Feeds

Telstra to DNS-block botnet C&Cs with unknown blacklist

What could possibly go wrong other than a C&C net sharing your colo barn's IP address?

Internet Security Threat Report 2014

Telstra is preparing to get proactive with malware, announcing that it will be implementing a DNS-based blocker to prevent customer systems from contact known command-and-control servers.

The “malware suppression” tool will will be introduced at no cost for fixed, mobile and NBN customers using domestic broadband and Telstra Business Broadband services.

The service is using a command-and-control address list sourced from an unnamed Californian partner, and the carrier maintains that it won't be recording users' browsing history.

However, there seems to be a little confusion between different arms of the carrier as to how the malware suppression service works. Here's how the promotional blog post discusses the technology:

“Because the malware suppression technology only observes DNS queries and not internet traffic, no internet search history, browsing data or any other customer data is recorded, retained or sent to a third party.”

(Vulture South notes that the last time we looked, DNS queries travelled over the Internet. We therefore conclude that Telstra is trying to reassure customers that the content of their browsing is not examined.)

In its support Q&A, the carrier states:

“We do not retain a record of legitimate DNS queries made by your computer and those legitimate queries will be unaffected by the new malware suppression” (emphasis added).

As the same page notes, if the carrier has reason to query (sorry) a DNS query, it will fire off a query to California:

“At times, the DNS server may notice a pattern of queries from a number of different users which looks suspicious (for example, why would a real user try to go to a domain like qwe54fggty.dyndns.biz?). In this case, information about the suspicious target domain might be sent to our partner in California to examine whether the domain is a botnet or command & control server.”

However, it states, in requesting that a domain be examined by its blacklist supplier, it will not pass on any information to identify the user or users trying to contact that domain.

In response to The Register's questions, a Telstra spokesperson provided this statement:

"We are introducing malware suppression technology to the Telstra BigPond Network to help improve safety and security of the internet for our customers. We have developed the upgrade to our network with a technology partner, a firm based in the United States. The malware suppression technology does not look at any content our customers are sending or receiving, rather it prevents our customer's computers from being controlled by Command and Control servers. The malware suppression service being deployed on the Telstra BigPond Network works on DNS queries only going to verified Command and Control servers."

Which is likely to be all very well and good, until some poor sap finds their IP address lives on a server also occupied by a C&C server. Such a scenario is not beyond the realms of possibility: in may 2013 Australia's de facto internet filter blocked access to hundreds of sites when the intention was to block just one. Telstra must be hoping its un-named source of C&C systems doesn't make the same mistake. ®

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.