Internet service provider Cox Communications is reportedly diverting attempts to reach certain online chat channels and redirecting them to a server that attempts to remove spyware from the connecting computer. By doing so the company seems to be attempting to cleanse computers of malware that hijacks the computer's resources to send spam and to participate in attacks on online services as part of a large network of compromised computers known as a botnet.

Specifically, Cox’s DNS server is responding to a domain name request for an Internet Relay Chat server. Instead of responding with the correct IP address for the server, Cox sends the IP address of its own IRC server (70.168.70.4). That server then sends commands to the computer that attempt to remove malware.
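To show how a defender could spot this kind of redirection from a captured resolver reply, here is an added example (not from the article, Cox, or the IRC server operators) that parses the A records in a DNS response and flags names answered with the 70.168.70.4 address the article reports. The irc.example.net name and the sample packet are constructed placeholders, not real observations.

```python
import struct
from ipaddress import IPv4Address

COX_REDIRECT_IP = "70.168.70.4"  # address the article reports Cox returning for IRC names

def read_name(pkt, off):
    """Decode the DNS name at pkt[off], following RFC 1035 compression pointers."""
    labels, end = [], None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                      # 2-byte compression pointer
            if end is None:
                end = off + 2                          # resume here after the jump
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)

def a_records(pkt):
    """Return {name: [ipv4, ...]} for the A records in a DNS response packet."""
    qdcount, ancount = struct.unpack("!HH", pkt[4:8])
    off = 12
    for _ in range(qdcount):                           # skip the question section
        off = read_name(pkt, off)[1] + 4               # name + QTYPE + QCLASS
    answers = {}
    for _ in range(ancount):
        name, off = read_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1:                 # A record, class IN
            answers.setdefault(name, []).append(str(IPv4Address(pkt[off:off + 4])))
        off += rdlen
    return answers

def redirected_names(pkt, redirect_ip=COX_REDIRECT_IP):
    """Names in the response that were answered with the redirect address."""
    return sorted(n for n, ips in a_records(pkt).items() if redirect_ip in ips)

def build_response(name, ip, ttl=300):
    """Constructed test packet: one question and one A answer that uses a name pointer."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + IPv4Address(ip).packed
    return header + qname + struct.pack("!HH", 1, 1) + answer

# irc.example.net is a placeholder; the packet mimics the redirect the article describes.
SAMPLE_RESPONSE = build_response("irc.example.net", COX_REDIRECT_IP)
```

Run over real captures, the same check compared against a second, trusted resolver's answer is what a DNSSEC-validating stub does automatically for signed zones.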

The resulting chat session, as reported to a network administrator mailing list, looks like this:

#martian_
[INFO] Channel view for "#martian_" opened.
-->| YOU (andrew.m) have joined #martian_
=-= Mode #martian_ +nt by localhost.localdomain
=-= Topic for #martian_ is ".bot.remove"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
=-= Topic for #martian_ is ".remove"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
=-= Topic for #martian_ is ".uninstall"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
=-= Topic for #martian_ is "!bot.remove"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
=-= Topic for #martian_ is "!remove"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
=-= Topic for #martian_ is "!uninstall"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
<Marvin_> .bot.remove
<Marvin_> .remove
<Marvin_> .uninstall
<Marvin_> !bot.remove
<Marvin_> !remove

Though clever, the tactic is being heavily debated by networking experts on the NANOG mailing list. Some question the effectiveness of the technique; others question whether blocking access to the channels for all users, by breaking the DNS protocol, is an appropriate way to stop some malware. Cox does not seem to be blocking all IRC channels, but anyone trying to reach the affected channels through Cox's DNS servers will be unable to reach them.

Professor Steven Bellovin wrote that the tactic shows why DNS lookups should be digitally signed to show their authenticity:

If my host expects the response to be signed and it isn’t, my host can scream bloody murder. The whole point of DNSSEC is to prevent random changes to DNS replies, whether by hackers or by ISPs. Yes, they can change it, but they can’t change it without being caught.

IRC channels are heavily used by programmers, non-traditional communities and black-hat hackers, among others. The malware-infected zombie computers Cox is attempting to clean can also be controlled remotely by having them connect to an IRC channel where they get instructions from their controller.

UPDATE: Andrew Matthews, who runs one of the redirected IRC servers, first reported this behavior to the NANOG list and has more info on his own site.

Adam Waters of Support Intelligence gives a hearty thumbs-up:

[I]t can't be a surprise that the ISPs have come, at long last, to fixing zombies without customer notification/consent. At this point the threat to the fundamental trust and usability of the network surpasses my privacy, or technical concerns around breaking DNS. Frankly, redirecting requests to malware sites, or IRC communication channels, to cleaner-sites sounds like a practical short term tactic to me. And if it raises awareness around the seriousness of the bot problem I'm all for it.

Sean Donelan, a NANOG regular, tells THREAT LEVEL there’s nothing to see here, really, just a minor glitch with abuse watch lists.