Virtualization and DNS Monitoring: Strategies for Catching Cyber-Criminals

Hackable virtual machines, clever malware, shifty cyber-criminals and other challenges faced by law enforcement online.

by / November 7, 2008

Hackers are getting more sophisticated, and the threat posed by a network breach and the potential for damage is graver than it has ever been before. Attacks against networks and theft of sensitive information used to be the playground of a relatively few technically savvy pranksters. Now it has evolved into a highly lucrative and robust business model.

The current threat model is largely driven by social engineering, in which victims are tricked into clicking a link and entering sensitive personal information, or into downloading software that infects their computer with a program controlled by a remote hacker.

Some studies show that more than 10 million Americans were victimized by identity theft in the space of a year, with estimated losses exceeding $50 billion, Steven M. Martinez, deputy assistant director of the FBI, noted in testimony before Congress. That was in 2004. That number is undoubtedly higher today.

So you're a government security manager charged with maintaining the security of your agency's or department's network and preserving the integrity and privacy of the large amount of sensitive data that is sent over it. What methods do you use to stay ahead in the high-stakes "arms race" between malware attacks and network defense? Domain Name System (DNS) traffic monitoring? Virtualization?

What use can these two technologies be in protecting against and detecting malware? And how can law enforcement use DNS traffic monitoring to get proactive about shutting down cyber-criminals' botnet infrastructure?

Viruses running in virtual environments are not new. Antivirus software companies currently use virtualization to test malware behavior. And according to Tom Liston, a senior security consultant with Intelguardians, virtual machines are designed for general computing and are not necessarily built with security in mind.

In the fall of 2005, the U.S. Department of Homeland Security hired Intelguardians to find out if malware could detect it was running in a virtual machine and escape to execute arbitrary code on the host machine. As a result of that research, Intelguardians discovered that between 5 percent and 10 percent of viruses in the wild can detect virtual machines, and this number is increasing, Liston said.

That's bad, Liston said, because the malware can then change its behavior if it detects it is running on a virtual machine. Based on what the software detects, it could be programmed to do something different than what it would do had it gone undetected.

Liston said Intelguardians' research from 2007 found that malware could escape the containment of a guest account and execute arbitrary code on the host computer. The researchers found the malware could transfer from one account to another. Liston said he hasn't seen this in the wild yet, giving researchers a little time to harden virtual machines against such malware capability.

Mitigating Malware on Virtual Machines

Liston said IT personnel charged with computer security should not trust that guest accounts will remain isolated from their host accounts in virtual environments. Consequently he advised them to isolate virtualization test machines from production systems and harden virtual machines against detection.

DNS Monitoring: Law Enforcement's Early Warning

The Internet allows criminals to operate stealthily and from anywhere. Botnets, networks of computers hijacked to do a criminal's bidding without the owners' knowledge, remain a viable way to perpetrate computer crime, according to current data. And a single computer is usually a member of several botnets, David Dagon, a security researcher with Georgia Tech, noted. Two of the uses of these networks are to send spam and perpetrate click fraud. As a result, advertisers are transitioning to measuring an ad's effectiveness by the transaction volume generated by clicks, instead of merely measuring click-through rates, Dagon noted.

When a criminal gets wind of an investigator on his tail, he can simply manipulate the domain name system to shift his operations from one host to another and avoid being shut down, Dagon said.

Enter the Security Information Exchange (SIE), a network of Internet sensors that allow researchers, DNS operators and law enforcement officers to monitor, collect and analyze DNS traffic over a secure network. The data from the sensors is collected and delivered in real time over different channels depending on its subcategory.

This allows experts and law enforcement officers to see the DNS changes that occur before a new site goes live or a site changes from one host to another.

Criminal gangs, such as one Russian gang that made $85 million on a single fraudulent antivirus scam, are using fake Web sites promoting antivirus software and fraudulent hurricane relief efforts to spread malware and steal computer users' identities, Dagon said.

Not only can law enforcement officers see when a fraudulent site is about to change hosts, but the SIE allows law enforcement to do a search of the National Oceanic and Atmospheric Administration (NOAA) database of future hurricane names to predict domain names that are likely to spawn future scams, Dagon said. NOAA maintains a list of four years' worth of future hurricane names, he said. Being aware of potential domain names that could be used in the event of a major hurricane allows law enforcement personnel to be very proactive, he noted.

Dagon recommends that law enforcement officers monitoring cyber-crime build a list of possible domains that could be used for scams and monitor the DNS traffic associated with them. As an example, Dagon noted that one list compiled in 15 minutes identified 12 phishing sites, which were then taken down before they could harm a single victim.
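As an added example (not code from the article or from any organization it names), here is the watch-list approach Dagon describes, carried through in Python over constructed passive-DNS records. It assumes a constructed stand-in for the NOAA storm-name list and a hypothetical list of relief keywords, and it flags a watched name when it first appears and again when its A record moves to a new host, the two DNS changes the SIE section says investigators want to see.

```python
import re

# Constructed stand-in for the NOAA list of future storm names the article mentions.
STORM_NAMES = ["Ana", "Bill", "Claudette"]
# Words that fraudulent relief sites pair with a storm name (assumption, extend as needed).
RELIEF_WORDS = ["relief", "donate", "help", "fund", "victims"]

# Constructed passive-DNS records in the form "<timestamp> <name> <rrtype> <rdata>".
SAMPLE_RECORDS = [
    "2008-09-01T10:00:00Z ana-relief.example.com. NS ns1.example.net.",
    "2008-09-01T10:05:00Z ana-relief.example.com. A 192.0.2.10",
    "2008-09-01T10:06:00Z weather.example.org. A 198.51.100.5",
    "2008-09-02T08:00:00Z donate-bill.example.net. A 192.0.2.20",
    "2008-09-03T12:00:00Z ana-relief.example.com. A 203.0.113.7",
]

def build_watchlist(names, words=RELIEF_WORDS):
    """Return a matcher that is True when any label of a domain pairs a storm name
    with a relief keyword, in either order, with an optional '-' or '_' between.
    Short names (e.g. 'Ana') will over-match; the output is a triage list, not proof."""
    n = "|".join(re.escape(x.lower()) for x in names)
    w = "|".join(re.escape(x.lower()) for x in words)
    pat = re.compile(rf"(?:{n})[-_]?(?:{w})|(?:{w})[-_]?(?:{n})")
    def matches(domain):
        return any(pat.search(label) for label in domain.lower().rstrip(".").split("."))
    return matches

def scan_passive_dns(records, watch):
    """Walk records in time order and report, for watched domains only, the first
    time a name appears (the site being set up) and every change of its A record
    (the site moving to a new host). Returns (timestamp, name, event, detail) tuples."""
    seen, last_a, events = set(), {}, []
    for line in records:
        ts, name, rrtype, rdata = line.split()
        name = name.lower().rstrip(".")
        if not watch(name):
            continue
        if name not in seen:
            seen.add(name)
            events.append((ts, name, "first-seen", f"{rrtype} {rdata}"))
        if rrtype == "A":
            prev = last_a.get(name)
            if prev is not None and prev != rdata:
                events.append((ts, name, "host-change", f"{prev} -> {rdata}"))
            last_a[name] = rdata
    return events

if __name__ == "__main__":
    for ev in scan_passive_dns(SAMPLE_RECORDS, build_watchlist(STORM_NAMES)):
        print(*ev)
```

On the sample, the unrelated weather site is ignored while the two storm-themed names are reported as they are set up and when the first one moves to a new address.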