ISP caught doing DNS hijacking in fight against bots


According to Wired Blogs, Internet service provider Cox Communications is reportedly diverting attempts to reach certain online chat channels.

When a legitimate attempt is made to connect to one of those channels, Cox's DNS answers with the IP address of Cox's own IRC server instead of the correct one. That server then sends IRC commands to the redirected computer, commands designed to remove certain malware.

Excerpt from ISP Seen Breaking Internet Protocol to Fight Zombie Computers:

#martian_
[INFO] Channel view for "#martian_" opened.
-->| YOU (andrew.m) have joined #martian_
=-= Mode #martian_ +nt by localhost.localdomain
=-= Topic for #martian_ is ".bot.remove"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
=-= Topic for #martian_ is ".remove"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
=-= Topic for #martian_ is ".uninstall"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
=-= Topic for #martian_ is "!bot.remove"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
=-= Topic for #martian_ is "!remove"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
=-= Topic for #martian_ is "!uninstall"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
<Marvin_> .bot.remove
<Marvin_> .remove
<Marvin_> .uninstall
<Marvin_> !bot.remove
<Marvin_> !remove
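As an added example (not code from the Wired post, from Cox, or from this article), here is a small Python parser for the ChatZilla-style transcript above. It pulls the topic changes and nick messages out of the log, recognises the removal commands the excerpt shows (".bot.remove", "!uninstall" and so on), and summarises the signs an analyst would use to tell that a connection was answered by a cleanup server rather than the IRC network it asked for. The sample log is a constructed, shortened re-typing of the excerpt; the channel name and nicks are taken from it.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample input: a shortened re-typing of the ChatZilla-style
# transcript quoted above (same line formats and nicks, fewer repeats).
SAMPLE_LOG = """\
[INFO] Channel view for "#martian_" opened.
-->| YOU (andrew.m) have joined #martian_
=-= Mode #martian_ +nt by localhost.localdomain
=-= Topic for #martian_ is ".bot.remove"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
=-= Topic for #martian_ is ".remove"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
<Marvin_> .bot.remove
<Marvin_> !remove
<andrew.m> hello?
"""

# The command words the transcript shows; IRC bots conventionally take their
# commands with a "." or "!" prefix, so both prefixes are accepted below.
REMOVAL_WORDS = {"bot.remove", "remove", "uninstall"}

MODE_RE = re.compile(r'^=-= Mode (?P<chan>#\S+) \S+ by (?P<who>\S+)$')
TOPIC_RE = re.compile(r'^=-= Topic for (?P<chan>#\S+) is "(?P<topic>.*)"$')
TOPIC_BY_RE = re.compile(r'^=-= Topic for (?P<chan>#\S+) was set by (?P<nick>\S+) on (?P<when>.+)$')
MSG_RE = re.compile(r'^<(?P<nick>[^>]+)> (?P<text>.*)$')
WHEN_FMT = "%A, %B %d, %Y %I:%M:%S %p"   # e.g. "Sunday, July 22, 2007 2:55:02 PM"


@dataclass
class Finding:
    kind: str                 # "topic" or "message"
    nick: str                 # who set the topic or sent the message
    command: str              # the removal command as it appeared
    when: Optional[datetime]  # topic changes carry a timestamp, messages do not


def is_removal_command(text: str) -> bool:
    """True for a bare bot-control command such as '.remove' or '!uninstall'."""
    t = text.strip()
    return len(t) > 1 and t[0] in ".!" and t[1:] in REMOVAL_WORDS


def parse_log(log: str, channel: str = "#martian_") -> Tuple[List[Finding], Optional[str]]:
    """Return removal commands seen in `channel` (log order) and the host that set
    the channel mode; "localhost.localdomain" is an unconfigured server's default name."""
    findings: List[Finding] = []
    pending_topic: Optional[str] = None   # topic text awaiting its "was set by" line
    mode_by: Optional[str] = None
    for line in log.splitlines():
        m = MODE_RE.match(line)
        if m and m.group("chan") == channel:
            mode_by = m.group("who")
            continue
        m = TOPIC_RE.match(line)
        if m and m.group("chan") == channel:
            pending_topic = m.group("topic")
            continue
        m = TOPIC_BY_RE.match(line)
        if m and m.group("chan") == channel and pending_topic is not None:
            if is_removal_command(pending_topic):
                when = datetime.strptime(m.group("when"), WHEN_FMT)
                findings.append(Finding("topic", m.group("nick"), pending_topic, when))
            pending_topic = None
            continue
        m = MSG_RE.match(line)
        if m and is_removal_command(m.group("text")):
            findings.append(Finding("message", m.group("nick"), m.group("text"), None))
    return findings, mode_by


def assess(log: str, channel: str = "#martian_") -> dict:
    """Summarise the signs of a cleanup channel: topics set to removal commands,
    all issued by a single nick, on a server that still calls itself localhost."""
    findings, mode_by = parse_log(log, channel)
    issuers = sorted({f.nick for f in findings})
    topics = [f for f in findings if f.kind == "topic"]
    return {
        "removal_topics": len(topics),
        "removal_messages": len(findings) - len(topics),
        "issuers": issuers,
        "server_is_localhost": bool(mode_by and mode_by.startswith("localhost")),
        "looks_like_cleanup_channel": len(topics) > 0 and len(issuers) == 1,
    }
```

Run `assess(SAMPLE_LOG)` to get the summary; a real channel with ordinary chatter and several topic setters would not trip the "looks_like_cleanup_channel" flag.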

This tactic is now being heavily debated by networking experts on the NANOG mailing list.

There are some who give it a thumbs-up though. Says Adam Waters of Support Intelligence:

[I]t can't be a surprise that the ISP's have come, at long last, to fixing zombies without customer notification/consent...

Frankly, redirecting requests to malware sites, or IRC communication channels, to cleaner-sites sounds like a practical short term tactic to me.

Not surprisingly, this tactic has not found favor with everyone. Anthony Sanchez of irc.ablenet.org, the victim of this treatment by TimeWarner/Road Runner/AOL and then Cox, laments that:

These providers, while perhaps noble in their cause, are denying us our right to exist. If we were a large organization, this very likely would not be happening.

Do you have anything to add about the DNS hijacking methods that are being adopted?

About

Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.

51 comments
jdclyde

There are the half-assed organizations that have set themselves up to be dictators of who is and isn't a relay, and will put you on a blacklist if they think you are. Put on the list accidentally? Too bad, and they won't even tell you WHY you were banned, so it is hard to fix. There was a line in my firewall that they didn't like, and with NAT all outbound traffic was one address and mail inbound was another. The cable providers will subscribe to these lists, and all email from anyone on that list gets blocked when you try to enter their network.

Dr Dij

simply block the address. And disconnect you till you show them you are zombie free. I've been recommending they do this for years. If an ISP does this, it is not an abrogation of your free speech, unlike a govt doing it. They could quite simply block a huge chunk of malware sites by blocking certain third world ISPs who allow hosting malware sites. There are plenty in developed countries but sites are generally hacked.

brandie.anderson

I have seen first-hand the problems these bot networks create as an Information Security Manager for a university. Universities and other "free" organizations are open fodder for the IRC malware groups. While their method may be a bit unconventional, the issue remains: if the end user cannot or does not understand enough to clean/protect their system, they add to the hostile environment of the Internet. Maybe we should consider this ISP's actions to be along the lines of an HOA of the Internet world. Do what we say for having a home (computer) on the Internet or we will take action on your behalf. (I do hate HOAs, but I hate hacked computers worse.)

TechExec2

If a DNS server does not faithfully return the correct IP address for a given domain name, then it is breaking the trust. Most folks call this pharming or a man-in-the-middle attack. I don't care if it is doing it for what the server owner thinks is a "good" reason. Furthermore, attempting to execute something on a client computer without authorization is an "attack", regardless of whether the server owner thinks it is a "good" thing or not. Cox Communications IS an appropriate name. They're dicks! :^0

paulmah

Do you have anything to add about the DNS hijacking methods that are being adopted?

DanLM

The United States is a huge contributor to this problem itself. Hosts that do not monitor what runs on their networks. I mean Dr., I agree with you. But the problems I see with that are: 1). The botnets would just move to another IP block. What I've seen is these bots will connect to a domain name. Change the DNS, and the bots still work. By blocking the countries, the bot masters would know and just change the DNS. 2). It would bring the wrath of the State Department down and all the evils of big government. Third world countries complain, State Department orders the ISP to stop and desist. bla bla bla bla bla... But, I'm sure it would happen. The thing that I like about this approach: Botmasters do not know they are losing part of their herd until it is gone. It's like a sniper working from the back to the front of a platoon of soldiers. Nobody knows they are losing men until the man in the front turns around and finds he is alone. The way it is being done by COX I like, but I understand yours and Toney's disagreement with it. And I can't argue it. But, I do think that something along these lines would be great if it could be done in a way that acknowledges both yours and Toney's concern. Like JD said, part of the contract. Just not in little itty bitty letters that you can't read. Dan

jdclyde

acceptance of this will become a requirement for getting their service. They will explain it (in more small print) and many people will take the attitude of "just protect me and give me what I want, without me having to know anything". I don't see joe-user complaining about this. I also see joe-user preferring this over getting their account shut down for being a zombie.

DownRightTired

I for one don't see the harm in it. In fact I wish more ISPs would try to be proactive in securing the net. If the man in the middle is attacking the 'dicks' that try to use my mail server for their profit then good for them. You need a driver's license to drive a car but any dumbass can surf the net. There are hundreds of thousands of bots out there (and growing). If end users can't be trusted to educate themselves and secure their own PCs, SOMEONE has to before their ignorance costs someone millions of dollars or their lives. I admit it may open the door to more intrusive measures, but ISPs are going to do what they want anyway. In this case, though, there's no harm in the code. If you're hangin' out on the corner of a seedy neighborhood in the middle of the night you're probably up to no good. Likewise if you're visiting IRC channels known to be bot meeting rooms, guess what? You're probably a bot!

jeffreyobrien2203

ISP caught doing DNS hijacking in fight against bots, & VeriSign found TWO FAKE Not Microsoft Issued Certificates. Do you have anything to add about the DNS hijacking methods that are being adopted? Yes my name is jeffreyobrien from here http://www.websitetrafficspy.com/jeffreyobrien.blogspot.com I have 8th most traffic online I own my jeffreyobrien.blogspot.com FQDN Now this happens daily exactly when I logon my ISP is three (3G) australia, security Norton's catches their IP address as UNAUTHORISED ACCESS BLOCKED for hour every morning when I go ONLINE they deny this happens when I sent them a copy of my security they were very concerned as they said it must be a STAFF MEMBER SACKED OR SOMETHING TO THAT EFFECT anyway I see it happens daily has done for over year. I have complained to Ombudsman about this what could you help me with I am very interested if you can, I use RTM W7 X64bit I am Microsoft tester a Home user with fetish for genuine Microsoft Software especially RC & RTM versions. UPDATED TODAY 09/10/2010 3G using E122 HUAWEI DEVICE THREE WERE ON PHONE TO ME BECAUSE VERISIGN CLOSED DOWN THEIR INTERNET FOR WEEK UNTIL HUAWEI PAID WITH GO DADDY'S CERTIFICATES then NORTON 360 vers 4 now allows this through firewall as certificates are now GENUINE & FULLY PAID UP TILL 2032 wow Small man finally did some good to that HUGE COMPANY thanks jeffrey

DownRightTired

Does that sound funny to anyone else? Should it be using DNS hijacking in fight?

ptheoc

If you own a dog and allow it to run free, untrained, unfed and unsocialized and it hurts someone you are responsible. Likewise if you put this same dog into someone's fenced yard you have done something wrong. If the children of the dwellers of this house in the fenced yard have friends over and the adult dwellers allow their kids' friends to go in the yard knowing that this bad dog is in the yard, they are just as wrong as you for putting the dog there. It seems so simple. Allowing a known wrong is just as wrong. Especially if you are knowingly being used to perform this wrong. Simply wrong.

yalublumisha

Those who would sacrifice liberty for security deserve neither.

nsteere

I am happy they are trying to divert the zombies away from the tasty brains and moving them to fake brains. Similar to tofurkey.

Dr Dij

only blocking all the ISPs in that country that are not responsive to requests to take down bad sites. And since done by private networks, it would not incur the 'Wrath of Khan'; whoops, I mean the 'Wrath of the State Dept'. They are free to block whoever they want. Obviously they would be pretty careful not to block desired netsites that are valid and non-spyware because otherwise they would lose customers. They use black lists NOW to block for email and some use blocking lists already from major AV sites. I'm just suggesting that some ISPs block the whole address range of other ISPs who host malware and spammers. Also it is much harder for them to locate on ISPs that ARE responsive to requests to take them down as they have to move much quicker or cannot sign up at all in many cases. At a certain point if too hard to bother with they are not making money and retire from the biz. So don't give me the defeatist attitude 'they'll just move'. Even if you lock your door someone can break in. Do YOU leave your door unlocked anyway? (Ok, my mom does in their small town home with low crime rate but that is not the internet where people can transport packets instantly to your domain)

ptheoc

If Cox is a "knowing" pawn in this, they can be held as liable as the perpetrators. Are you going to remove Cox's right to defend itself? You just made the statement against the lazy unknowing people, unwilling to be self accountable. Make up your mind.

DownRightTired

Obviously the ISPs would have to be careful in maintaining the commands associated w/ whatever particular bots they were targeting. More importantly what domain names they were re-routing. Of course there's a lot of big research already being done in this area that they could draw from, probably w/ great support. Namely the FBI http://www.fbi.gov/page2/june07/botnet061307.htm. As well as other security research groups. I wonder if after the client gets passed to the fake host for cleaning if it then gets forwarded to the real host? This would help keep legitimate sites from being locked out. But may just open the client up for reinfection. Either way it won't be long before the scripts are modified to get around this little trick. I guess using DNS allows the bot operators more flexibility and maybe privacy, but they could as easily use IPs, would the ISPs then capture all packets going to that IP? While I think this could be good it will most likely turn into the Tom & Jerry scenario we already see in other areas of security and AV. To the best of my understanding most of these bots don't replicate through the IRC channels, only receive their commands. So while this won't necessarily stop the proliferation of botnets it may silence a couple thousand of 'em. Until the next batch...

TonytheTiger

You cannot legally prevent me from driving 100 mph through the center of town. All you can do is take away my driving privileges if I do. The proper way to do it is if you detect a bot running on a customer's computer, disconnect that computer from the network and require the customer to fix the problem before you restore the link. Maybe the customer will learn a little bit in the process.

robert_devery

Just to refute a few points made by downrighttired. The "dumbasses that are surfing the net" are not the guys using these bot networks or using the IRC channels to communicate with the bots. These guys are serious "crackers" for want of a better term. "I admit it may open the door to more intrusive measures, but ISPs are going to do what they want anyway" Do you think that ISPs are going to stop with changing DNS entries? They will keep pushing forward with their own agenda regardless of my or your objections. It's all about the bottom line to these people. Also just because you use IRC channels doesn't mean you're a bot, could mean you're doing "research" or "educating yourself". Don't take this the wrong way, just trying to point out another point of view.

Locrian_Lyric

You know, a smart ISP could actually use this as a selling point! "Not only do we provide excellent service, but we will also scrub your machine for malicious zombie-software!"

DanLM

Are a$$holes. Your comment makes you one in my book. Dan

jruby

While they sat around and placed a great emphasis on 'liberty', they completely ignored 'security' and were soon over-run by forces from without, aided by decay from within.

DownRightTired

would you be sacrificing here? Do you find it necessary to connect to chat rooms known to promote malware, piracy, and theft? The fact is it's our liberty that's being attacked by these botnets.

DanLM

"So don't give me the defeatist attitude 'they'll just move'. Even if you lock your door someone can break in. Do YOU leave your door unlocked anyway?" I know that for a fact because of the IRC security list that I subscribe to. A lot of bot masters use the free DNS and just move to new IPs when they are found. I know this because of the security list reporting abuse to the hosts. Or going to the URLs to get more information. Only script kiddies hard code IPs in their malware executables. That is not an idle comment. That is from watching a security list specifically created to deal with bot nets. Dan

dawgit

Geeeze I'm getting old.

Big Ole Jack

I have whatever the PC came with from Dell. So in other words, the moron who owns the PC doesn't even know what they got with the PC when they ordered it? Are these the same blockheads who let a car dealer tell them what options they "should" have in the vehicle? A sucker parts with his/her money very quickly. I love people who are like that because they keep crooked salesmen in business, due to their own sheer ignorance and refusal to learn anything about the product they are buying.

Big Ole Jack

I just had to make a joke of it...sorry.

DownRightTired

Lately I've been using, and recommending to everyone I know, Blink Personal Edition. It blows all the others away. Runs lighter than AVG and includes everything from firewall to vulnerability assessment and the ONLY one that protects from zero day attacks. Even scans for flaws in 3rd party software like Adobe and everything else. One year free trial! Really the impressive thing is that it doesn't rely solely on virus signatures but runs in all the various layers looking for malicious activity. You could actually run it and never update it and still be safe. Anyway I know it sounds like an advertisement but it's a great product I thought was worth mentioning in this thread. The makers (eEye) have also been responsible for finding MANY of the security flaws in Microsoft. What got me to try it was an interview w/ the founder who was one of the first hackers that began exploiting Microsoft's flaws back in the 90's.

DownRightTired

yeh they've blurred the line. probably 'cause of the other racial uses for 'cracker'. Whatever happened to phreakers? lol, I guess w/ VOIP they all turned to crackers?

jdclyde

The more I replied, the more I was sure it wasn't me you were talking to in the first place...... ;\ I was working on a friend of my mom's computer a few months ago. The system was virus infested, with only a clean wipe as a workable solution. I asked her if she ever ran the "Windows Update". Her answer was "no, I like this version of Windows, so I didn't want to update to the new version." You can not imagine how hard it was to keep a straight face..... :0 How do you save people from themselves?

jdclyde

thanks to crappy movies with lots of eye candy, the general mindless masses will always fear the evil hacker. The one thing it does that is positive for anyone in IT is clearly paint "ID10T" across the forehead of anyone that uses the term, so we know who and what we are dealing with. B-)

robert_devery

Crackers break into sites not hackers. Hackers is the term that the media uses. Generally hackers make things, Crackers break things. Sorry I know this is off topic but it annoys the s**t out of me.

ptheoc

I combined sentiments on two posts into one reply. But for your part you did say, "just protect me and give me what I want, without me having to know anything". I do agree that people don't do enough, but hackers are getting into govt sites and major corps. The things you mentioned, Firewalls, Windows updates are like locks on doors. They are meant to keep out the honest people. Sorry to give you the whole beef instead of a quarter pounder. The rest was aimed at "This is completely unacceptable!"

jdclyde

First, I never said anything about someone being "unwilling to be self accountable", only that like most users, they know nothing about computer security. It is VERY common for people to run their computer without getting current AV software. "It came with AV software. oh yeah, that three month trial expired and I have to buy it again?" Firewalls? Malware? Windows updates? they don't know and no one told them there would be so much time spent caring for this new pet. Kind of like getting a puppy, they take a lot of caring for. If a customer of Cox is infected or going to a place that is infected, it is not something that Cox is liable for, not even in this sue happy liberal cesspool that people are trying to turn our world into. Bottom line, I never even said anything against Cox doing this, so you must have posted under the wrong post?

TonytheTiger

They are jumping in the car and grabbing the steering wheel away from the driver. By all means stop the car, by EXTERNAL means then tell the driver he can't drive again until he 'fixes the problem'. Likewise stop the computer externally (cut off the connection), then tell the operator he can't get back on the network until he 'fixes the problem'.

DownRightTired

Well according to the article the only time the ISPs are taking any action is when a certain domain name is requested, a suspicious domain. So following the analogy, it seems this would be equivalent to the police pulling you over and questioning you for behaving suspiciously or being in a bad part of town. They're not actually searching your car, just running the K-9 around it.

Dr Dij

shooting your tires out prevents you from keeping on doing what you're doing? This ISP doesn't stop anything till it detects trojan conx, and possibly they take action immediately. So is that prevention since they stopped the person just after they started? or is it 'in process' stopping? Not sure it matters as long as they stop them quickly. I guess in a car it takes a while for police to 1) know you are speeding, 2) catch up with and pursue you. On a network it can be nearly instantaneous

TonytheTiger

If they cause something to be executed on my computer that would not have been executed without their deliberate action, they are breaking into my computer. The only correct action is to disconnect the computer from the network.

Dr Dij

if you present a hazard to others, they can 'take you out'. Pit maneuvers, spike strips all stop you. If you aim at a roadblock they can shoot you. I think they can shoot out your tires under certain conditions. In the case of a guy who took a tank and stalled it on the 5 fwy in San Diego the officer opened the can and shot him. That's legally stopping him.

DownRightTired

" You cannot legally prevent me from driving 100 mph through the center of town. All you can do is take away my driving privileges if I do." That is an interesting point. And true to an extent. However, I would HOPE that if it were the case that hundreds of people began driving like this, the police would implement some measure (spike strips?) to protect those on the street.

DanLM

You're right. Two wrongs don't make a right. If Cox disconnected all the users with known exploits on their machines, there would be an uproar also. But, I guess they could point to their contract with that one. Have to admit though, you're the strongest argument with how I feel about it. Dan

DownRightTired

to put it simply. Keep your computer in your home and there's no problem. When you connect it to the internet, a public place, it should be expected to behave appropriately (and legally). Also the ISPs are not "breaking into" your computer. They are diverting traffic that's coming out of YOUR computer. One thing I'm not sure the article makes clear is whether it's intercepting traffic directed to other DNS servers or responding w/ "false information" from their own servers. **edit** began to reply and got pulled away

TonytheTiger

You are "out in public" when you go through a checkpoint. There is no expectation of privacy. MY computer, in MY home, is different. There IS an expectation of privacy. Just because someone else broke into my computer to plant the bot doesn't mean you have the right to break into my computer to remove it. Two wrongs don't make a right. "I guess its proactive v reactive(which has worked GREAT so far right?)....." It works as well as it can without BREAKING THE LAW!

DownRightTired

are you opposed to checkpoints on New Year's Eve? or would you rather every drunk idiot be free to roam until he runs into your office building? Sure he'll learn his lesson but guess what, there's still a gigantic hole in your office! Wouldn't it be better to make a relatively unobtrusive attempt to fix the customer's PC before you pull the plug on them and say "Sorry buddy fix it yourself"? I guess it's proactive v reactive (which has worked GREAT so far right?).....

DanLM

You have to understand that most IRC networks are normal people that rent unix shells to run IRC daemons. The people that connect to these networks probably have no idea that the networks are being paid for by hard working people like them. The flood of these bots to execute their commands drains the limited resources that are allocated to the shell these people pay for. These bots have taken down more than one IRC network because the chatters just can't connect, talk, or anything. I belong to the newsletter that I previously mentioned and I have not seen a lot of activity on it lately (months and months). So, I didn't think there were a lot of IRC botnets running. Although, I have read articles where bot masters are either setting up the bots to run from commands found on web pages. Or they start their own IRC network where only their bots join and they feed the commands. These bots are a pain in the bloody butt to everyone they touch. If COX net can clean out just what is on their network, that is greatly appreciated by me and I am sure a lot of other people that have experienced first hand the destruction these bots can do. My issue is with people that never had to deal with them. ddos attacks, loss of revenue because of. You can't tell me some of these bots aren't also key loggers. Loss of identity. I can't argue with Toney's reasoning, it's straight forward and to the point. But, I've seen the destruction these bots can do. I've read enough to know that my experiences with them is minimal at the most. They are a serious problem. Dan

DownRightTired

I was curious to hear from a heavy IRC user whether they had experienced any problems.

DanLM

And I have NEVER been directed to a cleansing channel. So, with response to you. They are not attacking IRC chatters. They are filtering known bot/hacker IPs and directing them to a cleansing IRC channel. I can also add to this, that there is a security group of all the networks (both large and small) that has tried to address botnets on IRC. They reverse engineer the executable that is installed which runs the bots, and then they find the remove commands. When bots are found on their network, they do the same thing that COX is doing. COX is just redirecting to an IRC channel to cleanse the malware. I also know that a lot of AV companies watch this group. And the kicker is, it is just a bunch of chatters that got tired of the sh*t who had the ability to do the reverse engineering. It is an open mailing list. Anyone can contribute, listen, learn from it. Dan

DownRightTired

Maybe you don't understand exactly how these bots work? I understand that the "average dumbass" (I like this term, I'll keep using it!) is not getting on IRC channels. But they tend to not be security conscious and end up getting infected w/ these 'bots' which are just intelligent malware. The BOTS that are hiding on their computer then connect to these IRC channels and await commands from the "bot herders" (here's a really interesting story from Steve Gibson about his investigation into a DOS attack on his network > http://www.grc.com/dos/grcdos.htm) Also if you read the article carefully, they're not diverting ALL IRC traffic, only sites bots are known to connect to. The idea is that the user doesn't even know he's connecting to an IRC channel, it's the bot that connects, hence the string of commands issued to the client (the bot). Read the article again. I wasn't trying to imply that everyone who uses IRC channels is up to no good, but there are discreet channels that are intended for no other purpose. And HOPEFULLY the ISPs' agenda is to provide a secure connection (at the highest price they can :-) and not something more seedy (not sure what you consider their bottom line to be?) Now obviously I'm basing all this solely on what's been disclosed in the article. AGAIN I would recommend everyone check out this article http://www.grc.com/dos/grcdos.htm It's a really interesting read
