In recent years, use of DNS (Domain Name System) has increasingly spread such that nowadays many services (including various protocols, applications, technologies etc.) are using the DNS for address resolution. That is, services using DNS rely on a valid DNS server setting for providing the service-requesting entity with the appropriate functionalities, or the like. Accordingly, the DNS, and particularly the DNS-related settings, has become an attractive target for attacks on the proper functioning of such services using DNS. By manipulating the DNS server setting utilized by a specific service for address resolution, an attacker tries to misdirect the service to a fraudulent address (instead of the address actually intended for service provisioning) without its knowledge or consent.
As one example scenario in this regard, attacks on users over the Internet have become popular, by which users are misdirected to fraudulent Web sites without their knowledge or consent. Such attacks are often referred to as “pharming” attacks.
In such pharming attacks, the DNS server setting is manipulated, which can generally be done at any point in the DNS resolving chain from the first DNS resolver to the root DNS server. For example, such pharming attacks can be implemented on a client device by locally manipulating the DNS server setting, or on some device keeping the DNS server setting, such as a DHCP (Dynamic Host Configuration Protocol) server device, by setting a rogue DNS server address.
That is, in a local network environment, the DNS server setting potentially subject to such a pharming attack can be configured in a client device or in another local-area device such as a local-area DHCP server device, e.g. a router in the local network environment such as a home or SOHO-type router, or a (wireless) base station or access point in the local network environment.
Typically, pharming can be achieved by replacing the real IP addresses associated with legitimate websites with the IP addresses of fake websites. Pharming attacks may occur by attacking hosts files or other local configuration files that may be used for resolution on individual computers. The hosts file is a computer file used by an operating system to map hostnames to IP addresses. The hosts file assists in addressing network nodes in a computer network. It is a part of an operating system's Internet Protocol (IP) implementation, and serves the function of translating hostnames into numeric protocol addresses, called IP addresses, that identify and locate a host in an IP network.
The hosts file may present an attack vector for malicious software. The file may be modified, for example, by adware, computer viruses, or trojan horse software to redirect traffic from the intended destination to sites hosting malicious or unwanted content.
U.S. Pat. No. 8,316,440 describes a way of monitoring changes to the hosts file. Specifically, it teaches monitoring changes to the IP addresses assigned to specific domains in the file and keeping track of the IP addresses assigned to the same domain seen in the past. It then calculates the magnitude of change between the current IP address value for the specific domain and the historical value assigned to the same domain. If the magnitude of change is over a predetermined threshold, it is treated as an indication of a malicious change.
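The following is an added illustration of the monitoring approach described above; it is not code from the cited patent or from this application. The patent text does not define how the "magnitude of change" is computed, so the metric used here (the number of low-order address bits that differ, i.e. how far outside the historical prefix the new address lies) and the threshold of 16 bits are assumptions, and the two hosts-file contents are constructed sample input.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample hosts-file contents (not taken from any real system).
HOSTS_BEFORE = """
# comment lines and blank lines are ignored
127.0.0.1       localhost
::1             localhost
93.184.216.34   www.example.com
192.0.2.10      intranet.example.test
"""

HOSTS_AFTER = """
127.0.0.1       localhost
::1             localhost
198.51.100.7    www.example.com      # hypothetical rogue mapping
192.0.2.11      intranet.example.test
"""


def parse_hosts(text: str) -> Dict[str, str]:
    """Return a hostname -> address mapping from hosts-file text.

    Blank lines and '#' comments are ignored. One line may map a single
    address to several hostnames, as the hosts-file format allows; lines
    whose first field is not a valid IP address are skipped, not trusted.
    """
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # malformed line
        for host in parts[1:]:
            mapping[host.lower()] = addr
    return mapping


def change_magnitude(old: str, new: str) -> int:
    """Assumed metric for the magnitude of change between two addresses.

    Defined as the bit length of old XOR new: 0 means no change, 1 means
    only the last bit differs (a neighbouring address), 32 means the IPv4
    addresses share no leading prefix at all. A change of address family
    (IPv4 <-> IPv6) is scored as the larger family's full width.
    """
    a, b = ipaddress.ip_address(old), ipaddress.ip_address(new)
    if a.version != b.version:
        return max(a.max_prefixlen, b.max_prefixlen)
    return (int(a) ^ int(b)).bit_length()


def detect_suspicious_changes(
    history: Dict[str, str],
    current: Dict[str, str],
    threshold: int = 16,
) -> List[Tuple[str, Optional[str], str, Optional[int]]]:
    """Compare the current mapping against historical values per domain.

    Returns (host, old_address, new_address, magnitude) for each host whose
    address moved by at least `threshold` bits (assumed threshold; 16 means
    "outside the historical /16"). Hosts with no history are reported with
    old_address and magnitude set to None, since there is nothing to
    compare against and a new override deserves a look on its own.
    """
    findings = []
    for host, new in current.items():
        old = history.get(host)
        if old is None:
            findings.append((host, None, new, None))
            continue
        magnitude = change_magnitude(old, new)
        if magnitude >= threshold:
            findings.append((host, old, new, magnitude))
    return findings


if __name__ == "__main__":
    before = parse_hosts(HOSTS_BEFORE)
    after = parse_hosts(HOSTS_AFTER)
    for finding in detect_suspicious_changes(before, after):
        print("suspicious hosts-file change:", finding)
```

In the sample, www.example.com moves from 93.184.216.34 to 198.51.100.7 (magnitude 32, flagged), while intranet.example.test moves only from 192.0.2.10 to 192.0.2.11 (magnitude 1, below threshold). As the text that follows points out, this style of check inspects only the hosts file itself and is blind to a resolver that has been redirected to read a different file.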
However, we have recently seen adware that does not actually change the hosts file but instead changes, for example, the Windows binary that is responsible for using the hosts file, so that it uses some other file as its hosts file. This kind of adware may create a new hosts file with a random name in a random directory location. Then it patches dnsapi.dll in order to force the operating system to use the new hosts file instead of the original. These kinds of malicious tricks would not be noticed by prior art solutions, such as U.S. Pat. No. 8,316,440, as they only monitor the hosts file.
Accordingly, there is a demand to improve the security of computer systems so as to detect and prevent these kinds of malicious attacks as well.