26 July 2007 | 7,659 views

TimeWarner DNS Hijacking IRC Servers to Stop DDoS Attacks

Prevent Network Security Leaks with Acunetix

An interesting happening this week, some ISP’s have been jacking the DNS entries for certain IRC networks to crack down on zombie/bot infections.

Is it ethical? Should they be doing this to their users?

I first got wind of this from a post on Full Disclosure mailing list from an IRC network administrator.

You can read that e-mail here:

Major ISPs arbitrarily blocking IRC and hijacking DNS entries

Internet service provider Cox Communications is reportedly diverting attempts to reach certain online chat channels and redirecting them to a server that attempts to remove spyware from the computer. By doing so the company seems to be attempting to cleanse computers of malware that hijacks the computers resources to send spam and participate in online service attacks as part of a large network of compromised computers known as a botnet.

Specifically, Cox’s DNS server is responding to a domain name request for an Internet Relay Chat server. Instead of responding with the correct IP address for the server, Cox sends the IP address of its own IRC server (70.168.70.4). That server then sends commands to the computer that attempt to remove malware.

They seem to run some kind of script when the user connects to try and ‘clean’ the machine from infection….even if it’s not infected.

IRC is still used heavily, I don’t really use it much anymore apart from Freenode. The Darknet channel used to be on DALnet back in the day.

Freenode is pretty happening for open source projects though.

Though clever, the tactic is being heavily debated by networking experts on the NANOG mailing list, some of whom question the effectiveness of the technique and who question whether blocking access to the channels for all users (by breaking the DNS protocol) in order to stop some malware is the appropriate solution. Cox does not seem to be blocking all IRC channels, but anyone trying to reach those channels using Cox’s DNS servers will be unable to reach them.

IRC channels are heavily used by programmers, non-traditional communities and black-hat hackers, among others. The malware-infected zombie computers Cox is attempting to clean can also be controlled remotely by having them connect to an IRC channel where they get instructions from their controller.

Interesting stuff eh?

I’m not really sure where I stand ethically on this…what about you?

Source: Wired Blog



Recent in Malware:
- Microsoft’s Anti-Malware Action Cripples Dynamic DNS Service No-IP
- Pirated ‘Watch Dogs’ Game Made A Bitcoin Mining Botnet
- Hook Analyser 3.1 – Malware Analysis Tool

Related Posts:
- ddosim v0.2 – Application Layer DDOS Simulator
- Hackers Attack Root Servers and Slow Internet Key Traffic
- ArpON v2.2 Released – Tool To Detect & Block ARP Spoofing

Most Read in Malware:
- Nasty Trojan Zeus Evades Antivirus Software - 77,291 views
- Hospital Hacker GhostExodus Owns Himself – Arrested - 47,440 views
- US considers banning DRM rootkits – Sony BMG - 44,924 views

Low-cost VPS Hosting

20 Responses to “TimeWarner DNS Hijacking IRC Servers to Stop DDoS Attacks”

  1. Ian Kemmish 26 July 2007 at 11:22 am Permalink

    What is there not to be sure about? Everyone, all the time, has a duty to prevent crime by any non-violent means available to them. The only criticism which might conceivably be levelled is if they are not making reasonable efforts to inform the owners of the compromised machines that they have been compromised, and what action is about to be taken.

  2. Sandeep Nain 26 July 2007 at 11:53 am Permalink

    As far as they are just “cleaning the infected computers” its all ethical… although it might be against the “privacy laws” in some countries…

    but definitely its a nice effort and a big step in making the wild wild web a better place…

  3. fantr 26 July 2007 at 12:04 pm Permalink

    Wait until they get NAC actually working. It will eventually scale to ISPs, im sure of it.

    and as far as it being ethical, i guess that would be a matter of opinion. I certainly would not want some outside party scanning my computer for “viruses” or anything else for that matter. Not only does it become a privacy issue, but many of my tools show up as malware (cain, brutus, etc), and so I have to configure my AV software to scan around certain directories.

    How do you know what is being logged and or what they are doing with the information? If this is being done without consent, i’d say it is not only unethical but illegal, after all, they are altering the files on your pc if they find something, Correct? How is that any different from me altering files on someone else’s computer that I feel may bring me harm (like a bad report)?

  4. moons 26 July 2007 at 12:27 pm Permalink

    Tricky question, but to those who are infected, to some sense, its good for em, but to those who aren’t, its like invasion of privacy that they’re actually scanning your pc and who knows?

    Maybe some guy in the isp find it as a good way to probably insert some extra something in?

    Personally i wouldn’t like it having isp doing such things, its like, them trying to be the major guard of computers but then again, who’s going to guard what they do?

    quis custodiet ispos custodes

  5. Cyanide 26 July 2007 at 1:03 pm Permalink

    Well,

    In my opinion, Cox has come up with a very clever and positive way to clean up botnets that they know about. And to what i’ve read in this article and what I know about botnets from research, Cox isn’t actually violating anyones privacy in the sense of being able to access information on that customers machine.

