With all the press about the Flame malware the last couple of weeks I took yet another look at my own security precautions. This involved a bunch of ad-hoc testing on my part, and I’ve come up with a couple of simple recommendations that could materially improve most people’s information security.
Most modern malware shares two characteristics. First, infected websites (many of which are completely legitimate) are the primary means by which malware is distributed. Second, most malware is aimed at stealing data and thus must communicate that stolen data out to a server somewhere. In the case of so-called Bots, the malware also communicates with Command-and-Control servers. If you can block access to malware distributing websites, and block communications between malware and servers out on the Internet, then you’re better protected. In fact, the biggest problem with both these approaches is that they can be a bit like locking the barn doors after the animals have escaped. What I’ll try to do with this post is explain a couple of things that will increase the odds that you get the doors closed in time.
I’m going to talk about URL Filtering and use of an enhanced DNS. Let’s start with URL filtering, although honestly I’m more excited about what you can do with DNS these days. URL filtering (for security) involves checking a URL against a database of sites known to be malicious and blocking access to them. The major browsers have built-in URL Filtering facilities, SmartScreen for Internet Explorer and Google Safe Browsing for the others. While these clearly help, I’ve found that there are other URL filtering tools that seem better. Personally I use Web of Trust (in addition to the built-in browser facilities), which in my testing of URLs contained within spam email is far more likely to flag dangerous websites than any other product (except perhaps one). It is free. In doing my research the commercial product that seems to do the best job is Trend Micro. I regularly send URLs off to VirusTotal for testing and get back results that show Trend Micro as the only service to have flagged a (clearly bad) site. So if you want to purchase a security suite for your PCs, Trend Micro has at least one advantage! But for the rest of us it is worthwhile installing Web of Trust’s browser add-on. Not only will this warn before attempts to access a malicious page, it will augment search results with icons that indicate the trustworthiness of each link. And if you do find a page that you feel is malicious, with a few clicks you can let others know. As an aside, Facebook’s link policy explicitly calls out having a poor Web of Trust rating as their standard for what constitutes a bad link. So they must think it is a pretty good link reputation service!
Of course the problem with Web of Trust is that it is a browser add-on, which means two things. The first is that it only works with browsers that allow add-ons! So it can’t help you with your iPhone/iPad’s Safari browser, or your Windows Phone, or the Metro version of IE in Windows 8, or browser modes (such as Private mode in IE) that disable add-ons, or guest PCs that you allow on your network, or…. The second problem is that it does nothing to block the outgoing communications from malware to data collection or command and control servers. For this you need help from your DNS (Domain Name Service).
First a bit of history. Originally malware would open up outgoing connections from your PC for their communications. This problem was addressed by the addition of Firewalls that block generalized outgoing communications. Of course you can’t prevent outgoing communications over “Port 80”, the communications port that is used for web browsing. And so most software, legitimate or not, now communicates by creating a tunnel using Port 80. Legitimate software does this because firewall management is just too difficult for consumers and too bureaucratic inside enterprises. Malware does it because, well what other choice does it have? So these days Firewalls are necessary but not sufficient to protect against malicious outgoing communications.
The Domain Name Service (DNS) is the Internet’s “Phone Book”, translating names such as www.thecompanyIwant.com into an Internet Protocol (IP) address such as 192.168.2.100 that is needed to actually talk to a computer on the Internet. Purists believe that is all that DNS should do, but others recognize that this translation facility opens up a number of opportunities for enhancement. One such enhancement would be to mark malicious domains (hypothetically www.thecompanyIwant.com in this case) in the DNS and refuse to hand out their real IP addresses. This has two benefits. It prevents a user from browsing (or following a link to) the URL/domain, and it prevents malware from successfully communicating outward by blocking its attempt to find the server it wants to talk to. Let’s go back to Flame for a moment. As soon as researchers identified the domains that Flame was contacting for Command and Control, the enhanced DNS services like OpenDNS blocked that communication, effectively neutering Flame (unless it has some backdoor communications mechanism that researchers have yet to identify). And so a great way to add another layer of protection to your computer or network is to switch from your ISP’s DNS server to using one of the enhanced DNS servers.
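To make the “refuse to hand out their real IP addresses” idea concrete, here is an added Python model of a blocking resolver (illustrative code, not from this post or from OpenDNS/Norton): it parses a DNS A query, answers with a sinkhole address when the name or any parent domain is on a blocklist, forwards known names to a stand-in upstream table, and returns NXDOMAIN otherwise. The blocklist, the upstream table and the TEST-NET addresses are constructed sample data.

```python
import struct

# Constructed sample data (not real indicators): the resolver's blocklist
# and a dictionary standing in for what an upstream lookup would return.
BLOCKLIST = {"malware-c2.example", "drive-by.example"}
UPSTREAM = {"www.thecompanyiwant.com": "192.0.2.10",
            "payload.drive-by.example": "192.0.2.66"}
SINKHOLE_IP = "192.0.2.1"  # address of the block page instead of the real host

def is_blocked(qname, blocklist=BLOCKLIST):
    """True if qname or any parent domain is on the blocklist."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def encode_name(name):
    """Encode a dotted name in DNS label format (length-prefixed labels)."""
    return b"".join(bytes([len(lab)]) + lab.encode()
                    for lab in name.rstrip(".").split(".")) + b"\x00"

def decode_name(packet, offset):
    """Decode an uncompressed name; return (name, offset after the terminator)."""
    labels = []
    while packet[offset]:
        n = packet[offset]
        labels.append(packet[offset + 1:offset + 1 + n].decode())
        offset += n + 1
    return ".".join(labels), offset + 1

def build_query(txid, qname):
    """Build a standard recursive A/IN query packet for qname."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)

def answer(query):
    """Answer an A query: sinkhole blocked names, forward known ones, else NXDOMAIN."""
    txid = struct.unpack("!H", query[:2])[0]
    qname, end = decode_name(query, 12)
    question = query[12:end + 4]  # QNAME + QTYPE + QCLASS, echoed back
    if is_blocked(qname):
        ip, rcode = SINKHOLE_IP, 0          # real address withheld
    elif qname.lower() in UPSTREAM:
        ip, rcode = UPSTREAM[qname.lower()], 0
    else:
        ip, rcode = None, 3                 # RCODE 3 = NXDOMAIN
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 1 if ip else 0, 0, 0)
    rr = b""
    if ip:  # answer RR: pointer to the question name, A, IN, TTL 60, 4-byte address
        rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + rr

def lookup(qname):
    """Run one query through the model and return (rcode, answered IP or None)."""
    resp = answer(build_query(0x1234, qname))
    rcode = struct.unpack("!H", resp[2:4])[0] & 0xF
    if not struct.unpack("!H", resp[6:8])[0]:
        return rcode, None
    return rcode, ".".join(str(b) for b in resp[-4:])
```

A blocked lookup still gets a syntactically normal answer, so a browser lands on the block page while malware that expected its real server gets nothing useful; logging the sinkholed names is also a cheap way to spot an infected machine on the network.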
I already mentioned OpenDNS, but it is no longer my first choice. I originally switched to using OpenDNS years ago when my ISP’s DNS servers were having problems. I stuck with them because they have some anti-malware features built-in. In particular they have blocked some of the major botnets, and did quickly block Flame’s Command and Control server access. OpenDNS also has more extensive Malware-blocking features, but only in their Enterprise offering. Neither the free OpenDNS service, nor the paid service that a home user or small business might buy, includes their full malware-blocking features. Fortunately there is a really powerful malware-blocking DNS available for free, and from a surprising source.
Symantec is well-known as a top security company, but they aren’t known for free or lightweight offerings. And yet they’ve created their own free (for home use, and by definition lightweight) DNS offering under the name Norton Connectsafe. This uses the same database of malicious domains as their enterprise URL/Domain filtering products, making it one of the most extensive in the industry. Switch from using your ISP’s DNS servers to using Norton Connectsafe’s DNS servers and you’ve made a major improvement in blocking malicious websites and malware communications. You also have the benefit of multiple levels of URL protection since you’ll still be getting URL Filtering from SmartScreen/Safe Browsing as well as the Norton Connectsafe protection. And if you are really paranoid then you can use Web of Trust (where possible) as well!
The main problem with Norton Connectsafe is that you have to configure your router or individual computers to use it instead of your ISP’s DNS servers. There are instructions on the Norton Connectsafe website, but if you are uncomfortable with this ask a home networking savvy friend for help. It will be well worth the effort.
Thanks for the tip on ConnectSafe….just configured my router.
Unfortunately, some ISPs seem to be intercepting all alternate DNS traffic and rerouting it to their own servers, thereby disabling OpenDNS, et al.
Do you have an example of an ISP that does this?
I did notice that once I put in the two DNS addresses for Connectsafe that my router automatically included an additional (I’m assuming for my ISP [at&t]). Does that mean that even if connectsafe blocks an ip address, that eventually the request will make its way down to the third in the list (the att one) and go to the site anyway?
Thanks for the tip on ConnectSafe. Great for a “hidden” family filter.
I use LinkExtend which includes WOT, SiteAdvisor, Norton and others in one tool. I turn off some of its less useful features in Options.