
Tenable Blog


Active and Passive Auditing of DNS Servers in Use – Finding DNSChanger Malware

Tenable’s Research team recently shipped a variety of Nessus plugins and Passive Vulnerability Scanner (PVS) PASL scripts that audit and detect the DNS servers in use on (and off) your network. These plugins and scripts are leveraged to find systems affected by DNSChanger malware, but they can also be used for a broader audit of DNS servers actively in use. This blog entry describes the new plugins and PASL scripts and how they can be used to audit active DNS servers in use.

The following new Nessus plugins and PVS PASL scripts have been made available:

Nessus:
58181 – Windows DNS Server Enumeration
58180 – Mac OS X DNS Server Enumeration
58182 – DNSChanger Malware Detection

PVS:
07053 – DNS Client/Server Logging
07055 – DNSChanger Malware Detection

The Nessus checks require credentials to look at the configured DNS servers present on the audited Windows or Mac OS X system. Below is a sample Nessus 5 screenshot of an audited Mac OS X system configured with one DNS server:

[Screenshot 1-osx-dns: Nessus 5 result for the audited Mac OS X system showing its single configured DNS server]

Below is a screenshot of a SecurityCenter system managing a PVS sensor that has found four DNS servers in use for a system at 192.168.1.61:

[Screenshot 2-pvs-dns-servers: SecurityCenter view of PVS results listing the four DNS servers used by 192.168.1.61]

Information on the DNSChanger Trojan has been widely circulated by the FBI, F-Secure, Internet Identity, and Symantec. Infected computers are modified to make use of DNS servers operating at the IP addresses 85.255.112.36 and 85.255.112.41. The hostile DNS servers have been ordered by a US judge to be kept online until July 2012.

Gathering DNS server usage across your organization can be very useful to identify many types of authorized and unauthorized behavior, such as the following:

  1. Identify poorly-configured DNS settings.
  2. Identify sections of the network with weak outbound port 53/DNS controls.
  3. Identify DNS servers queried by software, mobile applications, and even malicious programs.

Within SecurityCenter, the active and passive plugins/scripts can be used for dynamic asset list tagging. For example, combining a PVS script filter of 7053 and content of "216.136.95.2" (a Time Warner DNS server) would identify every node on a network that leveraged this, as seen in the screenshot below:

[Screenshot 3-sc4-dynamic: SecurityCenter dynamic asset list built from PVS plugin 7053 with content "216.136.95.2"]

Finding this type of data with Nessus is highly accurate and requires an account on a Windows or OS X system. PVS can also find this type of data in a unique manner because it audits every observed DNS query. This includes DNS lookups for systems that are hard to audit, such as printers and iPads, as well as DNS lookups for malicious software embedded in your infrastructure. 

Real-time logs are also a byproduct of the PVS passive DNS monitoring. These logs can be sent to SIEMs and log analysis tools such as Tenable’s Log Correlation Engine (LCE). Below is a screenshot of a full day's trace of real-time DNS lookups, DNS lookup failures, and even internal mDNS lookups for a server farm on a large university campus, as rendered by an LCE:

[Screenshot 4-dns-lce: LCE rendering of one day of DNS lookups, lookup failures, and internal mDNS lookups for a university server farm]

These logs from the PVS can be used for real-time alerting and to enhance forensic analysis by showing when systems are compromised. Before these plugins/scripts were available, I had scheduled reports and alerts running on the LCE to look for any DNS activity involving the IPs associated with DNSChanger.

When systems are infected with malicious software and they point to DNS servers outside of your network, it is invaluable to have an independent log of DNS activity such as one produced by the PVS.
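The kind of check described above, an independent DNS log reviewed against a resolver policy and the DNSChanger addresses, as an added example that is not Tenable's own plugin or LCE code. The log lines are constructed in a simple key=value shape rather than PVS's real output, and the approved-resolver list is a hypothetical policy; only the two hostile IPs come from the post.

```python
import ipaddress
import re
from collections import defaultdict

# Hostile resolvers named in the post as used by DNSChanger-infected hosts.
DNSCHANGER_RESOLVERS = {"85.255.112.36", "85.255.112.41"}
# Hypothetical resolver policy: one internal resolver plus the Time Warner server cited above.
APPROVED_RESOLVERS = {"192.168.1.1", "216.136.95.2"}

# Constructed sample records in a simple key=value shape (not the real PVS/LCE log format).
SAMPLE_LOG = """\
2012-03-05T10:01:02 dns client=192.168.1.61 server=192.168.1.1 query=www.example.com
2012-03-05T10:01:07 dns client=192.168.1.61 server=216.136.95.2 query=cdn.example.net
2012-03-05T10:02:15 dns client=192.168.1.77 server=85.255.112.36 query=bank.example.org
2012-03-05T10:02:16 dns client=192.168.1.77 server=85.255.112.41 query=mail.example.org
2012-03-05T10:03:40 dns client=192.168.1.90 server=8.8.8.8 query=update.example.com
2012-03-05T10:03:41 dns client=192.168.1.90 server=not-an-ip query=broken.example.com
"""

LINE_RE = re.compile(r"client=(?P<client>\S+)\s+server=(?P<server>\S+)")

def classify_resolver(server):
    """Label a resolver IP against the hostile list and the approved policy."""
    if server in DNSCHANGER_RESOLVERS:
        return "dnschanger"
    return "approved" if server in APPROVED_RESOLVERS else "unapproved"

def audit_dns_log(log_text):
    """Return (usage, alerts): usage maps client -> {server: query count}; alerts holds
    one (client, server, verdict) tuple per distinct non-approved client/server pair."""
    usage = defaultdict(lambda: defaultdict(int))
    alerts, seen = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a DNS client/server record
        client, server = m.group("client"), m.group("server")
        try:
            ipaddress.ip_address(server)
        except ValueError:
            continue  # malformed server field; skip rather than mis-tag the client
        usage[client][server] += 1
        verdict = classify_resolver(server)
        if verdict != "approved" and (client, server) not in seen:
            seen.add((client, server))
            alerts.append((client, server, verdict))
    return usage, alerts

def dnschanger_clients(alerts):
    """Clients that queried a DNSChanger resolver, i.e. candidates for cleanup."""
    return sorted({c for c, _, v in alerts if v == "dnschanger"})
```

The "unapproved" verdict covers the broader audit goals listed earlier (weak outbound port 53 controls, software using its own resolvers), while "dnschanger" is the narrow infection indicator.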

DNS configuration auditing often goes unnoticed because if it works at all, no one complains, and as soon as it doesn’t work, it gets fixed. The security of your network relies on ensuring that it is configured with the right DNS servers.

We’ve blogged previously about passive network monitoring and scanning the network for infected systems. Below are some additional links for reference:

