Trojans are malicious software “viruses” that upon infecting the target machine (e.g., a user's personal computer (PC)), may work stealthily towards undesired goals, such as compromising the user's credentials and/or private information by disclosing them to an unintended third party, e.g., the Trojan's owner or sender. Trojans can be used as part of a “phishing” attack to obtain information from the victim. One technique employed by Trojans may be fooling the user into thinking that he (the user) is browsing a secure site or a site of a trusted party (for example, a bank's web site), while in fact he is accessing a different site, which may, for example, be a site maintained by the Trojan's owner. This tactic may be known as domain name system (DNS) spoofing, and it may be used to eventually obtain a victim's credentials, passwords, account or other personal information, as he logs in to what he thinks is the secure or trusted website.
One way in which Trojans spoof a machine's DNS is by adding entries to the operating system “hosts” file. Different operating systems store the hosts file in different locations. Thus, for example, in Windows NT/2000/2003/XP, the full file path may be %windir%\system32\drivers\etc\hosts; in Windows 95/98/ME, the full file path may be C:\Windows\hosts; in UNIX systems and in Mac OS/X, the full file path may be /etc/hosts; and in Mac OS/9 and below, the file name may be Hosts, and it is located in the Preference folder (it also has a different format, but it allows the same kind of manipulation by Trojans). The hosts file typically contains static DNS mapping (e.g., mapping from alphanumeric host name to a numeric IP address), and it may be consulted by the computer during the process of resolving the IP address of a domain name entered by the user.
Below is an example of a hosts file from Windows/XP that has not been manipulated or infiltrated:
# Copyright (c) 1993-1999 Microsoft Corp.## This is a sample HOSTS file used by Microsoft TCP/IP for Windows.## This file contains the mappings of IP addresses to host names. Each# entry should be kept on an individual line. The IP address should# be placed in the first column followed by the corresponding host name.# The IP address and the host name should be separated by at least one# space.## Additionally, comments (such as these) may be inserted on individual# lines or following the machine name denoted by a ‘#’ symbol.## For example:##102.54.94.97rhino.acme.com# source server# 38.25.63.10x.acme.com# x client host127.0.0.1localhost
Typically, a mapping or entry in the hosts file may take precedence over other mappings, such as DNS server queries. Therefore, by adding entries to the hosts file, Trojan software may force the victim machine (typically a PC) to map the name of a desired website (e.g., www.nosuchbank.com), which host name will be used herein as an example of a client's bank website to an IP address controlled by the Trojan's owner (e.g., 10.20.30.40), instead of to www.nosuchbank.com's real IP address. The below example demonstrates the hosts file as it may look after it has been manipulated by a Trojan. The reader will note that the last line in the file has been added by the Trojan.
# copyright (c) 1993-1999 Microsoft Corp.## This is a sample HOSTS file used by Microsoft TCP/IP for Windows.## This file contains the mappings of IP addresses to host names. Each# entry should be kept on an individual line. The IP address should# be placed in the first column followed by the corresponding host name.# The IP address and the host name should be separated by at least one# space.## Additionally, comments (such as these) may be inserted on individual# lines or following the machine name denoted by a ‘#’ symbol.## For example:##102.54.94.97rhino.acme.com# source server# 38.25.63.10x.acme.com# x client host127.0.0.1localhost10.20.30.40www.nosuchbank.com
Consequently, the user's PC, upon his typing www.nosuchbank.com in the browser's address bar, will send an HTTP request to 10.20.30.40 (instead of to the real IP address of www.nosuchbank.com), and the user will see in the browser whatever page is found on 10.20.30.40 (instead of the contents of www.nosuchbank.com's website). Thus, rather than being presented with the true page on www.nosuchbank.com's website, the user is presented with the page created by the fraudster to capture the user's sensitive information. Thus, for example, if the web page purporting to be the secure or trusted website requests sensitive or valuable login details, the user may submit them trustingly, unknowingly providing them to the fraudster. Consequently, the fraudster may easily collect from the 10.20.30.40 server valuable credentials from users.
Alternatively, a Trojan may alter the DNS server entry in the network (TCP/IP) stack of the user machine, to point at a malicious DNS server (which may typically be operated by the Trojan master). In such case, each and every DNS resolution needed by the client will cause the network stack to consult the malicious DNS server. This server may be configured to reply with the genuine IP address of nearly all host names, except for one or a limited number of addresses, e.g., www.nosuchbank.com, which it will resolve to the fraudulent site, e.g., 10.20.30.40.
Known security solutions (such as anti-virus and anti-malware solutions) are able to detect that the hosts file or the DNS server configuration have been modified (or are hostile) when executed locally, on the infected machine itself. As such, these solutions are typically unable to provide an adequate solution for Internet service providers (ISPs) and other entities that do not have such access to their clients' machines, while at the same time have an incentive to protect those clients, as well as their own resources (network bandwidth, customer support call reduction, security) from this Trojan threat.
There is therefore a need for an improved method, apparatus and system for protecting against DNS spoofing attacks.