Anti-malware agents typically communicate with their remote services to share
information about suspicious files. These remote services use their up-to-date
information and global context (view) to help classify the files and instruct
their agents to take a predetermined action (e.g., delete or quarantine). In
this study, we provide a security analysis of a specific form of communication
between anti-malware agents and their services, which takes place entirely over
the insecure DNS protocol. These services, which we denote DNS anti-malware
list (DNSAML) services, affect the classification of files scanned by
anti-malware agents, therefore potentially putting their consumers at risk due
to known integrity and confidentiality flaws of the DNS protocol. By analyzing
a large-scale DNS traffic dataset made available to the authors by a well-known
CDN provider, we identify anti-malware solutions that seem to make use of
DNSAML services. We found that these solutions, deployed on almost three
million machines worldwide, exchange hundreds of millions of DNS requests
daily. These requests are carrying sensitive file scan information, oftentimes
– as we demonstrate – without any additional safeguards to compensate for the
insecurities of the DNS protocol. As a result, these anti-malware solutions
that use DNSAML are made vulnerable to DNS attacks. For instance, an attacker
capable of tampering with DNS queries, gains the ability to alter the
classification of scanned files, without presence on the scanning machine. We
showcase three attacks applicable to at least three anti-malware solutions that
could result in the disclosure of sensitive information and improper behavior
of the anti-malware agent, such as ignoring detected threats. Finally, we
propose and review a set of countermeasures for anti-malware solution providers
to prevent the attacks stemming from the use of DNSAML services.

By admin