Using ArcSight to find affected DNS Changer Virus Assets – Deadline 8 March 2012

Technology Requirements: ArcSight ESM, fed by logs from any technology that records the Target IPv4 Address and Target Port and whose events can be categorised with an Outcome (for example firewall or proxy logs).

The goal is to detect assets which could be infected with the DNS Changer virus. The rogue DNS servers have been under temporary FBI control via a court order, which gave owners of infected computers time to remove the malware. On 8 March 2012 the court order expires, which could potentially leave millions of infected computers unable to make valid or trusted DNS requests. If you use ArcSight or a similar SIEM, here are some ways to find possibly infected assets before the substitute DNS servers are taken offline.

To detect this threat I created four ArcSight resources:

  1. Filters
  2. Case
  3. Active List
  4. Rule

There are six IP ranges listed for suspect DNS traffic. The FBI has had control of the DNS servers since the takedown operation and is about to shut the project down. Any computer making DNS requests to these IP ranges should be considered suspect and possibly infected:

Regular Format                  ArcSight Format
77.67.83.0-77.67.83.255         77.67.83.0,77.67.83.255
213.109.64.0-213.109.79.255     213.109.64.0,213.109.79.255
85.255.112.0-85.255.127.255     85.255.112.0,85.255.127.255
67.210.0.0-67.210.15.255        67.210.0.0,67.210.15.255
64.28.176.0-64.28.191.255       64.28.176.0,64.28.191.255
93.188.160.0-93.188.167.255     93.188.160.0,93.188.167.255

ArcSight broad filter

The goal is to create a filter that matches the suspect Target IPv4 Address ranges together with the DNS Target Port (53). Note that the range bounds must match the table above exactly; a range that starts at .1 instead of .0 silently misses the first address.

event1: ( ( Target Address
Between (77.67.83.0,77.67.83.255) OR
Target Address
Between (85.255.112.0,85.255.127.255) OR
Target Address
Between (67.210.0.0,67.210.15.255) OR
Target Address
Between (93.188.160.0,93.188.167.255) OR
Target Address
Between (213.109.64.0,213.109.79.255) OR
Target Address
Between (64.28.176.0,64.28.191.255) ) AND Target Port = 53 )  


ArcSight communications successful filter

The goal is to create a filter for the suspect Target IPv4 Address ranges and the DNS Target Port where the outbound communication was successful, i.e. the request actually reached the rogue server rather than being blocked.

event1 : ( ( Target Address
Between (77.67.83.0,77.67.83.255) OR
Target Address
Between (85.255.112.0,85.255.127.255) OR
Target Address
Between (67.210.0.0,67.210.15.255) OR
Target Address
Between (93.188.160.0,93.188.167.255) OR
Target Address
Between (213.109.64.0,213.109.79.255) OR
Target Address
Between (64.28.176.0,64.28.191.255) ) AND
Target Port = 53 AND
Category Outcome = /Success )


ArcSight Active List

The goal of the Active List is to record any assets which are suspected of being infected with the DNS Changer virus, keyed on the Attacker IPv4 Address (the internal host making the request). The Active List attributes are as follows:

  Name = DNS Changer Assets
  Optimize Data = enabled
  TTL = 90 Days
  Data = Fields-based
  Field Name = SuspectAssets
  Field Type = Address
  Field Sub-type = IP Address


 ArcSight Case

The goal of the Case is to record any activity associated with assets which are suspected of being infected with the DNS Changer virus


ArcSight Rule – Any outbound communications

The goal of the Rule is to fire on any event matching the broad filter above and record the activity against the Case and Active List, so that assets suspected of being infected with the DNS Changer virus are tracked.



Basic aggregation conditions:


Rule Actions:

1. On the first matching event, the message field is set to “DNS Changer Virus FBI Warning”.

2. The name field lists the attacker address (the internal host that made the DNS request).

3. The priority is set to 0 because the rule is in the testing phase.

4. The activity is added to the existing case called DNS Changer Virus FBI. This aids in testing and tuning the rule.

5. On every event, the attacker IPv4 address is added to the Active List called DNS Changer Assets. The hit count per address shows whether this is a one-off series of events or frequent DNS requests; frequent requests to the rogue ranges pinpoint an infected computer.



ArcSight Rule – Successful outbound communications

The goal of this Rule is the same as above, but it uses the communications successful filter (named DNS Changer Virus Successful) instead of the broad filter and alerts at a higher priority, because a successful outbound DNS request to a rogue server is stronger evidence of infection than a blocked attempt.
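The two filters, the Active List and both rule actions above can be reproduced outside ArcSight to check the logic before deploying it. The following is an added example written for this page, not code from the original post or from ArcSight: it implements the six suspect ranges, the port 53 and outcome checks, and the per-host hit counting of the Active List, and runs them over a handful of constructed log lines. The `src=... dst=... dport=... outcome=...` line format and the priority values are assumptions chosen for the example.

```python
import ipaddress
from collections import Counter

# The six rogue DNS ranges from the FBI notice (same values as the table above).
SUSPECT_RANGES = [
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("64.28.176.0", "64.28.191.255"),
    ("93.188.160.0", "93.188.167.255"),
]
# Pre-convert to integers so the inclusive "Between" check is a plain comparison.
_RANGES = [(int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi)))
           for lo, hi in SUSPECT_RANGES]

# Constructed sample events in an assumed normalised key=value format.
# 10.1.1.25 asks a rogue server twice, 10.1.1.40 once blocked and once
# successful, 10.1.1.60 uses a legitimate resolver, 10.1.1.70 hits a rogue
# address but on a non-DNS port.
SAMPLE_EVENTS = [
    "src=10.1.1.25 dst=85.255.112.34 dport=53 outcome=/Success",
    "src=10.1.1.25 dst=85.255.112.34 dport=53 outcome=/Success",
    "src=10.1.1.40 dst=93.188.160.0 dport=53 outcome=/Failure",
    "src=10.1.1.60 dst=8.8.8.8 dport=53 outcome=/Success",
    "src=10.1.1.70 dst=77.67.83.10 dport=443 outcome=/Success",
    "src=10.1.1.40 dst=64.28.191.255 dport=53 outcome=/Success",
]


def in_suspect_range(addr):
    """True if addr falls inside any of the six rogue DNS ranges (inclusive)."""
    n = int(ipaddress.IPv4Address(addr))
    return any(lo <= n <= hi for lo, hi in _RANGES)


def parse_event(line):
    """Parse one key=value log line into the fields the filters need."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {
        "attacker": fields["src"],          # ArcSight Attacker Address
        "target": fields["dst"],            # ArcSight Target Address
        "target_port": int(fields["dport"]),
        "outcome": fields.get("outcome", ""),
    }


def broad_filter(ev):
    """Equivalent of the 'ArcSight broad filter': suspect target AND port 53."""
    return in_suspect_range(ev["target"]) and ev["target_port"] == 53


def success_filter(ev):
    """Equivalent of the 'communications successful filter'."""
    return broad_filter(ev) and ev["outcome"] == "/Success"


def run_rules(lines, test_priority=0, success_priority=5):
    """Apply both rules: returns (active_list, case_entries).

    active_list counts hits per attacker address, like the DNS Changer Assets
    Active List; case_entries records what would be attached to the Case.
    Priorities are assumed values: 0 while testing, higher for successful
    outbound communications.
    """
    active_list = Counter()
    case_entries = []
    for line in lines:
        ev = parse_event(line)
        if not broad_filter(ev):
            continue
        priority = success_priority if success_filter(ev) else test_priority
        active_list[ev["attacker"]] += 1
        case_entries.append({
            "name": ev["attacker"],
            "message": "DNS Changer Virus FBI Warning",
            "target": ev["target"],
            "priority": priority,
        })
    return active_list, case_entries


def frequent_hosts(active_list, threshold=2):
    """Hosts whose hit count reaches the threshold: likely infected rather than one-off."""
    return sorted(h for h, n in active_list.items() if n >= threshold)


if __name__ == "__main__":
    al, entries = run_rules(SAMPLE_EVENTS)
    for host, hits in sorted(al.items()):
        print(f"{host}: {hits} suspect DNS request(s)")
    print("likely infected:", frequent_hosts(al))
```

The boundary addresses in the sample (93.188.160.0 and 64.28.191.255) are deliberately the first and last address of their ranges; if the broad filter in ArcSight is typed with a .1 lower bound, the 93.188.160.0 event would be missed, which is the check worth running against your own filter definition.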

Visual graph outcome:



To read more about this topic from other sources:

[PDF] http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf

http://gizmodo.com/5885716/the-fbi-might-cut-off-the-internet-for-millions-of-people-on-march-8th

http://upload.democraticunderground.com/10951119
