TY - JOUR
T1 - On The Vulnerability of Anti-Malware Solutions to DNS Attacks
AU - Nadler, Asaf
AU - Bitton, Ron
AU - Brodt, Oleg
AU - Shabtai, Asaf
N1 - Publisher Copyright:
© 2022 Elsevier Ltd
PY - 2022/5/1
Y1 - 2022/5/1
N2 - Anti-malware agents typically communicate with their remote services to share information about suspicious files. These remote services use their up-to-date information and global context (view) to help classify the files and instruct their agents to take a predetermined action(e.g., delete or quarantine). In this study, we provide a security analysis of a specific form of communication between anti-malware agent sand their services, which takes place entirely over the insecure DNS protocol. These services, which we denote DNS anti-malware list (DNSAML)services, affect the classification of files scanned by anti-malware agents, therefore potentially putting their consumers at risk due to known integrity and confidentiality flaws of the DNS protocol. Byan alyzing a large-scale DNS traffic dataset made available to the authors by a well-known CDN provider, we identify anti-malware solutions that seem to make use of DNSAML services. We found that these solutions, deployed on almost three million machines worldwide, exchange hundreds of millions of DNS requests daily. These requests are carrying sensitive file scan information, oftentimes - as we demonstrate - without any additional safeguards to compensate for the insecurities of the DNS protocol. As a result, these anti-malware solutions that use DNSAML are made vulnerable to DNS attacks. For instance, an attacker capable of tampering with DNS queries, gains the ability to alter the classification of scanned files, without presence on the scanning machine. We showcase three attacks applicable to at least three anti-malware solutions that could result in the disclosure of sensitive information and improper behavior of the anti-malware agent, such as ignoring detected threats. Finally, we propose and review a set of countermeasures for anti-malware solution providers to prevent the attacks stemming from the use of DNSAML services.
AB - Anti-malware agents typically communicate with their remote services to share information about suspicious files. These remote services use their up-to-date information and global context (view) to help classify the files and instruct their agents to take a predetermined action(e.g., delete or quarantine). In this study, we provide a security analysis of a specific form of communication between anti-malware agent sand their services, which takes place entirely over the insecure DNS protocol. These services, which we denote DNS anti-malware list (DNSAML)services, affect the classification of files scanned by anti-malware agents, therefore potentially putting their consumers at risk due to known integrity and confidentiality flaws of the DNS protocol. Byan alyzing a large-scale DNS traffic dataset made available to the authors by a well-known CDN provider, we identify anti-malware solutions that seem to make use of DNSAML services. We found that these solutions, deployed on almost three million machines worldwide, exchange hundreds of millions of DNS requests daily. These requests are carrying sensitive file scan information, oftentimes - as we demonstrate - without any additional safeguards to compensate for the insecurities of the DNS protocol. As a result, these anti-malware solutions that use DNSAML are made vulnerable to DNS attacks. For instance, an attacker capable of tampering with DNS queries, gains the ability to alter the classification of scanned files, without presence on the scanning machine. We showcase three attacks applicable to at least three anti-malware solutions that could result in the disclosure of sensitive information and improper behavior of the anti-malware agent, such as ignoring detected threats. Finally, we propose and review a set of countermeasures for anti-malware solution providers to prevent the attacks stemming from the use of DNSAML services.
KW - Anti-malware
KW - DNS
KW - Information disclosure
UR - http://www.scopus.com/inward/record.url?scp=85126109420&partnerID=8YFLogxK
U2 - 10.1016/j.cose.2022.102687
DO - 10.1016/j.cose.2022.102687
M3 - Article
SN - 0167-4048
VL - 116
JO - Computers and Security
JF - Computers and Security
M1 - 102687
ER -