Tuesday, July 24, 2007

COX Communications HiJacking DNS

Recently, while perusing the interweb, I came across the following article: "ISP Seen Breaking Internet Protocol to Fight Zombie Computers". The short of this article is that Cox Communications is attempting to remove bots from customers' PCs by redirecting infected systems (by way of hijacked DNS records) to a c&c server that they control, and issuing standard bot uninstall commands to said bots. While I think that this is conceptually a good idea, I foresee several issues with it.

By design, bots are built with some level of security concerning who can issue commands to them, as noted in my previous blog about the disassembly of the RxBot, not to mention the differing command sets that are built into them. Couple this with the new Fast-Flux Service Networks that we are starting to see, and this method that Cox is attempting becomes an all but futile effort.

I am also curious where they are obtaining their list of c&c servers from. Perhaps off of the c&c list that Shadowserver.org maintains, or from another location? How do they filter out good IRC traffic from bad IRC traffic on public IRC servers that may have been listed as being a c&c in addition to a legitimate IRC server? From the looks of the article, they don't, and this poses an issue by way of blocking legitimate IRC traffic for those that connect to those servers.

A brief list of commands issued:

[INFO] Channel view for “#martian_” opened.
-->| YOU (Drew) have joined #martian_
=-= Mode #martian_ +nt by localhost.localdomain
=-= Topic for #martian_ is “.bot.remove”
=-= Topic for #martian_ was set by Marvin_ on Monday, July 23, 2007 9:50:03 AM
=-= Topic for #martian_ is “.remove”
=-= Topic for #martian_ was set by Marvin_ on Monday, July 23, 2007 9:50:03 AM
=-= Topic for #martian_ is “.uninstall”
=-= Topic for #martian_ was set by Marvin_ on Monday, July 23, 2007 9:50:03 AM
=-= Topic for #martian_ is “!bot.remove”
=-= Topic for #martian_ was set by Marvin_ on Monday, July 23, 2007 9:50:03 AM
=-= Topic for #martian_ is “!remove”
=-= Topic for #martian_ was set by Marvin_ on Monday, July 23, 2007 9:50:03 AM
=-= Topic for #martian_ is “!uninstall”
=-= Topic for #martian_ was set by Marvin_ on Monday, July 23, 2007 9:50:03 AM

.bot.remove
.remove
.uninstall
!bot.remove
!remove

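The channel log above shows how the sinkhole drives bots purely through channel topics. As an added example (not code from the original post or from Cox), the following Python parses raw IRC server lines for RPL_TOPIC (332) replies and TOPIC changes and flags topics that match the uninstall vocabulary listed above; a network defender can run it over captured IRC traffic to see which channels a host is being commanded from. Server names, nicks and the sample lines are constructed.

```python
import re

# Constructed sample of raw IRC server lines, modelled on the sinkhole channel
# shown in the log above (hypothetical server and host names).
SAMPLE_LINES = [
    ":sinkhole.example 332 Drew #martian_ :.bot.remove",
    ":Marvin_!m@sinkhole.example TOPIC #martian_ :!uninstall",
    ":irc.example.net 332 Drew #linux :Welcome - be nice, read the FAQ",
    ":Marvin_!m@sinkhole.example TOPIC #martian_ :.remove",
    ":irc.example.net 332 Drew #python :!help is a bot command here? no",
    "PING :irc.example.net",
]

# Topic prefixes and command words the post lists as standard bot uninstall
# commands ('.'/'!' + optional 'bot.' + remove/uninstall). Other bot command
# sets would need their own vocabulary added here.
BOT_COMMAND_RE = re.compile(r"^[.!](?:bot\.)?(?:remove|uninstall)\b", re.IGNORECASE)

# RPL_TOPIC (numeric 332) and an in-channel TOPIC change, per RFC 1459 framing.
RPL_TOPIC_RE = re.compile(r"^:(?P<src>\S+) 332 \S+ (?P<chan>[#&]\S+) :(?P<topic>.*)$")
TOPIC_CMD_RE = re.compile(r"^:(?P<src>[^!\s]+)\S* TOPIC (?P<chan>[#&]\S+) :(?P<topic>.*)$")


def parse_topic(line):
    """Return (source, channel, topic) for a topic-bearing IRC line, else None."""
    line = line.rstrip("\r\n")
    for rx in (RPL_TOPIC_RE, TOPIC_CMD_RE):
        m = rx.match(line)
        if m:
            return m.group("src"), m.group("chan"), m.group("topic")
    return None


def find_bot_command_topics(lines):
    """Return [(channel, topic, source)] for topics that look like bot commands."""
    hits = []
    for line in lines:
        parsed = parse_topic(line)
        if parsed is None:
            continue
        src, chan, topic = parsed
        if BOT_COMMAND_RE.match(topic.strip()):
            hits.append((chan, topic.strip(), src))
    return hits


if __name__ == "__main__":
    for chan, topic, src in find_bot_command_topics(SAMPLE_LINES):
        print(f"{chan}: topic {topic!r} set via {src}")
```

A topic-only command channel is exactly what a legitimate IRC network's channels never look like, so a hit here is worth correlating with the DNS answer that led the host to that server.
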
I would also like to review their customer agreement and see if it indeed gives them the authorization to remove files / uninstall things from the end-user's computer. Granted, the goal is to remove malware; but what if I have been infected by just such malware and need to glean some information, such as what exactly exfiltrated my system? What if I am a business owner and my system contains information that is sensitive to myself, my business or my clients, and I need to know what data exfiltrated my network so that I know what corrective or legal measures need to be taken?


All of this said, they also did not notify anyone that they were effectively hijacking DNS records; this somewhat gets back to my second point concerning legitimate IRC traffic that was obviously interrupted enough to cause investigation into the matter. This further investigation is what led to the discovery of said hijacking, more here: http://www.exstatica.net/hijacked/

To my mind, the concept was an interesting one, albeit ineffective, but the execution was absurd, from unauthorized software removal down to DNS hijacking. This makes you wonder what else they are doing that has not yet been discovered.

Cheers,
JJC
