Slashdot Mirror

← Back to Stories (view on slashdot.org)

TimeWarner DNS Hijacking

Posted by kdawson on from the can-you-spell-ham-handed dept.

Exstatica writes "It looks like TimeWarner is taking vigilante action on the botnet problem. They've hijacked DNS for a few IRC servers, the latest being irc.mzima.net and irc.nac.net — both part of EFNet. (irc.vel.net was hijacked earlier but has been restored.) Using ns1.sd.cox.net, the lookup returns an IP for what looks to be a script that forces the user into a channel and issues a set of commands to clean the drones. There have been different reports of other IRC networks being hijacked and other DNS servers involved. Is this the right way to handle the botnet problem? Is hijacking DNS legal?" Botnets are starting to move off of IRC for command and control, anyway.
Update: 07/24 00:01 GMT by KD : Updated and added more links; thanks to Drew Matthews at vel.net. 07/24 11:52 GMT by KD : Daniel Haskell wrote in to say that ircd.nac.net is seeing cox.net connections again, and that they are in discussion with the EFF over the matter.

22 of 339 comments (clear)

  1. About time by beefcake1942 · · Score: 2, Insightful

    Frankly, I think it's about time somebody started ACTING on the problems we face online. Botnets are a huge global issue, and we simply must do all that we can to stop them. Although I suppose this probably could be considered illegal (remotely installing software on somebody's PC without their authorisation breaks pretty much every anti-hacking law in the land), how else can we tackle these issues? Zombie PCs aren't going away any time soon, so more needs to be done. The only problem is as the OP originally stated - botnet control is moving away from IRC networks anyway, so this may also be a case of too little too late. What other methods can be used to help curb the botnet problem?

    1. Re:About time by CrazedWalrus · · Score: 4, Insightful

      I think this action is right-on. The parts of the equation missing are trust and accountability.

      We don't trust vigilantes, not because we don't agree with them, but because we don't trust them to always act in the greater good. Their future actions and motivations are unknowns. Since their identities may even be secret, there's no way to hold them accountable.

      Why are we ok with the police taking the same actions as a vigilante would take? Because of trust earned through accountability. To retask a familiar saying: "Put all your eggs in one basket and then watch that basket". That basket is the police, and we've put all our eggs in it. That means the public at large can watch the police, who are well-known and generally easy to spot. It means that internal controls can be set up, and rules of engagement can be put in place. We trust the police as much as we do because we know that, ultimately, they're under the control of the general public, who can exert pressure on them when they act badly. This is why we tend to put more trust in organizations, rather than individuals. Organizations are easier to censure.

      Understanding that, it's easy to see what the course of action needs to be. As much as we here at /. tend to have a love/hate relationship with authorities, I think one needs to be set up specifically to deal with these problems. They need to be given what power is necessary to deal with the problems like spam, trojans, botnets, whatever, but at the same time, they need to be directly accountable to the public in a similar manner to police forces. Legitimize the vigilante action by coupling it with accountability.

      I don't really know the specifics of setting up something like this, but I think using the police as a model would be the way to go. Rules and procedures, all the requisite bureaucracy, but also the ability to launch tactical "busts", "cyber" or otherwise. They'd need all the same approvals, warrants, etc. They'd have branches in all concerned countries, and would work through the legal systems in their home countries. In some countries, they might be a part of the police force, since much of the administrivia would be similar. Ultimately, I'd think CERT or something like it would be a good headquarters or parent organization for such a group.

      The point is that we've already worked this out in the "Real World". Applying it to The Internet shouldn't be a patent-worthy exercise. While I wish we didn't need government involvement, much of the authority required is the type of authority that only government can legitimately grant, such as the ability to seize equipment.

      I aplogize that this isn't as eloquently described as I'd have liked, but I think the general idea is there. You may now procede to flame me for advocating the Policing of the Intertubes but ultimately, I think that's where we're headed.