    How it sounds like they are executing this plan is that, to begin with they redirect the client IRC session to that of their own IRC server. When the client connects to their IRC server and joins a channel, Cox’s IRC server will have a automated channel bot that will start issuing commands in the channel that the user is in. Alot of bots that I know of have commands built into them that will uninstall themselves from the infected machine. In no way with this approach, is Cox actually accessing any type of information on that infected box. They are just issuing commands inside of the IRC channel that the customer has been redirected to. I could be wrong but this sounds like the way they are doing it.

    The only thing that is kinda on the edge is them changing their own DNS records, but I highly doubt they will sue or press charges on themselves for Cache poisioning their own dns servers ;)

  6. SN 26 July 2007 at 1:43 pm Permalink

    what is wrong with what they are doing?

  7. Cyanide 26 July 2007 at 2:03 pm Permalink

    SN: Nothing really, I like the idea!

  8. Nobody_Holme 26 July 2007 at 2:04 pm Permalink

    Changing DNS records = veery stupid idea.
    If you can do it for this and get away with it, why not just direct porn to your own advertising pages, or a sponsor’s? (not that i like that idea, mind)
    if i ever spot myself being redirected away from an IRC channel, i’ll be getting a new DNS now.

  9. moons 26 July 2007 at 2:29 pm Permalink

    Yea i know about those bots having uninstallation commands, though a lot of them nowadays have removed them from the source before compiling.

    What then if just sending the command doesn’t work? Are they gonna result to more serious actions like running some sort of script or probe?

    Just my opinion.

  10. backbone 26 July 2007 at 6:34 pm Permalink

    privacy should be protected. I see no ethical action in what the ISP has done, if they want to trim down the number of irc bots they should do free security support for there clients…

  11. CK76 26 July 2007 at 8:22 pm Permalink

    LAME. Anyone heard of a slippery slope? Pretty soon they’re going to be redirecting dns requests for websites they deem bad…probably “hacking” sites like this one.

  12. backbone 26 July 2007 at 10:22 pm Permalink

    i think that would be the case for countries like germany and there new laws…

  13. Sandeep Nain 27 July 2007 at 12:16 am Permalink

    I am sure according to ‘australian privacy laws’ it will be considered unethical too…

  14. moons 27 July 2007 at 12:33 am Permalink

    Yep, thats just it, sooner or later, they’ll end up redirecting all traffic from websites they “deem” bad, and then again, who’s actually supposed to deem what they deem is bad as really bad?

    Becomes sort of like china where they block a lot of sites, and shut down political debates online, so theres no longer freedom of speech. Its just an inch away from the start of redirecting traffic of IRC servers to their own server just because they try to combat with the amount of infected botnets pc.

  15. Sandeep Nain 27 July 2007 at 12:47 am Permalink

    I don’t think they gonna start re-directing the traffic and change the DNS entries. im aure they are not such fools… in the end they are just an ISP and not a government who decides what people can/can not access.

    and they are running a business… so they know if they start doing it they will loose a hell lot of business.

  16. TheRealDonQuixote 27 July 2007 at 1:22 am Permalink

    I wonder if this has something to do with the latest P2P reconstituting w32.storm.worm? Its really a trojan that adds your PC to a bot net. Somebody has been sending vareints since last x-mas and the bot net must be HUGE by now. I wonder if this is an attempt at blocking any more DoS attacks from STORM. Anyone know anything? Its the longest sustained attack in two years. Good thing I’m all Linux now.

  17. Saso 27 July 2007 at 6:11 am Permalink

    A lot must have changed in the past 5 years if such activity is not only seriously considered by ISPs, but also acted upon. I wonder what their General Counsel thought of this idea, because it means that Cox is now not only a provider of connectivity – a common carrier – but is also actively managing its users’ security.

    The biggest problem in the past was that once ISPs cross the line and start actively managing users’ security, they can, and will be, held liable for anything that their controls miss. This IRC redirection sounds to me like something that was conjured up by techos and didn’t get proper level scrutiny from legal eagles.

  18. backbone 27 July 2007 at 3:16 pm Permalink

    TRDQ: if what you suppose it is true, than why haven’t we seen any DDoS attacks on large networks (as we all know the most of the bots belong to script kiddies).

    But if you’re right than probably we’ll see some slow down of large websites, or total “annihilation” of home made web servers =)

  19. spenser 6 December 2008 at 11:19 am Permalink

    Any person who has administered or used a server that was the target of a ddos would welcome these measures.

    It is just another form of null routing. Only rather than the carrier network null routing the victim, the isp is null routing the attack mechanism. Somewhere along the line, packets go awol. Better the attacker than the victim.