Operation Ghost Click/DNSchanger dismantled a long running criminal exploitation of the domain name system. As the name of the malware suggests, DNSchanger interfered with the expected and intended behavior of domain name resolution by causing the DNS to return different IP address information when Internet users try to resolve certain domain names from the addresses the owner of the domain name intended. In the case of DNSchanger, the false information returned enabled criminals to defraud Internet advertisers (click ad or pay per click), collect bogus credit card payments, and prevent users from updating or patching security software (See Gary Warner's post for an excellent, detailed analysis).
The criminal intent of the actors here is quite apparent. DNSchanger forces the DNS to tell lies, very black lies.
Other actors change the DNS in similar ways.
Service providers who use error resolution services modify and return synthesizedresponses to DNS requests when domains do not exist (NXDOMAIN). Whether you call these responses synthesized, conjured, or "made up," they are at best grey lies for several reasons. While certain Internet users may benefit from a helpful positive response over a non-existent domain, the registered domain name holder has no control over what this response looks like and does not profit from any proceeds resulting from the redirection.
Recent bills under consideration in the US Congress - S.968 ProtectIP and H.R.3261 SOPA -contain provisions for the DOJ to issue court orders that compel DNS operators to (i) block resolution of domains that are allegedly associated with online piracy and brand infringement (ii) return synthesized responses, a.k.a., a Text of Notice, stating that "an action is being taken [against the domain name owner] pursuant to a court order obtained by the Attorney General".
Supporters of these bills believe that these synthesized responses are white lies. Those who oppose the bill see them as grey or black. Respected members of the Internet technical community note in a white paper that blocking (DNS filtering) creates serious security and operational problems and is easily circumvented. Others worry
that the bill overreaches in defining wrongdoing and may easily be abused. Opponents and supporters argue over whether due process protections are upheld or set aside in the interestof protecting copyrights and IP.
What Color is Your Lie?
Comparing how DNSchanger, error resolution services, and Protect IP/SOPA affect users and the DNS sheds some light on why deciding whether redirection is a black, grey or white lie is not a simple matter of black and white.
|DNSchanger||Yes||To ad fraud or malicious pages|
|Error Resolution||Yes||To ad or landing pages|
|ProtectIP/SOPA||Yes||To a notice page, text determined by US AG|
|Control over Redirection||Discussion|
|DNSchanger||Criminal||Specific domains are targeted, domain registrant is often unaware that redirection is occuring|
|Error Resolution||3rd party||"Non-existent domain" responses (user sees "page not found), domain name registrant has no control over landing page content or security|
|ProtectIP/SOPA||US AG||Domains identified in court order, registrant has no control over landing page content|
|DNSchanger||No||Criminals want malware to operate unobtrusively|
|Error Resolution||Not assured||Certain error resolution affiliates may provide notice|
|ProtectIP/SOPA||No||US AG may block or sinkhole rather than redirect domain|
|Error Resolution||Yes||Error resolution provider or affiliate(s) profit|
|Infection from DNS changed sites|
|DNSchanger||Possible||If criminals redirect to affiliate that hosts malicious executables|
|Error Resolution||Possible||If criminals hack site to which users are directed|
|ProtectIP/SOPA||Possible||If criminals hack site to which users are directed (no site is immune to attack)|
|Affect on DNSSEC|
|DNSchanger||Bypass||The endpoint is compromised, and the malware points the client application to a different resolver that returns different data than requested.|
|Error Resolution||Disruptive||A DNSSEC-enabled resolver that does its own validation will not accept a redirected response nor will it trust an unsigned NXDOMAIN.|
|ProtectIP/SOPA||Disruptive||A DNSSEC-enabled resolver that does its own validation will not accept a redirected response. Indistinguishable from error resolution or other kinds of redirection.|
|Remedy: mitigation, circumvention, bypass|
|DNSchanger||Not assured||Like all infections, the only certain remedy is to wipe clean and reinstall from scratch|
|Error Resolution||Not assured||Some providers may offer opt-out to user|
|ProtectIP/SOPA||Prohibited||Attempts to circumvent may cause US AG to seek injunctive relief|
One final example of redirection may lend clarity to the discussion. Organizations that have been phished work with security professionals, law enforcement to identify malicious registrations or compromised servers where phish URLs are hosted. They work in cooperation, often with court orders but always with sufficient evidence of criminal activity that false positives are rare. Once phishing sites are taken down, organizations are encouraged to redirect would be victims to a APWG Phishing Education Landing Page. This is done at the discretion or direction of the phished organization, with full understanding and consent to the content and security of the landing page.
The process is not always as expedient as victims and victimized brands would like, but it is effective and it can be implemented in a manner that doesn't break DNS security, infringe on free speech or abuse due process. But rather than propose bills out of frustration, isn't it worth considering how to improve and accelerate processes that are working, and to consider ways to make them scale and work smoothly, internationally?
Thanks to Steve Crocker, Joe St. Sauver and Paul Vixie for sanity checks and valuable input.