The present invention generally relates to detecting and preventing pharming attacks on computer systems. More specifically, the present invention relates to using historical data to help detect pharming attacks and especially changes in name-to-IP resolutions on computer systems.
Pharming is a type of malicious attack on computer systems that aims to redirect a legitimate website's traffic to another fake or bogus website. Often, the purpose is to steal the victims' sensitive or private information, such as access codes or passwords to financial institutions. Typically, pharming is achieved by secretly manipulating the local and/or global DNS server(s) used by the victims' computer systems, and particularly by changing or replacing the real IP addresses associated with the legitimate websites with IP addresses of the fake websites. Thereafter, when the victims attempt to access those websites whose IP addresses have been tampered with, they are directed to the fake websites instead.
Every end-point on the Internet, e.g., application servers, mail servers, work stations, personal computers, etc., has a globally unique IP (Internet Protocol) address, at least for the duration that the IP address is being used. IP addresses may be static or dynamic. A static IP address, once being assigned to an end-point, i.e., a network device, usually does not change, whereas a dynamic IP address may be assigned to different network devices at different times.
IP addresses, especially static IP addresses, may be used as identifiers or locators for computer systems or other network devices on the Internet. An IP address associated with a network device is analogous to a street address associated with a building, such that just as a street address uniquely identifies the location of a building in the real world, an IP address uniquely identifies a network device on the Internet.
There are two versions of the Internet Protocol currently in use. The common version is IPv4 (IP version 4), which uses 32-bit (4-byte) addresses. Each IPv4 address is represented as four numbers separated by dots (“.”) and each number is between 0 and 255 (8 bits). Thus, typical IPv4 addresses may look like “192.168.4.32” or “127.0.64.1”.
The newer and less commonly used version is IPv6 (IP version 6), which uses 128-bit (16-byte) addresses. Each IPv6 address is represented as eight numbers, typically written in hexadecimal format, separated by colons (“:”). Typical IPv6 addresses may look like “2004:0da8:90a3:02f0:1428:c34b:0040:1b3a”.
Regardless of which version of the Internet Protocol is used, it is usually difficult for humans to remember even one or two such IP addresses, much less the IP addresses of the many websites and other network devices people frequently visit every day. To simplify the matter, directories, called Domain Name System (DNS), are created to map websites' names and other network devices' host names to their corresponding IP addresses. For example, the IP address assigned to the URL (Uniform Resource Locator) “www.yahoo.com” may be “209.131.36.158”, and the IP address assigned to the URL “www.trendmicro.com” may be “216.246.93.75”. When a person wishes to visit the Yahoo!® main home page “www.yahoo.com”, he may enter this name into the URL field of the web browser on his computer. The computer, or more specifically, the web browser, then queries a DNS server for the IP address associated with the application server that hosts the URL “www.yahoo.com”. The DNS server looks up the correct IP address for the name “www.yahoo.com” and returns the address “209.131.36.158” to the web browser so that the web browser may contact “www.yahoo.com” using the correct IP address. This process is often referred to as “name-to-IP resolution”.
Suppose a criminal wants to steal people's private information, such as user names and passwords, from a bank's website, e.g., “www.bank.com”. He sets up a fake bank website, e.g., “www.fake-bank.com”, that appears as an exact duplicate of the real bank website, “www.bank.com”. The IP address assigned to the real bank website may be “192.80.0.16”, while the IP address associated with the fake bank website may be “162.32.8.0”. To hijack traffic from the real bank website to the fake bank website, the criminal replaces the real IP address, i.e., “192.80.0.16”, for “www.bank.com” on the DNS server with the IP address of the fake bank website, i.e., “162.32.8.0”. Thereafter, when the victims' computers query the DNS server for the IP address of the application server serving the website “www.bank.com”, the compromised DNS server returns “162.32.8.0” instead, and the victims' computers are directed to the application server hosting the fake bank website. The unsuspecting victims enter their user names and passwords at the fake bank website, which are then stolen by the criminal.
Pharming attacks occur on several levels. First, a criminal may attack Hosts files on individual computers. A Hosts file is a computer file that is used to store information for mapping host names to IP addresses. It may be used as a supplement to or in place of the DNS server. A Hosts file is under the control of the computer's owner or user. If a Hosts file is compromised, it only affects the particular computer system on which the file is located. Next, the criminal may attack local network routers. For example, an attacker may replace a router's legitimate DNS server with a fake DNS server under the criminal's control. This causes more problems than Hosts file attacks, because a compromised router affects computers on the entire local area network (LAN), as most routers specify a trusted DNS server to their clients as they join the LAN. Finally, the criminal may attack DNS servers directly and replace real IP addresses for the host names with fake IP addresses.
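The following is an added illustration, not part of the patent text, of the historical-data idea described above: a checker that keeps a record of previously observed name-to-IP resolutions, flags a newly resolved address that departs from that history (using the www.bank.com addresses from the example above), and applies the same check to entries in a Hosts file, the first attack level listed. The history table, the Hosts-file contents and the function names are constructed for the example.

```python
import ipaddress

# Constructed history of past name-to-IP resolutions (hypothetical data).
RESOLUTION_HISTORY = {
    "www.bank.com": {"192.80.0.16"},
    "www.yahoo.com": {"209.131.36.158"},
}

# Constructed Hosts-file sample: the second mapping overrides www.bank.com.
SAMPLE_HOSTS = """
127.0.0.1   localhost
# line added by a tampering actor (constructed sample)
162.32.8.0  www.bank.com
"""


def parse_hosts(text):
    """Parse Hosts-file text into {hostname: ip}; comments and blanks are skipped."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)  # accepts both IPv4 and IPv6 literals
        except ValueError:
            continue  # malformed entry, ignore
        for name in names:
            mapping[name.lower()] = ip
    return mapping


def check_resolution(hostname, resolved_ip, history=RESOLUTION_HISTORY):
    """Compare a fresh resolution with history; return (verdict, reason)."""
    seen = history.get(hostname.lower())
    if seen is None:
        return "unknown", "no historical resolution for this name"
    if resolved_ip in seen:
        return "ok", "matches a historical resolution"
    return "suspicious", f"{resolved_ip} differs from historical {sorted(seen)}"


def check_hosts_overrides(hosts_text, history=RESOLUTION_HISTORY):
    """Flag Hosts-file entries that send a known name to an unseen address."""
    findings = []
    for name, ip in parse_hosts(hosts_text).items():
        verdict, reason = check_resolution(name, ip, history)
        if verdict == "suspicious":
            findings.append((name, ip, reason))
    return findings
```

A real deployment would also need a policy for legitimate changes (for example a site moving hosts), which is why the verdict is "suspicious" rather than a hard block.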
Pharming is becoming a major concern, especially to businesses hosting e-commerce and online banking websites. Existing methods for combating pharming attacks, i.e., anti-pharming, include protections for application servers, DNS servers, web browsers, etc. Nevertheless, continuous efforts are being made to improve anti-pharming protections, and especially to improve the ability of detecting and preventing pharming attacks on individual computer systems.