How Best To Break The News To Users That They're A BotGeorgia Tech researchers study data from DNSChanger botnet to discern the best way for ISPs to clean up bot infections
Turns out last year's massive takedown of the DNSChanger botnet provided a handy case study on the most effective methods of notifying victims and cleaning up their machines. Researchers from Georgia Tech studied the botnet's remediation efforts, which began early last year, and found that phone contact, billing notices, and redirecting infected users to special Web pages are the best ways to alert them to their infections.
At the height of the DNSChanger botnet's life cycle, it had infected 4 million machines worldwide, including Windows and Mac machines. To cut down the botnet, the FBI sinkholed its traffic to temporary DNS servers to prevent a major Internet blackout for the massive number of infected machines. DNSChanger wasn't your typical botnet: It redirected infected machines to its own rogue DNS servers, so when those servers were taken down, the bots would have lost Internet access. So the FBI set up its own stopgap DNS servers during the remediation process, which went on for several months last year.
Georgia Tech researchers Wei Meng, Ruian Duan, and Wenke Lee found in their study of how ISPs handled informing DNSChanger bots that "active" social media updates also helped get bots cleaned up, such as Google's directly alerting users via their browsers that they were infected. "Social media can have an important role to play in alerting users to infections in their systems and in stemming malware outbreaks. We believe in the importance of implementing active, direct notifications earlier in the process," said Lee, who along with his colleagues presented the team's findings this week at the M3AAWG 27th General Meeting in San Francisco.
Online media didn't make much of an impression on victims until a few days before the FBI deadline to shut down the DNS servers loomed, the researchers found. "The 'deadlines' set by FBI had an important role. Google’s direct notifications had positive impact even late in the process," according to the research. "We believe the impact would have been greater if done earlier."
Bottom line: Calling victims by telephone was the most effective notification method, while billing also worked well. Email notification and redirecting victims to custom Web pages for remediation was helpful as well, according to the researchers. And while DNS redirection was the most effective way to prevent bots from communicating with rogue DNS servers, redirection alone is not enough: "DNS redirection alone is not sufficient. Notifications are still needed since machines may still be infected with malware," the researchers wrote in their presentation.
"The industry's response to the DNSChanger malware clearly showed how well competitors and vendors can work together when users' safety is on the line," said Michael O’Reirdan, M3AAWG co-chairman. "It also was an extraordinary opportunity to objectively study the different approaches companies have developed to assist customers and to understand the important role each of us plays in safeguarding the online experience. The active involvement of anti-malware and security tool vendors, social media platforms, law enforcement, operating system vendors and home networking technology vendors has been shown to be crucial. In the end, it takes the entire Internet ecosystem working together to protect end users."
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.
Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio