Government Technology

Virtualization and DNS Monitoring: Strategies for Catching Cyber-Criminals

November 7, 2008 By

Hackers are getting more sophisticated, and the threat posed by a network breach, along with its potential for damage, is graver than it has ever been before. Attacks against networks and theft of sensitive information used to be the playground of a relatively few technically savvy pranksters. Now they have evolved into a highly lucrative and robust business model.

The current threat model is largely driven by social engineering, in which victims are tricked into clicking a link and filling in sensitive personal information, or into downloading software that infects their computer with a program controlled by a remote hacker.

Some studies show that more than 10 million Americans were victimized by identity theft in the space of a year, with estimated losses exceeding $50 billion, Steven M. Martinez, deputy assistant director of the FBI, noted in testimony before Congress. That was in 2004. That number is undoubtedly higher today.

So you're a government security manager charged with maintaining the security of your agency's or department's network and preserving the integrity and privacy of the large amount of sensitive data that is sent over it. What methods do you use to stay ahead in the high-stakes "arms race" between malware attacks and network defense? Domain Name System (DNS) traffic monitoring? Virtualization?

What use can these two technologies be in protecting against and detecting malware? And how can law enforcement use DNS traffic monitoring to get proactive about shutting down cyber-criminals' botnet infrastructure?

Viruses running in virtual environments are not new. Antivirus software companies currently use virtualization to test malware behavior. And according to Tom Liston, a senior security consultant with Intelguardians, virtual machines are designed for general computing and are not necessarily built with security in mind.

In the fall of 2005, the U.S. Department of Homeland Security hired Intelguardians to find out if malware could detect it was running in a virtual machine and escape to execute arbitrary code on the host machine. As a result of that research, Intelguardians discovered that between 5 percent and 10 percent of viruses in the wild can detect virtual machines, and this number is increasing, Liston said.

That's bad, Liston said, because the malware can then change its behavior if it detects it is running on a virtual machine. Based on what the software detects, it could be programmed to do something different than what it would do had it gone undetected.

Liston said Intelguardians' research from 2007 found that malware could escape the containment of a guest account and execute arbitrary code on the host computer. The researchers found the malware could transfer from one account to another. Liston said he hasn't seen this in the wild yet, giving researchers a little time to harden virtual machines against such malware capability.

Mitigating Malware on Virtual Machines

Liston said IT personnel charged with computer security should not trust that guest accounts will remain isolated from their host accounts in virtual environments. Consequently he advised them to isolate virtualization test machines from production systems and harden virtual machines against detection.

DNS Monitoring: Law Enforcement's Early Warning

The Internet allows criminals to operate stealthily and from anywhere. Current data show that botnets, networks of computers hijacked to do a criminal's bidding without the owners' knowledge, are still a viable way to perpetrate computer crime. And a single computer is usually a member of several botnets, David Dagon, a security researcher with Georgia Tech, noted. Two of the uses of these networks are to send spam and perpetrate click fraud. As a result, advertisers are transitioning to measuring an ad's effectiveness by the transaction volume generated by clicks, instead of merely measuring click-through rates, Dagon noted.
