DNSChanger Aftermath: Should We Ban The Diseased?

At the end of the DNSChanger saga, Tom Brewster asks if infected machines should be banned from the Internet

The DNSChanger saga has been well-documented, with today marking the climax of the drawn-out crescendo of panic. It was always going to be anticlimactic though, as no cataclysmic fallout has yet emerged since the FBI pulled the plug on the temporary DNS servers that once helped run the DNSChanger botnet.

As the cacophony subsides, the community can start looking back at the DNSChanger story, firstly as a massive success for law enforcement in their ongoing fight against cyber crime. Not only was a $15 million scam shut down, but arrests were made. As for the dismantling of the infrastructure, the FBI did a fine balancing job, accepting it had to give people time to disinfect their computers, whilst pushing on with the complete removal of the dirty DNS servers.

But as the final nail in DNSChanger’s coffin is hammered down, a key question has to be asked: should disease-ridden machines be banned from the internet? No, those infected with DNSChanger were not a major threat to other web users, and they were not cut off because they were a danger. But those who fail to rid their machines of malware after months of warning, and those who don’t protect their systems with adequate software, are a risk to others. That’s largely because they help make up botnets that continue to cause such massive financial damage to individuals and businesses alike.

Microsoft madness?

Back in 2010, Microsoft backed the idea of forbidding infected computers from accessing the Web. It proposed a system where any computer containing malicious kit would be placed in quarantine, prevented from accessing the Internet, until it received a “health certificate”. That would help stop botnets forming into megalithic collections of diseased computers.

Botnets tend to propagate by forcing infected machines to spam others with messages attempting to dupe recipients into downloading malware. That’s either done by pushing malicious attachments to the recipient, or by tricking them into going to a specially-crafted site that initiates a malware download on arrival (otherwise known as a drive-by attack). If users can’t connect to the Web, this can’t happen.

“Just as when an individual who is not vaccinated puts others’ health at risk, computers that are not protected or have been compromised with a bot put others at risk and pose a greater threat to society,” said Scott Charney, corporate vice president of Microsoft’s Trustworthy Computing division, at the time.

“In the physical world, international, national, and local health organizations identify, track and control the spread of disease which can include, where necessary, quarantining people to avoid the infection of others.”

An unworkable idea

Charney’s idea is an admirably radical one. The health of the Internet does need a boost, and requires bold measures to improve it. But banning infected devices is also close to unworkable.

Such a project would require an independent organisation to check every machine to see whether it is protected by adequate security software, whilst ISPs would have to stop victims heading onto websites that had somehow flagged they didn’t want to allow dirty users. A major transition would therefore be needed – one that all parties involved in the Internet would have to accept. “It would be a nice idea for the Internet as a whole, but I can’t see how it would work,” says Professor Alan Woodward, from the computing department at the University of Surrey.

“Unfortunately, it isn’t yet possible. To cut-off computers now would cause far too many support calls,” adds F-Secure’s Sean Sullivan.

There remain other, almost insurmountable technical challenges in determining which systems are infected. What entity takes control of checking machines, and how would it gain access to systems to scan them? And how would it cope with the way IP addresses are shared and reassigned among users?

“Diagnosis of the presence of malware based on an IP address presents huge problems where addresses are dynamic, or gateway addresses used by multitudes of users,” David Harley, senior research fellow at ESET, tells TechWeekEurope. “Even a MAC (Media Access Control) address, while unique to a network interface, isn’t granular enough. You’re likelier to pick up an ID that belongs to a gateway server than you are that of an individual infected machine.”

But if the Internet does need some new armour, and we can’t stop all infected machines coming online, what effective treatment can be applied? For a start, users should take on more responsibility, Woodward argues. Perhaps they should even be liable when serious financial damage is caused as a result of their carelessness, he says.

“Ask yourself whether someone who is the source of spreading a virus (albeit unintentionally) should be liable for the damage they cause. In most walks of life you would say they are liable,” he says. “Indeed, in many parallel situations that duty of care extends to the point where if someone does not exercise a reasonable level of care then they can be sued for the financial loss suffered. I think we are either at that point or very close to it with use of the Internet.”

ISPs have the answer

Although users do need to play their part, pressure is rightly being heaped upon ISPs to step up to the plate. It is they who have the power to more effectively determine which machines are infected and then apply the right measures.

They could work with one another to establish a two-tier Internet, which would see safe users sent to a serene “walled garden”, whilst others would have to roam about in a dangerous jungle. But that would require even more dramatic changes to the infrastructure of the Web than banning the diseased from getting online.

A more pragmatic approach is therefore needed. ISPs should more actively disinfect victims and subsequently educate them, according to one expert. “Cutting people off is a step too far and it would benefit Microsoft as many would buy new machines rather than clean up their old ones,” claims Ross Anderson, professor of security engineering at the University of Cambridge’s Computer Laboratory. Instead, a “serious effort” to get customers clean is the better option, Anderson says.

In the US, Comcast is particularly proactive in this respect, working with security firms to identify bots, checking for malicious activity like spamming or denial of service attacks, and then accumulating the data to determine whether to alert a customer. It then offers assistance in removing the relevant malware.

In the UK, some ISPs are taking baby steps in the right direction. Last June saw Virgin Media work with the Serious Organised Crime Agency (SOCA) to warn 1500 people that their machines were infected with the SpyEye Trojan. Virgin also offered to remotely identify and eliminate problems.

Encouragingly, ISPs are at least espousing a keenness to make the Internet safer. “Most of the major ISP partners we work with are interested in building better quarantine gardens to help their customers detect threats and to clean up their computers,” Sullivan says.

Yet whilst DNSChanger should open up the debate again, placing additional pressure on the likes of BT in the UK, Harley isn’t convinced ISPs will foot the bill for significant changes. “I suspect that most providers will simply assume that the problem is too intractable, and that the cure is likely to be worse – or at any rate, less popular and more expensive – than the disease.”