
Active and Passive Auditing of DNS Servers in Use – Finding DNSChanger Malware

Tenable’s Research team recently shipped a variety of Nessus plugins and Passive Vulnerability Scanner (PVS) PASL scripts that audit and detect the DNS servers in use on (and off) your network. These plugins and scripts are leveraged to find systems affected by DNSChanger malware, but they can also be used for a broader audit of DNS servers actively in use. This blog entry describes the new plugins and PASL scripts and how they can be used to audit active DNS servers in use.

The following new Nessus plugins and PVS PASL scripts have been made available:

Nessus:
58181 – Windows DNS Server Enumeration
58180 – Mac OS X DNS Server Enumeration
58182 – DNSChanger Malware Detection

PVS:
07053 – DNS Client/Server Logging
07055 – DNSChanger Malware Detection

The Nessus checks require credentials to look at the configured DNS servers present on the audited Windows or Mac OS X system. Below is a sample Nessus 5 screenshot of an audited Mac OS X system configured with one DNS server:
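The credentialed Nessus checks read the resolver list from the audited host's own configuration. The script below is an added example, not Tenable's plugin code: it performs the same kind of configuration audit on text captured from a host, accepting both the `/etc/resolv.conf` format and the `nameserver[N] : ip` lines printed by `scutil --dns` on Mac OS X, and classifies each resolver as approved, unapproved, or one of the two DNSChanger addresses named in this post. The approved-resolver list and the sample configuration text are constructed for the example.

```python
"""Audit the DNS resolvers configured on a host (added example, not Tenable code).

Accepts text in /etc/resolv.conf form ("nameserver 1.2.3.4") or the
`scutil --dns` form used on Mac OS X ("  nameserver[0] : 1.2.3.4") and
classifies every resolver found against an approved list and the
DNSChanger addresses named in the post.
"""
import ipaddress
import re

# Resolver IPs this post names for DNSChanger.
DNSCHANGER_RESOLVERS = {"85.255.112.36", "85.255.112.41"}

# Hypothetical approved corporate resolvers (assumption for the example).
APPROVED_RESOLVERS = {"192.168.1.1", "10.0.0.53"}

_RESOLV_CONF_RE = re.compile(r"^\s*nameserver\s+(\S+)")
_SCUTIL_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)")


def parse_resolvers(text):
    """Return the ordered, de-duplicated resolver IPs found in text.

    Lines that match neither format, or whose value is not a valid IP
    address, are ignored.
    """
    found = []
    for line in text.splitlines():
        m = _RESOLV_CONF_RE.match(line) or _SCUTIL_RE.match(line)
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m.group(1)))
        except ValueError:
            continue
        if ip not in found:
            found.append(ip)
    return found


def audit_resolvers(resolvers):
    """Map each resolver IP to 'dnschanger', 'approved' or 'unapproved'."""
    verdicts = {}
    for ip in resolvers:
        if ip in DNSCHANGER_RESOLVERS:
            verdicts[ip] = "dnschanger"
        elif ip in APPROVED_RESOLVERS:
            verdicts[ip] = "approved"
        else:
            verdicts[ip] = "unapproved"
    return verdicts


# Constructed sample: scutil --dns style output from a Mac pointed at a rogue resolver.
SAMPLE_SCUTIL = """\
DNS configuration

resolver #1
  nameserver[0] : 85.255.112.36
  nameserver[1] : 192.168.1.1
  if_index : 4 (en0)
"""

# Constructed sample: a resolv.conf with one approved and one unapproved resolver.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 10.0.0.53
nameserver 8.8.8.8
"""

if __name__ == "__main__":
    for name, text in (("scutil", SAMPLE_SCUTIL), ("resolv.conf", SAMPLE_RESOLV_CONF)):
        for ip, verdict in audit_resolvers(parse_resolvers(text)).items():
            print(f"{name}: {ip} -> {verdict}")
```

On a real host the text would come from `cat /etc/resolv.conf` or `scutil --dns` run over the same credentialed session the plugins use; a "dnschanger" verdict warrants an incident ticket, while "unapproved" usually points at a misconfiguration or a weak outbound port 53 policy.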

[Screenshot 1-osx-dns: Nessus 5 audit of a Mac OS X system showing one configured DNS server]

Below is a screenshot of a SecurityCenter system managing a PVS sensor that has found four DNS servers in use for a system at 192.168.1.61:

[Screenshot 2-pvs-dns-servers: SecurityCenter view of PVS results showing four DNS servers in use by 192.168.1.61]

Information on the DNSChanger Trojan has been widely circulated by the FBI, F-Secure, Internet Identity, and Symantec. Infected computers are modified to make use of DNS servers operating at the IP addresses 85.255.112.36 and 85.255.112.41. The hostile DNS servers have been ordered by a US judge to be kept online until July 2012.

Gathering DNS server usage across your organization can be very useful to identify many types of authorized and unauthorized behavior, such as the following:

  1. Identify poorly-configured DNS settings.
  2. Identify sections of the network with weak outbound port 53/DNS controls.
  3. Identify DNS servers queried by software, mobile applications, and even malicious programs.

Within SecurityCenter, the active and passive plugins/scripts can be used for dynamic asset list tagging. For example, combining a PVS script filter of 7053 and content of "216.136.95.2" (a Time Warner DNS server) would identify every node on a network that leveraged this, as seen in the screenshot below:

[Screenshot 3-sc4-dynamic: SecurityCenter dynamic asset list built from PVS script 7053 with content "216.136.95.2"]

Finding this type of data with Nessus is highly accurate and requires an account on a Windows or OS X system. PVS can also find this type of data in a unique manner because it audits every observed DNS query. This includes DNS lookups for systems that are hard to audit, such as printers and iPads, as well as DNS lookups for malicious software embedded in your infrastructure. 

Real-time logs are also a byproduct of the PVS passive DNS monitoring. These logs can be sent to SIMs and log analysis tools such as Tenable’s Log Correlation Engine (LCE). Below is a screenshot of a full day's trace of real-time DNS lookups, DNS lookup failures, and even internal mDNS lookups for a server farm on a large university campus as rendered by an LCE:

[Screenshot 4-dns-lce: LCE rendering of one day of DNS lookups, lookup failures, and internal mDNS lookups for a university server farm]

These logs from the PVS can be used for real-time alerting and to enhance forensic analysis by showing when systems are compromised. Before these plugins/scripts were available, I had scheduled reports and alerts running on the LCE to look for any DNS activity involving the IPs associated with DNSChanger.
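The dynamic asset list above (every client seen querying 216.136.95.2) and the scheduled DNSChanger alerts described in this paragraph are both simple operations over a client-to-resolver log. The script below is an added example, not PVS or LCE code, that shows both on a constructed log. The line format (`<timestamp> dns-query client=<ip> server=<ip> qname=<name>`) is invented for the example and is not PVS's own log format; the sample lines are constructed so that 192.168.1.61 queries four resolvers, one of them a DNSChanger address named in this post.

```python
"""Asset tagging and alerting over passively logged DNS queries
(added example; the log format is constructed, not PVS's own)."""
import re
from collections import defaultdict

# Resolver IPs this post names for DNSChanger.
DNSCHANGER_RESOLVERS = {"85.255.112.36", "85.255.112.41"}

# Constructed format: "<timestamp> dns-query client=<ip> server=<ip> qname=<name>"
_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+dns-query\s+client=(?P<client>\S+)\s+"
    r"server=(?P<server>\S+)\s+qname=(?P<qname>\S+)$"
)


def parse_dns_log(text):
    """Parse the log into a list of dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = _LOG_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def servers_by_client(records):
    """Map each client IP to the sorted list of resolvers it was seen querying."""
    seen = defaultdict(set)
    for r in records:
        seen[r["client"]].add(r["server"])
    return {client: sorted(servers) for client, servers in seen.items()}


def clients_using_server(records, server_ip):
    """Dynamic asset list: every client that sent a query to server_ip."""
    return sorted({r["client"] for r in records if r["server"] == server_ip})


def rogue_resolver_alerts(records, rogue=DNSCHANGER_RESOLVERS):
    """Alert tuples (timestamp, client, server, qname) for queries to rogue resolvers."""
    return [
        (r["ts"], r["client"], r["server"], r["qname"])
        for r in records
        if r["server"] in rogue
    ]


# Constructed sample log: 192.168.1.61 talks to four resolvers, one of them rogue.
SAMPLE_LOG = """\
2012-03-01T09:00:01 dns-query client=192.168.1.61 server=192.168.1.1 qname=intranet.corp.example
2012-03-01T09:00:05 dns-query client=192.168.1.61 server=216.136.95.2 qname=www.example.com
2012-03-01T09:00:09 dns-query client=192.168.1.61 server=8.8.8.8 qname=update.example.net
2012-03-01T09:00:12 dns-query client=192.168.1.61 server=85.255.112.36 qname=bank.example.org
2012-03-01T09:01:40 dns-query client=192.168.1.77 server=192.168.1.1 qname=mail.corp.example
2012-03-01T09:02:03 dns-query client=192.168.1.90 server=216.136.95.2 qname=cdn.example.com
this line is not a dns-query record and is skipped
"""

if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_LOG)
    print("resolvers per client:", servers_by_client(recs))
    print("clients using 216.136.95.2:", clients_using_server(recs, "216.136.95.2"))
    for alert in rogue_resolver_alerts(recs):
        print("ALERT rogue resolver:", alert)
```

Because the log records which client talked to which resolver rather than what the client believes its configuration is, the alert fires for an infected host even when no credentialed scan of that host is possible, which is the point the post makes about printers, iPads, and embedded malware.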

When systems are infected with malicious software and they point to DNS servers outside of your network, it is invaluable to have an independent log of DNS activity such as one produced by the PVS.

DNS configuration auditing often goes unnoticed because if it works at all, no one complains, and as soon as it doesn’t work, it gets fixed. The security of your network relies on ensuring that it is configured with the right DNS servers.

We’ve blogged previously about passive network monitoring and scanning the network for infected systems. Below are some additional links for reference:

