Kindsight Security Analytics Case Study
The recent takedown of the DNSChanger botnet has left many Internet service providers in a bit of a conundrum since Internet access for the infected computers will be disrupted when the rogue DNS servers are decommissioned. Millions of angry users will be calling the help desk to ask what went wrong with their Internet connection.
While service providers are struggling to identify and notify infected users before the plug is pulled, the Kindsight Security Analytics platform provides exactly what they need to detect which users are infected, notify users of the problem and help them get their computers back on line.
Background
On Nov 9th 2011, the FBI, Estonian authorities and Trend Micro announced the takedown of the DNSChanger botnet. The botnet consisted of over four million infected computers worldwide, with half a million in North America alone, and generated over $14 million in fraudulent Internet advertising revenue over the past 5 years.
Over the five years that DNSChanger has been in operation, a variety of malware has been used to get control of the victims' computers and modify their domain name system (DNS) lookup configuration. Regardless of the source of the initial infection, the net result is the same: the default domain name servers in the computer's configuration are changed to point to DNS servers owned and operated by the cybercriminals, so every name lookup the computer makes is answered by the attackers' resolvers.
Problem
The problem is not remediated by simply removing the malware. The infected computers must also be reconfigured to use the DNS services provided by their service providers. The FBI has released instructions on how to determine if a computer is infected, which can be found here, but it offers little advice on what to do about it, so the service providers are faced with the problem of determining which users are infected, notifying them and providing assistance in fixing the problem.
Solution
Kindsight Security Analytics allows the service provider to pinpoint the subscribers that are infected and help them to fix these types of problems. By proactively solving these issues, service providers can reduce any churn related to DNSChanger type issues now and in the future.
With Kindsight Security Analytics, the service provider would be able to detect DNSChanger infections on home computers from their network traffic and map each infection to the subscriber's account (not just an IP address, which on a residential network may change hands between subscribers). The service provider could then notify the infected users by e-mail or other means and direct them to a self-service web portal that assists the user in resolving the issue.
While the Kindsight Security Analytics platform is certainly of value in allowing service providers to handle one-off cases like DNSChanger, it is even more valuable when applied to the ongoing problem of malware infection in general.
Read the Case Study about Reducing Churn with Kindsight Security Analytics.
