System and Method for Detecting and Mitigating Dns Spoofing Trojans

US 20080147837A1
Filed: 02/26/2006
Published: 06/19/2008
Est. Priority Date: 02/24/2005
Status: Active Grant

First Claim

Patent Images

1. A method for detecting spoofing, the method comprising:

receiving notification of an IP request, said IP request being associated with a requested IP address and a desired hostname; and

detecting whether the requested IP address matches the desired hostname.

View all claims

14 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present invention relate to a method and system for detecting and/or mitigating domain name system (DNS) spoofing Trojan horse (or Trojan) code. Trojan code (sometimes called malware or malicious software) is a common computer security problem. Some Trojans modify the DNS resolution mechanism employed by the infected computer, such that the computer traffic, when browsing the Internet, is routed to a location not intended by the rightful owner of the computer. The present invention can detect this phenomenon from a remote device or location and may take action to mitigate its effects.

Citations

52 Claims

1. A method for detecting spoofing, the method comprising:
- receiving notification of an IP request, said IP request being associated with a requested IP address and a desired hostname; and
  
  detecting whether the requested IP address matches the desired hostname.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52)
- - 2. The method of claim 1, wherein said step of detecting whether the requested IP address matches the desired hostname comprises comparing at least one property of the requested IP address with a comparable property of the desired hostname.
  - 3. The method of claim 1, wherein if said IP address does not match said hostname, further comprising preventing connection to said IP address.
  - 4. The method of claim 1, wherein said step of detecting comprises:
    - obtaining a true hostname associated with said requested IP address; and
      
      comparing said true hostname with said desired hostname.
  - 5. The method of claim 4, wherein obtaining a true hostname associated with said requested IP address comprises using a reverse DNS lookup database.
  - 6. The method of claim 4, wherein obtaining a true hostname associated with said requested IP address comprises using a WHOIS database to look up identity of said requested IP address.
  - 7. The method of claim 1, wherein said IP request is made by a subscriber, and wherein if said IP address does not match said hostname, further comprising sending a notification to said subscriber.
  - 8. The method of claim 1, wherein said IP request is made by a subscriber, and wherein if said IP address does not match said hostname, further comprising directing said subscriber to an Internet website informing said subscriber.
  - 9. The method of claim 1, wherein if said IP address does not match said hostname, further comprising sending a notification to a third party.
  - 10. The method of claim 1, wherein said IP request is made by a subscriber, and wherein if said IP address does not match said hostname, further comprising:
    - obtaining a correct IP address associated with said desired hostname; and
      
      directing said subscriber to said correct IP address.
  - 11. The method of claim 1, wherein said notification of said IP request is a reply from a domain name server directed to a subscriber, said reply including said requested IP address.
  - 12. The method of claim 1, wherein said notification is an IP request received by an internet service provider (ISP) from a subscriber of said ISP.
  - 34. The method of claim 2, comprising:
    - determining whether the requested IP address appears in a pre-defined white list of IP addresses.
  - 35. The method of claim 2, comprising:
    - determining whether the requested IP address does not appear in a pre-defined black list of IP addresses.
  - 36. The method of claim 2, comprising:
    - determining whether the requested IP address does not correspond to a pre-defined domain name.
  - 37. The method of claim 2, wherein detecting comprises detecting using at least one of a cache proxy server, a content inspection server, an HTTP-aware device, a device able to sniff network data, a transparent proxy server, and a plurality of distributed computing platforms.
  - 38. The method of claim 1, wherein if said IP address does not match said hostname, further comprising notifying an entity in control of a network in which the IP request was transferred.
  - 39. The method of claim 1, wherein said IP request is made by a subscriber, and wherein if said IP address does not match said hostname, further comprising:
    - obtaining a correct IP address associated with said desired hostname.
  - 40. The method of claim 1, comprising:
    - based on a physical address class, detecting whether the requested IP address matches the desired hostname.
  - 41. The method of claim 1, comprising:
    - based on a physical address class included in a pre-defined list, of IP addresses, detecting whether the requested IP address matches the desired hostname.
  - 42. The method of claim 1, further comprising:
    - performing a corrective operation on said IP request.
  - 43. The method of claim 1, wherein the corrective operation is selected from a group consisting of:
    - notifying a client from which the IP request originated, cleaning a Trojan in a client from which the IP request originated, obtaining a correct IP address from a trusted source, sending a security notification to a client from which the IP requested originated, sending a notification to an anti-virus manufacturer, performing a silent rerouting, sending a notification to a phish-fighting entity, and communicating with a help desk.
  - 44. The method of claim 1, further comprising:
    - performing a corrective operation on said IP request at a server of an ISP.
  - 45. The method of claim 1, further comprising:
    - if the desired hostname corresponds to a sponsor entity, detecting whether the requested IP address matches the desired hostname.
  - 46. The method of claim 1, further comprising:
    - if the desired hostname corresponds to a sponsor entity, performing a corrective step on said IP request.
  - 47. The method of claim 1, further comprising:
    - if the desired hostname corresponds to a sponsor entity, performing a corrective step on said IP request at a server of an ISP.
  - 48. The method of claim 1, further comprising:
    - if the desired hostname corresponds to a sponsor entity, notifying said sponsor entity.
  - 49. The method of claim 2, comprising:
    - determining by an ISP server whether the requested IP address does not correspond to a pre-defined domain name.
  - 50. The method of claim 2, comprising:
    - determining by a firewall server whether the requested IP address does not correspond to a pre-defined domain name.
  - 51. The method of claim 2, comprising:
    - determining by an Internet gateway whether the requested IP address does not correspond to a pre-defined domain name.
  - 52. The method of claim 2, comprising:
    - determining by a personal computer whether the requested IP address does not correspond to a pre-defined domain name.