  2. Another vote for OpenDNS! by sillivalley · · Score: 4, Insightful

    So we can expect the next generation of malware to alter systems to use OpenDNS?

    Might make some systems a little more useful!

  3. About Time Someone Tried Something by Anonymous Coward · · Score: 2, Insightful

    Let's face it, the company with the most responsibility in the Botnet mess, Microsoft, has been sitting on their hands when it comes to dealing with the issue. Well, until they figured out they could make a buck at it.

    Botnets are used by organized crime for spam, stock scams and a host of other illegal activities. It's time someone did something...if only for the political effect.

  4. Re:New Update since i submited this yesterday by TheRealMindChild · · Score: 4, Insightful

    That sounds like dirty lawyer logic.

    Next you'll argue that reverse engineering a virus is a violation of the DMCA.

    Ill be the first to say it. Who the fuck cares. The problem is being delt with.

    --

    "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
  5. Their DNS Server... by flyingfsck · · Score: 4, Insightful

    If I wish to black hole something on my DNS, it is my prerogative to do so. If someone else is using my server for free and complains about the shitty service, then I'll gladly refund his money...

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!
  6. Re:This will NOT raise awareness or work in any wa by thegrassyknowl · · Score: 5, Insightful

    Once again, the ISP has punished the good guys for problems crated by the bad guys. The root cause of the botnet is Windoze. Fixing it and raising awareness is as simple as cutting the problem computers off your network and telling their owners why. This is as it should be and pretending otherwise props up third rate software and threatens the stability of the net.

    I wish I hadn't run out of mod points; this is gold.

    That's a pretty cut and dried way of reducing the number of bots. Cutting the user off forces them to understand what is wrong and why they're cut off. If you just give them information most will just click past it and continue on their merry way. Users don't want information. They want the pr0nz as quick as possible. Didn't you know that?

    I can think of one case where a (now ex) friend of mine would email To: every single person in her work address book with SPAM for her work. I started out telling her to use the Bcc: field at least and pointed her to a web page describing why you'd want to do that. she replied "I don't want to read all that technical garbage" then carried on the same. Then I asked her to remove me from her list. She replied "I am going to send you this stuff because I know you want it" (it really was SPAM for her work, it wasn't even jokes or chain mail). There ended our friendship as I reported them to their ISP. They were warned by their ISP and still continued doing what they did. They lost hosting pretty quick after that.

    People don't want to learn. They are, by and large, idiots. Heavy handed measures are the only way to force them to realise that fact.

    --
    I drink to make other people interesting!
  7. In the long run, not a great idea by BertieBaggio · · Score: 4, Insightful

    I have mod points, but I'd like to collectively reply to a few of the comments I see here. for those of you that are commending this act of vigilantism, stop and think - is this the most effective way to tackle the problem? The way I see it is that being a vigilante is akin to being involved in a constant game of whack-a-mole. The only problem is that when you start taking down bots (or even whole botnets), the people running them begin to realise that their current generation of malware isn't effective enough, and create something that is harder to detect. As the summary notes, we've already seen them trying to improve their resources. There was another post I saw on here that put it more eloquently, essentially saying: vigilantism only helps the bad guys work out where they need to improve.

    So how about instead of trying to fight a brushfire with an extinguisher, we get to the root of the problem and start educating users. Yes, that takes effort. I can't begin to count the hours I've spent trying to explain to folk why using an alternative browser (or OS or whatever) is a good idea, and what they should look for in a reputable site, and so on and so on ad nauseum. It's a slow process, but the more people that are aware of the risks - and more importantly, the reasons for the risks - the less there potential 'marks' there are for all the script kiddeez, rooters and organised criminals out there.

    And for us on /. - less requests to fix the family computer when we visit at Christmas.

    --
    If all you have is a grenade, pretty soon every problem looks like a foxhole -- MightyYar
  8. Re:No "awareness" needed by QuantumG · · Score: 2, Insightful

    No, no, and no.

    The problem is the assholes who take over people's computers to send spam and flood web sites.

