One of the key strategies in modern warfare is disrupting the enemy’s command & control infrastructure. It can also be an effective strategy in the ongoing war against malware. One of the first things that usually happens when a PC is infected with malware is that the malware “phones home” to a command & control server to check in and get further instructions – which may be to take some specific action such as downloading additional malware or encrypting all the files on your computer, or to simply go to sleep until further notice. If we can prevent that communication from taking place, we have a shot at stopping the infection in its tracks. But how can we do that?
Nearly every communication transaction that takes place across the Internet involves, at some point, a DNS query. For the non-technical in the audience, DNS, which stands for “Domain Name System,” is the naming system that matches names, like www.sidherron.com, to IP addresses, like 220.127.116.11, which the routers in the Internet need to know in order to properly route the traffic. Part of the network configuration of your computer, and every other computer that’s connected to the Internet, is a setting that tells the computer where it should send its DNS queries. Corporate networks will generally have one or more DNS servers as part of the network. Individual home users, in most cases, simply use a DNS server provided by their Internet Service Provider. When you, dear reader, typed www.sidherron.com into your browser, or clicked on some other link that brought you here, your computer sent a DNS query to a DNS server. If that DNS server didn’t know what IP address corresponded to this Web site, it forwarded the request on to another server in the hierarchy of DNS servers, until ultimately, several fractions of a second later, the answer came back that if you want to talk to www.sidherron.com, you need to send your data packets to 18.104.22.168.
The communication between a piece of malware and a command & control server also, nearly always, involves a DNS query. Moreover, if one of your employees clicks on a link in a “phishing” email message that leads to a malicious destination, it will nearly always generate a DNS query. And if someone is tricked into clicking on a “malvertising” link (which have now, believe it or not, surpassed porn sites as a malware infection vector), it will nearly always generate a DNS query.
You’re probably way ahead of me by now, and thinking, “Wait a minute, if we can block that DNS query, we can prevent the infection from taking place, or, if the initial infection has already taken place, we have a chance of stopping it in its tracks.” And that’s exactly what the OpenDNS service is all about.
OpenDNS, which is now a part of Cisco, maintains a global network of DNS servers that process over 80 billion DNS queries every day. Using a variety of innovative techniques, they maintain a database of malicious destinations. By simply directing DNS queries to OpenDNS, we can block as much as 70% – 80% of the attempts to contact malicious destinations. And while we’re at it, we can create policies that will also block traffic to sites with objectionable content (e.g., porn, violence, racism, etc.), and give businesses a dashboard that will reveal exactly where their users are going (or attempting to go) on the Internet. There is also a roaming client for Windows and Mac OS X devices that will protect them when they’re not attached to the corporate network.
The OpenDNS subscription service is surprisingly affordable – particularly when you compare it to the cost of recovering from a malware attack. I encourage you to check it out.
One Thought to “Beating Malware by Disrupting Command and Control”
[…] Finally, consider the OpenDNS service we wrote about in our recent blog post entitled “Beating Malware by Disrupting Command & Control.” […]