13. A method comprising:
- receiving a notification of a request sent to a network address, said request being associated with a requested network address and a desired hostname; and
  
  detecting whether the requested network address matches the desired hostname.
- View Dependent Claims (14)
- - 14. The method of claim 13, wherein the network address is an IPv6 network address.

15. A system comprising:
- an analyzer to receive notification of an IP request, said IP request being associated with a requested IP address and a desired hostname, and to detect whether the requested IP address matches the desired hostname.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 16. The system of claim 15, wherein said analyzer is to compare at least one property of the requested IP address with a comparable property of the desired hostname.
  - 17. The system of claim 15, wherein said system is to prevent connection to said IP address if said IP address does not match said hostname.
  - 18. The system of claim 15, wherein said analyzer is to obtain a true hostname associated with said requested IP address, and to compare said true hostname with said desired hostname.
  - 19. The system of claim 18, wherein said analyzer is to obtain said true hostname associated with said requested IP address using a reverse DNS lookup database.
  - 20. The system of claim 18, wherein said analyzer is to obtain said true hostname associated with said requested IP address using a WHOIS database able to look up identity of said requested IP address.
  - 21. The system of claim 15, wherein said IP request is made by a subscriber, and wherein if said IP address does not match said hostname, said system is to send a notification to said subscriber.
  - 22. The system of claim 15, wherein said IP request is made by a subscriber, and wherein if said IP address does not match said hostname, said system is to direct said subscriber to an Internet website informing said subscriber.
  - 23. The system of claim 15, wherein if said IP address does not match said hostname, said system is to send a notification to a third party.
  - 24. The system of claim 15, wherein said IP request is made by a subscriber, and wherein if said IP address does not match said hostname, the system is to obtain a correct IP address associated with said desired hostname, and to direct said subscriber to said correct IP address.
  - 25. The system of claim 15, wherein said notification of said IP request is a reply from a domain name server directed to a subscriber, said reply including said requested IP address.
  - 26. The system of claim 15, wherein said notification is an IP request received by an internet service provider (ISP) from a subscriber of said ISP.
  - 27. The system of claim 15, wherein said analyzer is included in a server computer, said system further comprising a client computing platform to send to said server computer said notification of IP request.

28. A method comprising:
- receiving at a computing device a notification including a physical address of a computing element being associated with a requested physical address and logical address; and
  
  determining whether said requested physical address matches the logical address.
- View Dependent Claims (29, 30, 31, 32, 33)
- - 29. The method of claim 28, wherein the physical address is selected from a group consisting of:
    - an IP address of an Internet site, a network address, an IPv6 address, and at least a portion of a header of an electronic mail header.
  - 30. The method of claim 28, wherein the logical address is selected from a group consisting of:
    - a hostname, and a Uniform Resource Locator (URL).
  - 31. The method of claim 28, wherein the computing device is selected from a group consisting of:
    - a Personal Computer (PC), a DNS server, an HTTP server, and a firewall device.
  - 32. The method of claim 28, wherein the step of determining whether said requested physical address matches the logical address comprises using a WHOIS database.
  - 33. The method of claim 28, wherein the determining whether said requested physical address matches the logical address comprises performing DNS queries to DNS servers to using the requested physical address and comparing a logical address returned in response to such DNS queries to said logical address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Golan, Zohar, Klein, Amit

Granted Patent

US 8,266,295 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/223
CPC Class Codes

H04L 61/4511   using domain name system [DNS]

H04L 63/0236   Filtering by address, proto...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1475   Passive attacks, e.g. eaves...

H04L 63/1483   service impersonation, e.g....

System and Method for Detecting and Mitigating Dns Spoofing Trojans

First Claim

14 Assignments

0 Petitions

Accused Products

Abstract

Citations

52 Claims

Specification

Solutions

Use Cases

Quick Links

System and Method for Detecting and Mitigating Dns Spoofing Trojans

First Claim

14 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

52 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links