    The solution is a well funded police force to hunt them down.

    --
    How we know is more important than what we know.
  9. Re:New Update since i submited this yesterday by Lawn+Jocke · · Score: 2, Insightful

    Next you'll argue that reverse engineering a virus is a violation of the DMCA.

    Bit exaggerated use of a slippery slope metaphor. IANAL but to my understanding, their actions were closer to breaking into somebody's house to steal back your remote control. Not to justify their actions- just clarifying.

    Ill be the first to say it. Who the fuck cares. The problem is being delt with.

    I'll be the first to ask: If you don't give a hoot about this issue, what are you doing in this topic, let alone in the /. community?

    --
    Maybe if this sig is witty or clever enough, someone will love me...
  10. Alternative DNS? by SaDan · · Score: 2, Insightful

    208.67.222.222
    208.67.220.220

    I don't work for OpenDNS, but they've got some nice DNS servers out there for use. http://www.opendns.com/

    Kind of sad, the first thing I thought about when I started reading about this was, "Wow... Who'd a thought you needed TOR to get proper DNS resolution?"

    1. Re:Alternative DNS? by dissy · · Score: 5, Insightful

      I thought OpenDNS was the greatest thing, until I noticed if you type in a URL that isn't valid it doesn't deliver the standard "non-existent domain" return, but instead gives you an OpenDNS search results page. Bleh. I'll stick with running Bind on my own server, thank you. Actually, if you signup for a free account, and add your IP(s) in their dashboard webapp, you can configure all sorts of things, including to return NXDOMAIN on resolution failure.

      I too agree that breaking NXDOMAIN is a bad thing, but OpenDNS at least does let you change this yourself. It just has the wrong default, so to speak.

      I strongly urge you to signup for a free account, and look over their settings available, before you judge.

      -- Jon
  11. Re:No "awareness" needed by ScrewMaster · · Score: 4, Insightful

    I think a well-funded spec-ops team would do even more. Make these guys disappear. I mean, hell, if we're gonna live in a police state, we might as well enjoy a few of the fringe benefits.

    --
    The higher the technology, the sharper that two-edged sword.
  12. Re:New Update since i submited this yesterday by Paradise+Pete · · Score: 3, Insightful
    Ill be the first to say it. Who the fuck cares. The problem is being delt with.

    Vigilante justice - the mark of the civilized man. String 'em up first, ask questions later. Your logic has been used to justify uncountable wrongs.

  13. Re:New Update since i submited this yesterday by geminidomino · · Score: 4, Insightful

    Ill be the first to say it. Who the fuck cares. The problem is being delt with.


    Vigilante justice - the mark of the civilized man. String 'em up first, ask questions later. Your logic has been used to justify uncountable wrongs.

    In all fairness, so has the so-called "Rule of Law."
  14. Re:No, probably not by Mjec · · Score: 2, Insightful

    (b) Diversion of services.--A person is guilty of theft if, having control over the disposition of services of others to which he is not entitled...

    (Emphasis added).

    Yeah, they're entitled to do whatever they want with their DNS servers. You're the one asking them for information. Now, if they were obtaining a financial benefit then it may be obtaining money by deception, or fraud, because they're providing you with false information. It may be a breach of contract, though you'll find it hard to prove that they owe you anything at all. So yeah, there's really nothing wrong per se with what they're doing.

    --
    "But everyone should know everything." -markab
  15. It's not so much about DNS by ShaunC · · Score: 2, Insightful

    Since it sounds like they were doing it with their DNS servers.
    NO!! This goes far beyond DNS and is extremely irresponsible!!

    A DNS response to a widespread bot infection, a worm attack, or other overwhelming threat would be to claim SOA for the offending domain on your network, and resolve the entire domain to 127.0.0.1. Even that's sketchy, but it's what we might call the internet equivalent of Generally Accepted Accounting Principles. I've seen registrars themselves nullroute a domain and in general there's not much objection, because extreme action is only taken in extreme circumstances. That isn't what happened here at all.

