DNSChanger IP address standoff a legal lesson for botnet fighters

The response to the DNSChanger malware achieved unprecedented cooperation across the globe, but an ongoing scuffle over takedown procedures highlights challenges for future coordinated US-European takedowns.

This week European IP address registry RIPE NCC reallocated two IP address blocks previously used by Rove Digital, the Estonian company charged with operating a large click fraud operation associated with the DNSChanger malware.

The Netherlands-based registry last November “locked” four IP address blocks to prevent registration details being altered and meet an order by the Dutch Public Prosecution at the behest of the FBI, which was running “Operation GhostClick”.

RIPE this January opted to “unlock” those blocks and last week reallocated them, surprising some in the DNSChanger Working Group (DCWG), which spearheaded the global DNSChanger cleanup.

“Once [RIPE NCC] had locked the blocks we figured they would sit on them. That was the assumption,” Barry Greene, a contributor to DCWG and the former president and CEO of the Internet Systems Consortium (ISC), told CSO.com.au.

“There’s a lot of irritated people right now,” he said, including in law enforcement, security researchers and the internet industry.

For a year until July 9, ISC was responsible for the replacement DNS servers answering at addresses within those IP blocks, so that DNSChanger victims, whose resolver settings still pointed at the rogue addresses, could continue connecting to the internet.

Greene said there is a risk the reallocated IP address blocks could be used by their owners to hijack the computers of DNSChanger victims, but noted that in practice this is unlikely since they’re filtered by nearly all major service providers.
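The residual risk Greene describes is a host whose resolver settings still point into the formerly rogue blocks. The following check is an added example written for this page, not code from the article, ISC or the DCWG: it parses a resolv.conf-style file and flags any nameserver that falls inside a watch list of prefixes. The article names no address blocks, so the prefixes and the sample file below are constructed placeholders (RFC 5737 documentation ranges) and must be replaced with the real prefixes from an authoritative source before use.

```python
import ipaddress
import re

# Placeholder watch list: RFC 5737 documentation ranges standing in for the
# blocks discussed in the article, which it does not enumerate.
PLACEHOLDER_WATCH_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Constructed sample resolver configuration for this example.
SAMPLE_RESOLV_CONF = """\
# constructed sample, not a real host's file
nameserver 198.51.100.7
nameserver 1.1.1.1
search example.test
options timeout:2
"""

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)")


def parse_resolvers(resolv_conf_text):
    """Return the nameserver addresses listed in resolv.conf-style text, in order."""
    resolvers = []
    for line in resolv_conf_text.splitlines():
        match = NAMESERVER_RE.match(line)
        if match:
            resolvers.append(match.group(1))
    return resolvers


def flag_rogue_resolvers(resolvers, watch_ranges=PLACEHOLDER_WATCH_RANGES):
    """Return (resolver, prefix) pairs for resolvers inside any watched prefix.

    Entries that are not valid IP addresses are skipped rather than raising,
    so a malformed line in the configuration cannot abort the whole check.
    """
    hits = []
    for resolver in resolvers:
        try:
            addr = ipaddress.ip_address(resolver)
        except ValueError:
            continue
        for net in watch_ranges:
            if addr.version == net.version and addr in net:
                hits.append((resolver, str(net)))
    return hits


def check_resolv_conf(path="/etc/resolv.conf"):
    """Read a resolver configuration from disk and report any watched hits."""
    with open(path, encoding="utf-8") as fh:
        return flag_rogue_resolvers(parse_resolvers(fh.read()))


if __name__ == "__main__":
    # Run against the constructed sample so the example works offline.
    for resolver, prefix in flag_rogue_resolvers(parse_resolvers(SAMPLE_RESOLV_CONF)):
        print(f"resolver {resolver} falls inside watched prefix {prefix}")
```

On a fleet, the same function can be run over each host's exported resolver list; a hit means the host still depends on an address whose owner has changed, which is exactly the condition ISP-level filtering is meant to neutralise.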

The bigger threat he sees is to other groups working on disrupting malware with a much larger cost to society, such as Zeus.

“My concern is how other working groups I’m not a part of [will be affected] -- and there’s a lot of them out there who are working on cyber criminal operations that have a bigger economic impact against society,” Greene told CSO.com.au.

RIPE NCC is heading to court in November to clarify whether it needs to comply with the type of order it initially faced. Pending the outcome, the next group that wants to achieve a similar result may need to request a tougher order from Dutch authorities to confiscate relevant blocks.

“That’s going to be controversial when someone goes through with the Dutch authorities and sets up a confiscation order,” said Greene, noting that it was one option the FBI chose not to pursue this time.
