02:24 PM
Connect Directly
Repost This

How Best To Break The News To Users That They're A Bot

Georgia Tech researchers study data from DNSChanger botnet to discern the best way for ISPs to clean up bot infections

Turns out last year's massive takedown of the DNSChanger botnet provided a handy case study on the most effective methods of notifying victims and cleaning up their machines. Researchers from Georgia Tech studied the botnet's remediation efforts, which began early last year, and found that phone contact, billing notices, and redirecting infected users to special Web pages are the best ways to alert them to their infections.

At the height of the DNSChanger botnet's life cycle, it had infected 4 million machines worldwide, including Windows and Mac machines. To cut down the botnet, the FBI sinkholed its traffic to temporary DNS servers to prevent a major Internet blackout for the massive number of infected machines. DNSChanger wasn't your typical botnet: It redirected infected machines to its own rogue DNS servers, so when those servers were taken down, the bots would have lost Internet access. So the FBI set up its own stopgap DNS servers during the remediation process, which went on for several months last year.

Georgia Tech researchers Wei Meng, Ruian Duan, and Wenke Lee found in their study of how ISPs handled informing DNSChanger bots that "active" social media updates also helped get bots cleaned up, such as Google's directly alerting users via their browsers that they were infected. "Social media can have an important role to play in alerting users to infections in their systems and in stemming malware outbreaks. We believe in the importance of implementing active, direct notifications earlier in the process," said Lee, who along with his colleagues presented the team's findings this week at the M3AAWG 27th General Meeting in San Francisco.

Online media didn't make much of an impression on victims until a few days before the FBI deadline to shut down the DNS servers loomed, the researchers found. "The 'deadlines' set by FBI had an important role. Google’s direct notifications had positive impact even late in the process," according to the research. "We believe the impact would have been greater if done earlier."

Bottom line: Calling victims by telephone was the most effective notification method, while billing also worked well. Email notification and redirecting victims to custom Web pages for remediation was helpful as well, according to the researchers. And while DNS redirection was the most effective way to prevent bots from communicating with rogue DNS servers, redirection alone is not enough: "DNS redirection alone is not sufficient. Notifications are still needed since machines may still be infected with malware," the researchers wrote in their presentation.

"The industry's response to the DNSChanger malware clearly showed how well competitors and vendors can work together when users' safety is on the line," said Michael O’Reirdan, M3AAWG co-chairman. "It also was an extraordinary opportunity to objectively study the different approaches companies have developed to assist customers and to understand the important role each of us plays in safeguarding the online experience. The active involvement of anti-malware and security tool vendors, social media platforms, law enforcement, operating system vendors and home networking technology vendors has been shown to be crucial. In the end, it takes the entire Internet ecosystem working together to protect end users." Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

Published: 2014-04-24
The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers to bypass authentication and impersonate arbitrary users via the X-Remote-User header in a request to...

Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

Best of the Web