Government Technology

Virtualization and DNS Monitoring: Strategies for Catching Cyber-Criminals



November 7, 2008 By

Hackers are getting more sophisticated, and the threat posed by a network breach, and the damage one can cause, are graver than ever before. Attacks against networks and theft of sensitive information used to be the playground of a relatively few technically savvy pranksters. Now they have evolved into a highly lucrative and robust business model.

The current threat model is largely driven by social engineering, in which victims are tricked into clicking a link and filling in sensitive personal information, or into downloading software that infects their computer with malware controlled by a remote attacker.

Some studies show that more than 10 million Americans were victimized by identity theft in the space of a year, with estimated losses exceeding $50 billion, Steven M. Martinez, deputy assistant director of the FBI, noted in testimony before Congress. That was in 2004. That number is undoubtedly higher today.

So you're a government security manager charged with maintaining the security of your agency's or department's network and preserving the integrity and privacy of the large amount of sensitive data that is sent over it. What methods do you use to stay ahead in the high-stakes "arms race" between malware attacks and network defense? Domain Name System (DNS) traffic monitoring? Virtualization?

What use can these two technologies be in protecting against and detecting malware? And how can law enforcement use DNS traffic monitoring to get proactive about shutting down cyber-criminals' botnet infrastructure?

Viruses running in virtual environments are not new. Antivirus software companies currently use virtualization to test malware behavior. And according to Tom Liston, a senior security consultant with Intelguardians, virtual machines are designed for general computing and are not necessarily built with security in mind.

In the fall of 2005, the U.S. Department of Homeland Security hired Intelguardians to find out if malware could detect it was running in a virtual machine and escape to execute arbitrary code on the host machine. As a result of that research, Intelguardians discovered that between 5 percent and 10 percent of viruses in the wild can detect virtual machines, and this number is increasing, Liston said.

That's bad, Liston said, because the malware can then change its behavior if it detects it is running on a virtual machine. Based on what the software detects, it could be programmed to do something different than what it would do had it gone undetected.

Liston said Intelguardians' research from 2007 found that malware could escape the containment of a guest virtual machine and execute arbitrary code on the host computer. The researchers also found the malware could move from one guest to another. Liston said he hasn't seen this in the wild yet, which gives researchers a little time to harden virtual machines against such malware capabilities.

Mitigating Malware on Virtual Machines

Liston said IT personnel charged with computer security should not trust that guest virtual machines will remain isolated from their hosts. Consequently he advised them to isolate virtualization test machines from production systems and to harden virtual machines against detection.

DNS Monitoring: Law Enforcement's Early Warning

The Internet allows criminals to operate stealthily and from anywhere. Current data show that botnets, networks of computers hijacked to do a criminal's bidding without the owners' knowledge, are still a viable way to perpetrate computer crime. And a single computer is usually a member of several botnets, David Dagon, a security researcher with Georgia Tech, noted. Two of the uses of these networks are to send spam and to perpetrate click fraud. As a result, advertisers are transitioning to measuring an ad's effectiveness by the transaction volume generated by clicks, instead of merely measuring click-through rates, Dagon noted.
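The article names DNS traffic monitoring as a way to spot botnet activity without explaining what a monitor would look for. The script below is an added illustration, not code from the article or from the researchers it quotes. It assumes a simple resolver log format of "timestamp client-ip queried-name" (the sample lines are constructed) and flags one pattern a defender can reasonably look for: a name the organization has never resolved before that is suddenly looked up by many distinct internal hosts within a short window, the kind of synchronized rendezvous that many infected machines checking in with the same infrastructure would produce. The thresholds and the allowlist are tuning knobs, not values taken from the article.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample resolver log (not from the article):
# "ISO-timestamp client-ip queried-name", one query per line.
SAMPLE_LOG = """\
2008-11-07T09:00:01 10.0.0.11 www.example.org
2008-11-07T09:00:03 10.0.0.12 mail.example.org
2008-11-07T09:15:00 10.0.0.11 rendezvous.example.net
2008-11-07T09:15:02 10.0.0.12 rendezvous.example.net
2008-11-07T09:15:04 10.0.0.13 rendezvous.example.net
2008-11-07T09:15:05 10.0.0.14 rendezvous.example.net
2008-11-07T09:15:07 10.0.0.15 rendezvous.example.net
2008-11-07T09:30:00 10.0.0.13 www.example.org
2008-11-07T10:00:00 10.0.0.16 www.example.org
2008-11-07T10:00:10 10.0.0.17 www.example.org
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Yield (timestamp, client, qname) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        # Normalize the name so case and a trailing dot do not split counts.
        yield ts, m.group(2), m.group(3).lower().rstrip(".")


def find_coordinated_lookups(text, min_clients=4, window_seconds=60, allowlist=()):
    """Return {qname: sorted list of clients} for every name that, within
    `window_seconds` of its first appearance in the log, was resolved by at
    least `min_clients` distinct clients.

    Names in `allowlist` (e.g. known update or CDN hosts, which legitimately
    produce bursts) are ignored. Thresholds are assumptions to be tuned per
    network; they are not values from the article.
    """
    first_seen = {}
    clients_in_window = defaultdict(set)
    # Sort by time so "first seen" really is the earliest query for each name.
    for ts, client, qname in sorted(parse_log(text)):
        if qname in allowlist:
            continue
        start = first_seen.setdefault(qname, ts)
        if (ts - start).total_seconds() <= window_seconds:
            clients_in_window[qname].add(client)
    return {
        qname: sorted(clients)
        for qname, clients in clients_in_window.items()
        if len(clients) >= min_clients
    }


if __name__ == "__main__":
    for qname, clients in find_coordinated_lookups(SAMPLE_LOG).items():
        print(f"{qname}: resolved by {len(clients)} hosts within one minute "
              f"of first sighting -> {', '.join(clients)}")
```

On the sample log the routine flags only rendezvous.example.net, which five hosts resolve within seven seconds; www.example.org is queried by several hosts too, but spread over an hour, so it stays below the threshold. In practice the first-seen baseline would come from a longer history of the resolver's logs rather than from the same file being analyzed, and any name that is flagged is a lead for investigation, not proof of infection.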

