TimeWarner DNS Hijacking

Exstatica writes "It looks like TimeWarner is taking vigilante action on the botnet problem. They've hijacked DNS for a few IRC servers, the latest being irc.mzima.net and irc.nac.net — both part of EFNet. (irc.vel.net was hijacked earlier but has been restored.) Using ns1.sd.cox.net, the lookup returns an IP for what looks to be a script that forces the user into a channel and issues a set of commands to clean the drones. There have been different reports of other IRC networks being hijacked and other DNS servers involved. Is this the right way to handle the botnet problem? Is hijacking DNS legal?" Botnets are starting to move off of IRC for command and control, anyway.
Update: 07/24 00:01 GMT by KD : Updated and added more links; thanks to Drew Matthews at vel.net. 07/24 11:52 GMT by KD : Daniel Haskell wrote in to say that ircd.nac.net is seeing cox.net connections again, and that they are in discussion with the EFF over the matter.
This discussion has been archived. No new comments can be posted.

  • by Exstatica ( 769958 ) * on Monday July 23, 2007 @07:52PM (#19963505) Homepage
    Since submitting this article yesterday there have been some new developments. There was a large debate on NANOG about what has been happening, and it was eventually published on Wired [wired.com]. The full description of everything that has happened and how it happened can be found on my site at http://www.exstatica.net/hijacked/ [exstatica.net]. As for irc.vel.net, our DNS has been returned to us, but irc.mzima.net appears to still be hijacked.
  • TimeWarner != Cox (Score:3, Informative)

    by OverlordQ ( 264228 ) on Monday July 23, 2007 @08:01PM (#19963605) Journal
    While Cox used to use Time Warner's RoadRunner for their cable internet service, Cox's Internet offerings are in-house now.
  • Re:What??? (Score:4, Informative)

    by Martin Blank ( 154261 ) on Monday July 23, 2007 @09:11PM (#19964177) Homepage Journal
    Actually, if you can get past the first level of drones (and sometimes the second level, depending on the company), you'll talk to people who know not only what a packet is, but also can do actual troubleshooting on the modem connection and make some sense of it. I've experienced this with Comcast, Adelphia, and Time-Warner (it was completely absent, so far as I could tell, from MediaOne when they were around); in one case, I got a very thorough explanation of the problem as it related to head-end equipment and what needed to be done to fix it from the tech as she was entering it into the work order.

    The problem, of course, is that almost all users that call in don't need more than scripted hand-holding, and those of us that know what we're talking about call in and hit that wall, through which it can be very difficult to find an open window through which to crawl to find a knowledgeable person.
  • Comment removed (Score:4, Informative)

    by account_deleted ( 4530225 ) on Monday July 23, 2007 @09:21PM (#19964251)
    Comment removed based on user account deletion
  • by Pap22 ( 1054324 ) on Monday July 23, 2007 @09:29PM (#19964305)
    http://secureme.blogspot.com/2005_06_01_archive.html [blogspot.com]

    Scroll down to the very bottom of that page. Notice the date.
  • Re:crackz.ws dns (Score:3, Informative)

    by Technician ( 215283 ) on Monday July 23, 2007 @10:33PM (#19964799)
    it redirects to a "Scam Blocked" page...

    If you don't like the Cox DNS results, feel free to put another DNS server in your router or computer. Switch from dynamic DNS to static DNS and use some of the public DNS servers.

    Here is a good place to start:
    http://www.opennic.unrated.net/public_servers.html [unrated.net]
  • Re:No, probably not (Score:3, Informative)

    by stonecypher ( 118140 ) <stonecypher@noSpam.gmail.com> on Monday July 23, 2007 @10:46PM (#19964901) Homepage Journal
    The law doesn't seem to agree with you. From the thing you didn't read: (b) Diversion of services.--A person is guilty of theft if, having control over the disposition of services of others to which he is not entitled, he knowingly diverts such services to his own benefit or to the benefit of another not entitled thereto. Whether that benefit is monetary doesn't seem to matter.

    It turns out that when you're a telecommunications provider, there are a whole bunch of laws to the effect of "you can't divert or compromise the telecommunications you're selling."
  • by Anonymous Coward on Monday July 23, 2007 @11:45PM (#19965321)
    Time Warner was not the one doing "#badbotbad" -- AOL was/is. Additionally, it forced all bots into that channel *in addition* to the preprogrammed channel(s). They "null route" on the ATDN usually, but from time to time they would "next hop" the traffic to standalone server running a modified ircd.

    The "#badbotbad" topic was rotated frequently amongst the most common bots/variants. The specific channels had their topics set according to the most common bot using that channel at the time.

    Finally, a nickserv was established to preregister certain nicks and masks to deter "real" bot herders/owners from signing on to take back control. A script then slammed into the server with the registered nick(s), sending the appropriate kill commands.

    Sometimes it worked, and sometimes it didn't.
  • Transcript of IRC (Score:4, Informative)

    by simpleguy ( 5686 ) on Tuesday July 24, 2007 @01:53AM (#19966019) Homepage
    [ simple1 @ saturn ] ~ $ dig @ns1.dc.cox.net irc.mzima.net
    irc.mzima.net. 300 IN A 70.168.70.4

    Connecting to 70.168.70.4 (70.168.70.4) port 6667.

    [JOIN] You are now talking on #martian_
    [MODE] localhost.localdomain sets mode +n #martian_
    [MODE] localhost.localdomain sets mode +t #martian_
    [TOPIC] Topic for #martian_ is .bot.remove
    [TOPIC] Topic for #martian_ set by Marvin_ at Tue Jul 24 09:48:56 2007
    [TOPIC] Topic for #martian_ is .remove
    [TOPIC] Topic for #martian_ set by Marvin_ at Tue Jul 24 09:48:56 2007
    [TOPIC] Topic for #martian_ is .uninstall
    [TOPIC] Topic for #martian_ set by Marvin_ at Tue Jul 24 09:48:56 2007
    [TOPIC] Topic for #martian_ is !bot.remove
    [TOPIC] Topic for #martian_ set by Marvin_ at Tue Jul 24 09:48:56 2007
    [TOPIC] Topic for #martian_ is !remove
    [TOPIC] Topic for #martian_ set by Marvin_ at Tue Jul 24 09:48:56 2007
    [TOPIC] Topic for #martian_ is !uninstall
    [TOPIC] Topic for #martian_ set by Marvin_ at Tue Jul 24 09:48:56 2007

      .bot.remove
      .remove
      .uninstall
      !bot.remove
      !remove
      !uninstall

    That's it.

  • The Golden Rule (Score:3, Informative)

    by BillGatesLoveChild ( 1046184 ) on Tuesday July 24, 2007 @03:22AM (#19966415) Journal
    OP asks "Is this the right way to handle the botnet problem? Is hijacking DNS legal?"

    A good question. Let me check for you.... Hang on... looking up Time Warner's Bank Balance. Uh huh... HOLY COW!

    In answer to your question, yes, DNS hijacking is most definitely legal.
  • by Anonymous Coward on Tuesday July 24, 2007 @04:08AM (#19966599)
    While I agree that ISPs should be doing something against botnet and trojan problems, this is not the way to go for several reasons.
    First of all, redirecting traffic or manipulating dns replies for sites/domains/servers you do not own is a legal no-go for ISPs and ICPs of any kind. It opens up the possibility of man-in-the-middle attacks and also very much is against the idea of the Internet itself.

    Second, timewarner did not only redirect connections to EFnet, they also didn't bother to contact either their users or EFnet about this. EFnet had to deal with all those complaints - which they could not handle as it wasn't their fault.

    Third, timewarner chose a concept that is bound to fail. One cannot just redirect IRC traffic for a random IRC server. While there are botnets that use standard ports ofc, most botnets either use private irc servers (installed on cracked machines) and/or non-standard ports. And as the OP said, they are moving to other ways of communication. As for EFnet, TW should have told the staff that they suspected a botnet and given details. This would have been way more efficient and would not just annoy all affected (and possibly not even infected) users.

    Fourth, as I've seen details about timewarner's actions, they're trying to run different uninstall commands on the possibly infected machines. They'd either need to exactly know which command it'd take or test all of them while risking that the infected machine will detect this overtake procedure and go into a "safe mode" or disconnect again.

    If I were to summarize this: The idea isn't that bad, but it's bound to fail as botnets and IRC do not work the way they think.

    PS: I'm not an EFnet representative, but I'm part of an organization that works on disabling botnets together with other people from various irc networks. I do not understand why timewarner did not even bother to try to contact us - even though I had contact with their abuse desk a long time ago.
  • by makomk ( 752139 ) on Tuesday July 24, 2007 @05:35AM (#19966977) Journal
    The answer is, both are doing it. Apparently, there are different techniques - one lot is using forged DNS responses to redirect connections to their own server, and the other is intercepting packets to port 6667 on certain IP addresses and sending them to their own server.
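    A defender-side check for the two redirection techniques makomk describes, added here as an example and not code from any poster in this thread: it flags a resolver whose answer for irc.mzima.net differs from the other resolvers (forged DNS), and flags a session in which the server names itself something other than the host that was resolved, as localhost.localdomain does in the transcript above (in-path interception). The resolver names ending in .example, the 192.0.2.10 address and the raw IRC lines are constructed; 70.168.70.4 is the address from the dig output.

```python
"""Two checks for the redirection techniques described in the thread: forged DNS
answers, and in-path interception of port 6667. Added example; inputs are constructed."""
import re
from collections import Counter

# Constructed resolver answers for irc.mzima.net; 192.0.2.10 is a documentation-range placeholder.
SAMPLE_ANSWERS = {
    "ns1.dc.cox.net": {"70.168.70.4"},
    "resolver-a.example": {"192.0.2.10"},
    "resolver-b.example": {"192.0.2.10"},
}

# Constructed raw IRC lines modelled on the transcript: the server calls itself localhost.localdomain.
SAMPLE_IRC = [
    ":localhost.localdomain 001 simple1 :Welcome to the Internet Relay Network simple1",
    ":localhost.localdomain MODE #martian_ +n",
    ":Marvin_!~m@10.0.0.1 TOPIC #martian_ :.bot.remove",
    ":Marvin_!~m@10.0.0.1 TOPIC #martian_ :!uninstall",
]

# prefix, command (numeric or verb), remaining parameters
PREFIX = re.compile(r"^:(\S+) (\d{3}|[A-Z]+)(?: (.*))?$")

def dns_divergence(answers):
    """Resolvers whose A records differ from the majority answer set."""
    consensus = Counter(frozenset(a) for a in answers.values()).most_common(1)[0][0]
    return sorted(n for n, a in answers.items() if frozenset(a) != consensus)

def server_name(lines):
    """Server name from the 001 welcome numeric, or None if not seen."""
    for line in lines:
        m = PREFIX.match(line)
        if m and m.group(2) == "001":
            return m.group(1)
    return None

def topic_changes(lines):
    """Channel topics set during the session, in order."""
    out = []
    for line in lines:
        m = PREFIX.match(line)
        if m and m.group(2) == "TOPIC" and m.group(3):
            parts = m.group(3).split(" :", 1)
            if len(parts) == 2:
                out.append(parts[1])
    return out

def looks_redirected(expected_host, lines):
    """True when the server's own name is not the host that was resolved."""
    name = server_name(lines)
    return name is not None and name.lower() != expected_host.lower()
```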
  • by Curien ( 267780 ) on Tuesday July 24, 2007 @05:52AM (#19967053)
    Can they even demonstrate that I don't know of the existence of that malware? Maybe I installed it myself, maybe I'm monitoring it.

    Then you violated your TOS and were on their network illegally.

    It's your PC, but it's THEIR network. They have the right to defend their network and the obligation to protect other people using it. I'd even bet their TOS authorizes this kind of behavior.
  • by humankind ( 704050 ) on Tuesday July 24, 2007 @10:36AM (#19969411) Journal
    I find it ironic that Time Warner is going at this from the wrong end of the problem. If they filtered port 25 traffic from broadband DUL space, the spammers wouldn't be interested in invading their customers' machines. It's almost always about spam. The fact that most of these ISPs do little to stop their customers' machines from being zombied, or anything to reduce the viability of them being exploited, shows how much they really care about the customers. All broadband ISPs should now be filtering SMTP traffic on their networks. Anyone that wants to run their own mail server can set up alternate ports and use special IP space designated for SMTP traffic. This would make the botnets obsolete.
