An interesting happening this week, some ISP’s have been jacking the DNS entries for certain IRC networks to crack down on zombie/bot infections.
Is it ethical? Should they be doing this to their users?
I first got wind of this from a post on Full Disclosure mailing list from an IRC network administrator.
You can read that e-mail here:
Internet service provider Cox Communications is reportedly diverting attempts to reach certain online chat channels and redirecting them to a server that attempts to remove spyware from the computer. By doing so the company seems to be attempting to cleanse computers of malware that hijacks the computers resources to send spam and participate in online service attacks as part of a large network of compromised computers known as a botnet.
Specifically, Cox’s DNS server is responding to a domain name request for an Internet Relay Chat server. Instead of responding with the correct IP address for the server, Cox sends the IP address of its own IRC server (188.8.131.52). That server then sends commands to the computer that attempt to remove malware.
They seem to run some kind of script when the user connects to try and ‘clean’ the machine from infection….even if it’s not infected.
IRC is still used heavily, I don’t really use it much anymore apart from Freenode. The Darknet channel used to be on DALnet back in the day.
Freenode is pretty happening for open source projects though.
Though clever, the tactic is being heavily debated by networking experts on the NANOG mailing list, some of whom question the effectiveness of the technique and who question whether blocking access to the channels for all users (by breaking the DNS protocol) in order to stop some malware is the appropriate solution. Cox does not seem to be blocking all IRC channels, but anyone trying to reach those channels using Cox’s DNS servers will be unable to reach them.
IRC channels are heavily used by programmers, non-traditional communities and black-hat hackers, among others. The malware-infected zombie computers Cox is attempting to clean can also be controlled remotely by having them connect to an IRC channel where they get instructions from their controller.
Interesting stuff eh?
I’m not really sure where I stand ethically on this…what about you?
Source: Wired Blog
- Windows Registry Infecting Malware Has NO Files
- FakeNet – Windows Network Simulation Tool For Malware Analysis
- Microsoft’s Anti-Malware Action Cripples Dynamic DNS Service No-IP
- ddosim v0.2 – Application Layer DDOS Simulator
- Hackers Attack Root Servers and Slow Internet Key Traffic
- ArpON v2.2 Released – Tool To Detect & Block ARP Spoofing
Most Read in Malware:
- Nasty Trojan Zeus Evades Antivirus Software - 77,294 views
- Hospital Hacker GhostExodus Owns Himself – Arrested - 47,444 views
- US considers banning DRM rootkits – Sony BMG - 44,926 views