02:24 PM
Connect Directly

How Best To Break The News To Users That They're A Bot

Georgia Tech researchers study data from DNSChanger botnet to discern the best way for ISPs to clean up bot infections

Turns out last year's massive takedown of the DNSChanger botnet provided a handy case study on the most effective methods of notifying victims and cleaning up their machines. Researchers from Georgia Tech studied the botnet's remediation efforts, which began early last year, and found that phone contact, billing notices, and redirecting infected users to special Web pages are the best ways to alert them to their infections.

At the height of the DNSChanger botnet's life cycle, it had infected 4 million machines worldwide, including Windows and Mac machines. To cut down the botnet, the FBI sinkholed its traffic to temporary DNS servers to prevent a major Internet blackout for the massive number of infected machines. DNSChanger wasn't your typical botnet: It redirected infected machines to its own rogue DNS servers, so when those servers were taken down, the bots would have lost Internet access. So the FBI set up its own stopgap DNS servers during the remediation process, which went on for several months last year.

Georgia Tech researchers Wei Meng, Ruian Duan, and Wenke Lee found in their study of how ISPs handled informing DNSChanger bots that "active" social media updates also helped get bots cleaned up, such as Google's directly alerting users via their browsers that they were infected. "Social media can have an important role to play in alerting users to infections in their systems and in stemming malware outbreaks. We believe in the importance of implementing active, direct notifications earlier in the process," said Lee, who along with his colleagues presented the team's findings this week at the M3AAWG 27th General Meeting in San Francisco.

Online media didn't make much of an impression on victims until a few days before the FBI deadline to shut down the DNS servers loomed, the researchers found. "The 'deadlines' set by FBI had an important role. Google’s direct notifications had positive impact even late in the process," according to the research. "We believe the impact would have been greater if done earlier."

Bottom line: Calling victims by telephone was the most effective notification method, while billing also worked well. Email notification and redirecting victims to custom Web pages for remediation was helpful as well, according to the researchers. And while DNS redirection was the most effective way to prevent bots from communicating with rogue DNS servers, redirection alone is not enough: "DNS redirection alone is not sufficient. Notifications are still needed since machines may still be infected with malware," the researchers wrote in their presentation.

"The industry's response to the DNSChanger malware clearly showed how well competitors and vendors can work together when users' safety is on the line," said Michael O’Reirdan, M3AAWG co-chairman. "It also was an extraordinary opportunity to objectively study the different approaches companies have developed to assist customers and to understand the important role each of us plays in safeguarding the online experience. The active involvement of anti-malware and security tool vendors, social media platforms, law enforcement, operating system vendors and home networking technology vendors has been shown to be crucial. In the end, it takes the entire Internet ecosystem working together to protect end users." Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-07-10
Multiple cross-site scripting (XSS) vulnerabilities in group/control_panel/manage in Liferay Portal 6.1.2 CE GA3, 6.1.X EE, and 6.2.X EE allow remote attackers to inject arbitrary web script or HTML via the (1) _2_firstName, (2) _2_lastName, or (3) _2_middleName parameter.

Published: 2014-07-10
The File Transfer feature in WebEx Meetings Client in Cisco WebEx Meetings Server and WebEx Meeting Center does not verify that a requested file was an offered file, which allows remote attackers to read arbitrary files via a modified request, aka Bug IDs CSCup62442 and CSCup58463.

Published: 2014-07-10
Heap-based buffer overflow in the file-sharing feature in WebEx Meetings Client in Cisco WebEx Meetings Server and WebEx Meeting Center allows remote attackers to execute arbitrary code via crafted data, aka Bug IDs CSCup62463 and CSCup58467.

Published: 2014-07-10
Cross-site scripting (XSS) vulnerability in in the Dialed Number Analyzer (DNA) component in Cisco Unified Communications Manager allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCup76308.

Published: 2014-07-10
The Multiple Analyzer in the Dialed Number Analyzer (DNA) component in Cisco Unified Communications Manager allows remote authenticated users to bypass intended upload restrictions via a crafted parameter, aka Bug ID CSCup76297.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.