IRC admins claim TimeWarner hijacks DNS to clean botnets
Administrators of Internet Relay Chat (IRC) servers say they have recently become aware of dropping user counts from certain ISPs, especially the TimeWarner-owned Cox.net.
It is well known that botnets consisting of large numbers of compromised PCs are becoming more of a problem and are harder to find, harder to fight and harder to destroy. Until recently, the only people who seemed to be doing the fighting against this threat were the producers of anti-virus software. It is then up to the computer administrator or home user to install this software in an attempt to remove any malicious programs from their system. As more and more viruses and trojans are released every day, this is not as simple as it sounds.
According to a number of IRC administrators, the Internet Service Provider Cox.net seems to have taken this fight away from its customers and into its own hands.
Many botnets use the IRC protocol for communication and control, so it makes sense that this is where Cox decided to strike. After administrators of the Ablenet IRC network noticed its users disappearing, they started investigating the cause and found that a DNS server owned by Cox was returning falsified data and hijacking DNS entries, which caused any legitimate IRC connection to be redirected to a server owned by Cox.
After being redirected to Cox’s server, a number of commands are sent to the user. To most users this is incomprehensible data, but the server is in fact issuing commands which attempt to uninstall one particular type of malicious trojan.
By hijacking a user’s connection in this manner, IRC networks are receiving a bad reputation because most connecting users are not aware that their connection has been hijacked. Users are left guessing why they cannot chat with their friends like normal, and aim their frustration toward the administrators of the IRC network. For most home users, avoiding this connection hijacking is not a trivial task.
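The symptoms described above (a resolver handing back an address that does not belong to the network, and a welcome banner from a server the client never dialled) can both be checked from the client side. The following is an added example, not code from the article or from any of the networks or ISPs it names; the hostnames, addresses and IRC lines in it are constructed sample data, and the two-label domain comparison is a deliberately crude heuristic.

```python
"""Added example: two client-side checks for the DNS-redirect symptoms the
IRC administrators describe. All hostnames, addresses and IRC lines below
are constructed sample data (RFC 5737 documentation ranges), not real values."""

import re
import socket

# Constructed sample: the address set the ISP resolver handed back, versus
# the set an independent resolver or the network's published list returns.
ISP_ANSWER = {"203.0.113.10"}                          # constructed
REFERENCE_ANSWER = {"198.51.100.20", "198.51.100.21"}  # constructed


def dns_disagreement(isp_answers, reference_answers):
    """Addresses the ISP resolver returned that the reference source did not.
    A non-empty result is the first symptom the Ablenet admins report:
    the resolver is answering with an address that is not the network's."""
    return set(isp_answers) - set(reference_answers)


def resolve_with_system_resolver(hostname, port=6667):
    """Live lookup through whatever resolver the system is configured with
    (typically the one the ISP pushed via DHCP). Feed its result into
    dns_disagreement() alongside an answer from an independent resolver.
    Not used by the offline checks below."""
    return {info[4][0] for info in
            socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)}


# Server-to-client IRC lines start with ":<prefix>" naming the sender.
# Numeric 001 (RPL_WELCOME) is the first reply a server sends after
# registration, so its prefix is the server's own announced name.
_NUMERIC_RE = re.compile(r"^:(?P<server>\S+)\s+(?P<code>\d{3})\s")


def server_name_from_welcome(lines):
    """Return the server name announced in the 001 welcome line, or None."""
    for line in lines:
        m = _NUMERIC_RE.match(line)
        if m and m.group("code") == "001":
            return m.group("server")
    return None


def welcome_matches_dialled(lines, dialled_host):
    """True if the announcing server shares the last two DNS labels with the
    host the client intended to reach. Crude heuristic (assumption): good
    enough to notice a redirect to an unrelated domain, not a proof of identity."""
    announced = server_name_from_welcome(lines)
    if announced is None:
        return False
    return (announced.lower().split(".")[-2:]
            == dialled_host.lower().split(".")[-2:])


# Constructed sample session: the client dialled irc.example.net, but the
# welcome banner comes from a host in an entirely different domain.
SAMPLE_SESSION = [
    ":cleaner.isp-example.net NOTICE AUTH :*** Looking up your hostname",
    ":cleaner.isp-example.net 001 alice :Welcome to the network alice!alice@host",
]

if __name__ == "__main__":
    print("resolver disagreement:", dns_disagreement(ISP_ANSWER, REFERENCE_ANSWER))
    print("welcome matches dialled host:",
          welcome_matches_dialled(SAMPLE_SESSION, "irc.example.net"))
```

A user who sees both checks fail has a concrete reason to suspect the resolver rather than the IRC network's operators, which is exactly the misdirected blame the administrators complain about.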
More recently, administrators from EFnet, the oldest and 4th largest IRC network in the world, which currently holds around 60,000 concurrent users, have also suffered from their DNS entries being hijacked by Cox.
At present there are no laws in the United States to stop Cox, or other ISPs, from hijacking and falsifying DNS entries; however, the legal position on automatically cleaning trojans is much less clear. In the United Kingdom it is a definite breach of the Computer Misuse Act for any system or user to perform ‘Unauthorised Modification’ of another computer system. By issuing commands to a user’s PC without their prior consent, this is exactly what Cox appears to be currently doing.
One thing is for certain, with all the current emphasis on Net Neutrality laws in the United States, Cox may have very effectively demonstrated why so many people are campaigning to see it become a reality.