In an ideal world, critical IT systems should never rely on the security of lesser devices. But in practice, computer networks are complicated and many dependencies exist, some of which are more desirable than others, and eliminating all unwanted dependencies is a difficult task.
Windows member servers – i.e. those joined to an Active Directory (AD) domain – and workstations depend on domain controllers (DCs) to manage certain aspects of their security. This is a necessary dependency where a less important device relies on a more critical system.
Unwanted security dependencies tend to appear on networks unexpectedly. For instance, a PC becomes infected with a virus because the user was tricked into running a malicious executable, and an unpatched vulnerability is exploited. As a result, the Exchange Server is also infected and subsequently shut down by the virus. Though we can argue both the PC and server should have been patched, in this situation the server was unlikely to have been infected if the PC had remained secure.
I was recently reminded about the DNS Changer trojan that first appeared in 2008 and mutated into various different forms. The virus attempts to change a PC’s DNS settings to redirect internet traffic, and failing that, scans the local network in an effort to discover the admin credentials and change the DNS configuration of gateway routers. This is an unfortunate example of where a critical network device becomes dependent on a PC for its security, in turn compromising the integrity of all devices connected to the router. Another variant of the trojan sets up a DHCP server on infected PCs and attempts to intercept DHCP requests on the local network and respond with bogus DNS settings to devices looking for valid DNS configuration.
To change DNS configuration on Windows, administrative rights are required; so a standard user account stops DNS Changer dead in its tracks. Secondly, with application whitelisting in place, DNS Changer wouldn’t be able to run at all, preventing it from scanning the network for vulnerable devices.
While SANS Internet Storm Center issued reactive advice at the time to block traffic to IP addresses known to host the malicious DNS servers, a proactive approach to prevent PCs being infected in the first place is always preferable. Antivirus should also be capable of stopping DNS Changer, but why rely solely on AV to protect your systems, especially with the speed at which malware mutates and sophisticated techniques used to evade detection.
Users often think that what happens on their network-connected PC or other device cannot affect the security of other systems, let alone critical servers and network hardware. But as you’ve read in this blog post, users and management should understand that once a device is connected to the network it does not exist in isolation, and least privilege security and application whitelisting technologies, such as those provided by Avecto, are needed to protect the IT infrastructure at large.