    What happened here is that multiple ISPs rerouted legitimate connection attempts to legitimate network servers to their own, pseudo-C&C servers. Through the hijacked connections, they issued commands (in the /topic and directly in the channel) that may alter or remove software installed on the client PC. Now, maybe the client wanted to have SpamBotFoo installed on their computer, and maybe they didn't, but at what point did they give their ISP permission to remove SpamBotFoo from their computer? Since when is it suddenly okay for an ISP to intercept outbound connections from a customer's PC, reroute those communications to a destination of their choice, and knowingly issue commands to software installed on their customer's PC that would alter the contents of said PC, or worse, remove software from it?

    It would certainly not be legal for me, as Joe Blow, to intercept your packets (for any purpose, good or evil), nor would it be legal for me, as Joe Blow, to use those intercepted packets to attempt to "uninstall" software from your computer, regardless of what that software is. Why, then, is it okay for ISPs to do the same?
    --
    Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
  16. Re:New Update since i submited this yesterday by empaler · · Score: 3, Insightful

    Yeah, because his entire post hinged on that one spelling error that he corrected in a concise and non-derogatory manner that TheRealMindChild might actually benefit from reading.

    Kudos for calling him an asshole - with fucking stars.

  17. Re:New Update since i submited this yesterday by Cederic · · Score: 4, Insightful


    The author of the software is irrelevant. It's my PC, if a company hacks into it and changes it then they're breaking the law.

    That they're using previously installed malware to do so is completely irrelevant to this.

    Can they even demonstrate that I don't know of the existance of that malware? Maybe I installed it myself, maybe I'm monitoring it.

    It's illegal, and they should be prosecuted.

  18. Re:Hijacking, and San Diego Cox Communications by Anonymous Coward · · Score: 1, Insightful

    Well... I do admit, I block all of APNIC to my mail servers, though, I do not service "customers" either That's a joke, right?
    As someone living in the APNIC region (New Zealand), I'm horrified at the thought of someone blacklisting an entire range of IP addresses - some of which I use for my own mail servers, web servers and so forth.
    You're pretty much punishing me for the actions of a others.

    Now yes, granted I may never need to send email to you and I doubt I ever have, but that's not the point - you're hindering any possible communication that might be required on either of our parts.

    If you're blocking because of spam, then maybe you'd be better off blocking ARIN - you have heard that the US is one of the major countries for sending spam, right?
    Or would that just start causing you problems because you'd stop receiving mail?

    You can't justify blocking one range for one reason and not blocking the other for the exact same.
  19. Re:New Update since i submited this yesterday by Fastolfe · · Score: 2, Insightful

    I'm part of an organization that works on disabling botnets together with other people from various irc networks. I do not understand why timewarner did not even bother try to contact us - even though I had contact to their abuse desk long time ago.

    Perhaps they're simply unaware that you exist? I'm sure the people staffing abuse@ are a bit separated from the people making these types of decisions.

  20. Re:New Update since i submited this yesterday by MrPeach · · Score: 2, Insightful

    While I agree in principle, I believe a more prudent approach is:

    1) ISP detects your computer is being used for SPAM/DOS/some other hijacked purpose (and NOT just user behavior problems)
    2) ISP restricts you to a walled garden where your infected machine cannot access the internet - and you are informed as to the cause and action needed from you before access can be restored
    3) you call ISP whining about your internet connection (or skip to step 5)
    4) ISP repeats the information from the walled garden
    5) you clean up your shit, the ISP confirms this and you are allowed back on the internet

    No need for abusive actions against the user. Just put them in internet jail and if they care to get their internet back they need to fix the problem. If the ISP is feeling particularly generous, they can make the tools needed for the cleanup available within the walled garden, otherwise you'll have to call the Geek Squad or something.

    This type of hijacking is 1) not needed, 2) ineffectual against most problems, & 3) non-functional against people like me who use an alternative DNS (openDNS).