the DNSC software approach is a step up from the usual one-trick-wonder malware. On the face of it, this methodology seems to be a quantum jump in sophistication for hackers.
If you’ve ever seen a fake banking or commerce site, you’ll know how risky getting rerouted can be. Some years ago, PayPal published pictures of a PayPal lookalike site as part of a security awareness campaign. The site looked quite authentic, and if you were working at your usual internet speed, you might not even notice there was anything unusual about the site until you’d logged in and given the site operators your password.
The DNSC servers systematize this process. Wherever one of this network of servers sends you will definitely not be a bona fide site. This is basically mass production of multiple methods of malware infection. In addition to rerouting, DNSC also disables security software updates, leaving computers vulnerable to other types of malware infection.
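A defender-side check of the kind the self-help material asks users to perform, as an added example that is not part of the op-ed or of the FBI/ISC material: parse the resolver list a Unix host is using and flag any resolver that sits inside a known-rogue range. The rogue ranges, the sample resolv.conf and the addresses in it are constructed placeholders drawn from the RFC 5737 documentation ranges; the real rogue ranges come from the published self-help resources. `parse_resolvers`, `rogue_resolvers` and `check_host` are names chosen here.

```python
"""Check a host's configured DNS resolvers against known-rogue address ranges.

Added example, not code from the op-ed or from the FBI/ISC self-help material.
The rogue ranges below are CONSTRUCTED placeholders (RFC 5737 documentation
addresses); substitute the ranges published by the self-help resources.
"""
import ipaddress
import re

# Constructed placeholders standing in for the published rogue-resolver ranges.
ROGUE_RANGES = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.0/24")]

# Constructed sample of a Unix resolver file on a machine whose first resolver
# has been changed to a rogue server; the second is the ISP's legitimate one.
SAMPLE_RESOLV_CONF = """\
# generated by the DHCP client
search example.net
nameserver 198.51.100.7
nameserver 192.0.2.53
options timeout:2
"""


def parse_resolvers(resolv_conf: str) -> list:
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"nameserver\s+(\S+)", line)
        if m:
            try:
                servers.append(ipaddress.ip_address(m.group(1)))
            except ValueError:
                continue  # skip unparsable entries rather than abort the check
    return servers


def rogue_resolvers(servers) -> list:
    """Return the subset of resolvers that fall inside a known-rogue range."""
    return [str(s) for s in servers if any(s in net for net in ROGUE_RANGES)]


def check_host(resolv_conf: str) -> dict:
    """Summarise the check: every resolver seen, the rogue ones, and a verdict."""
    servers = parse_resolvers(resolv_conf)
    bad = rogue_resolvers(servers)
    return {"resolvers": [str(s) for s in servers], "rogue": bad, "infected": bool(bad)}


if __name__ == "__main__":
    result = check_host(SAMPLE_RESOLV_CONF)
    for ip in result["resolvers"]:
        print(f"{ip:15} {'ROGUE' if ip in result['rogue'] else 'ok'}")
    print("verdict:", "re-routed through rogue DNS" if result["infected"] else "clean")
```

On a real host, pass the contents of /etc/resolv.conf (or the DNS server list shown by `ipconfig /all` on Windows) to `check_host`. The router check the article mentions is the same comparison applied to the resolvers the router hands out over DHCP, since a changed router setting re-routes every device behind it even when the individual machines are clean.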
It looks as though law enforcement got lucky as well as reacting swiftly. US businesses and even NASA were also affected, but there have been no reports of major hits. The FBI and ISC reaction was apparently quick and effective enough to prevent a global plague of DNS-related issues, which could have been almost unmanageable.
The big mistake: DNSC an own goal for malware operators?
It’s quite likely that DNSC will turn out to be a bad, perhaps even fatal, move for malware operators overall. There’s another side to this “brilliance”, and it’s dumb as a brick. In server territory, the game changes drastically in favor of the good guys. Servers can act as effective filters and traps. It’s not even theoretically hard to multiply encrypt and compartmentalize DNS addresses and build in verifiers and/or dummy information. Those basic approaches can also work on computers and other devices, like phones and tablets.
As you may or may not be aware, banks use SSL (Secure Sockets Layer), which scrambles information in transit and reassembles it at its destination. Any digital ID or other information can be automatically transformed into something that’s far more trouble than it’s worth to try to crack. These DNS addresses are arbitrary third-party addresses, so there are no privacy or other issues, and there’s no real obstacle to making DNS servers and cloud servers very hard targets.
Similar methods could make whole classes of malware obsolete. Malware can only do what it does because it can read the systems it lands on, and these methods play havoc with that. Encrypt a system, and it doesn’t take much, and you can protect yourself from incoming material and be unreadable. You could simply encrypt parts of your OS so they’re unreadable to anyone without the right tools, and hide the tools so the malware doesn’t even know what system you’re using. Even a remote third-party system applying this sort of security could be effectively invisible all the way down to terminal level.
A very simple example: say you want to exchange a few billion KB with someone. For security purposes, there are perhaps a few million otherwise innocuous, normal characters at certain places in that information. Both computers refuse to accept the information unless those characters are present, and in the right places. You can set up a system like that in seconds. You’d also know when someone is using the wrong tools to try to read your information. That’s the killer: failures would be virtual DNA-level evidence of attempts. You could identify and isolate the attackers, because even spoofed addresses and botnets have to come in through servers and go through the fundamental protocols, which leave trails.
(Most people don’t know that the supposedly advanced, scary botnet attack looks very different on an admin board: you can see the IPs of the attackers. With additional security you’d also be able to document the attack and get a good picture of the malware, in relatively safe circumstances.)
No malware on Earth could positively identify the security characters, their placement requirements, or even the basic rules for placing the characters. Nor would it be worth trying; it would take too long, and there’s no real likelihood of finding all the characters. It could take months, only to fail at the end. If malware operators want number crunching, give them number crunching, by the terabyte. They’d be out of business in a week, with a much clearer appreciation of the phrase “the biter bit” and of what real mathematics can do when it tries.
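The exchange described in the example above, together with the admin-board view of failed attempts, as an added example that is not the author’s own scheme: in place of fixed characters at fixed positions (a secret that only has to be learned once), the standard cryptographic form of the same check is a keyed message authentication code, here HMAC-SHA256 over every chunk, so only a holder of the shared key can produce data the receiver accepts, and any tampering or foreign input is rejected. The receiver also keeps the per-source record of verification failures that the article calls the attackers’ trail. `seal`, `open_chunk`, `Receiver` and `demo` are names chosen here; the key, the peer addresses and the chunks are constructed sample values.

```python
"""Integrity check on exchanged data, plus attacker-side evidence from failures.

Added example, not from the op-ed. The op-ed's 'security characters at certain
places' are implemented in their standard form: a keyed HMAC-SHA256 tag over
every chunk. Key, addresses and chunks are constructed sample values.
"""
import hashlib
import hmac
import secrets
from collections import Counter

TAG_LEN = 32  # bytes of SHA-256 output appended to each chunk


def seal(key: bytes, chunk: bytes) -> bytes:
    """Sender side: append the keyed tag so the receiver can verify origin and integrity."""
    return chunk + hmac.new(key, chunk, hashlib.sha256).digest()


def open_chunk(key: bytes, sealed: bytes):
    """Receiver side: return the chunk if its tag verifies, otherwise None."""
    if len(sealed) < TAG_LEN:
        return None  # too short to even carry a tag
    chunk, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(key, chunk, hashlib.sha256).digest()
    # Constant-time comparison: a byte-by-byte early exit would leak tag bytes.
    if not hmac.compare_digest(tag, expected):
        return None
    return chunk


class Receiver:
    """Accepts sealed chunks and keeps a per-source record of verification failures."""

    def __init__(self, key: bytes):
        self.key = key
        self.failures = Counter()  # source address -> failed verifications
        self.accepted = 0

    def receive(self, source_ip: str, sealed: bytes) -> bool:
        chunk = open_chunk(self.key, sealed)
        if chunk is None:
            self.failures[source_ip] += 1  # the trail the op-ed describes
            return False
        self.accepted += 1
        return True

    def suspects(self, threshold: int = 3) -> list:
        """Sources with repeated failures, most frequent first; a keyed peer never fails."""
        return [ip for ip, n in self.failures.most_common() if n >= threshold]


def demo() -> dict:
    """Constructed run: one legitimate peer, one in-transit corruption, one key-less source."""
    key = secrets.token_bytes(32)  # shared out of band; generated here for the demo
    rx = Receiver(key)
    # Legitimate peer (constructed address): every chunk verifies.
    for i in range(5):
        rx.receive("192.0.2.10", seal(key, f"record {i}".encode()))
    # Same peer, but one bit of the payload flipped in transit ('1' -> '0' in the amount).
    damaged = bytearray(seal(key, b"transfer 100"))
    damaged[9] ^= 0x01
    rx.receive("192.0.2.10", bytes(damaged))
    # Source without the key (constructed address): random tags never verify.
    for _ in range(4):
        rx.receive("203.0.113.5", b"transfer 999" + secrets.token_bytes(TAG_LEN))
    return {"accepted": rx.accepted, "failures": dict(rx.failures), "suspects": rx.suspects()}


if __name__ == "__main__":
    print(demo())
```

The design point is the one the article makes from the defender’s side: a peer holding the key produces zero failures, so every failure is evidence, and the count per source separates a single corrupted packet from a source that is guessing. What the MAC adds over fixed marker characters is that capturing any amount of accepted traffic reveals nothing reusable, since each chunk’s tag depends on the key and on that chunk alone.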
I’ve hated malware and the people who create it ever since I was deliberately hit with it on an employment site where I was doing forum work and admin a few years ago. These pricks deliberately exposed unemployed and in some cases desperate people to malware, and a lot of it. I hope these ideas are some sort of payback, jerks.