Independent Georgia Tech Study Reveals Best Ways to Tell Customers "You're Botted"

Wed Feb 20, 2013 11:30am EST


SAN FRANCISCO, CA, Feb 20 (Marketwire) -- A bot believed to have netted
$14 million in illicit profits has been
turned into a golden learning opportunity, yielding important insights
into how the online community can best alert and assist customers with
infected systems. Georgia Tech researchers on Tuesday announced the
results of a study based on the industry's response to the DNS Changer
Trojan and shared recommendations to help curb future malware outbreaks
at a presentation during the M3AAWG 27th General Meeting in San Francisco.

    The DNS Changer Remediation Study identified phone calls, billing notices
and redirecting users to customized Web pages as among the most effective
methods to notify customers that their systems were infected. Researchers
Wei Meng and Ruian Duan, working under the supervision of Georgia Tech
School of Computer Science Professor Wenke Lee, also found that "active"
social media warnings were useful for enabling remediation. With this
approach, sites such as Google directly informed users they were infected
through their browser windows, a tactic that proved to be more effective
in motivating users to disinfect their systems than passive warnings
issued in general posts or news articles on social media platforms.

    "Social media can have an important role to play in alerting users to
infections in their systems and in stemming malware outbreaks. We believe
in the importance of implementing active, direct notifications earlier in
the process," Lee said.

    The researchers looked at both the various types of end-user alerts and
network operators' efforts to help customers disinfect their systems,
including using walled gardens, DNS redirection, anti-virus software and
malware removal tools. Part of the challenge facing the industry from
bots is determining how to notify users their systems have been
compromised in a timely and credible manner, then assisting non-technical
customers in remediating those machines, according to M3AAWG Co-Chairman
Michael O'Reirdan.

    O'Reirdan said, "The industry's response to the DNS Changer malware
clearly showed how well competitors and vendors can work together when
users' safety is on the line. It also was an extraordinary opportunity to
objectively study the different approaches companies have developed to
assist customers and to understand the important role each of us plays in
safeguarding the online experience. The active involvement of
anti-malware and security tool vendors, social media platforms, law
enforcement, operating system vendors and home networking technology
vendors has been shown to be crucial. In the end, it takes the entire
Internet ecosystem working together to protect end-users."

    The data used in the study to determine infection and cleanup rates was
provided anonymously from major ISPs around the world through the DNS
Changer Working Group (DCWG) to the research team at the Georgia Tech
Information Security Center (GTISC). To identify the different types of
notification and mediation techniques used, the researchers sent
questionnaires asking network operators how they had alerted customers
who were infected with the DNS Changer malware and the specifics around
the remediation efforts employed by each ISP to assist customers in
cleaning their machines. An ISP that did not take any action in response
to the malware became the baseline for measuring the effectiveness of the
other approaches, according to Lee.

    From 2007 to 2011, the DNS Changer Trojan hijacked Internet searches and
re-routed the Web browsers of infected computers to fraudulent sites
using the rogue DNS servers operated by the Rove Digital advertising
network. However, if the rogue DNS servers had been turned off when the
allegedly responsible Estonians were arrested, infected end-users would
not have been able to reach the Web. The DCWG was a group formed to
assist law enforcement in dealing with the potential end-user issues
arising from the law enforcement action. The DCWG also helped operate and
monitor the "clean" DNS servers that were operated legally by the
Internet Systems Consortium (ISC) under a U.S. court order from November
2011 to July 2012. As a result, instead of suddenly losing access to the
Internet, millions of users were notified they were infected and needed
to clean up their machines.

    The complete DNS Changer Remediation Study is available on the M3AAWG
website at

    About the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG)

    The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) is
where the industry comes together to work against bots, malware, spam,
viruses, denial-of-service attacks and other online exploitation. M3AAWG
represents more than one billion mailboxes from some of
the largest network operators worldwide. It leverages the depth and
experience of its global membership to tackle abuse on existing networks
and new emerging services through technology, collaboration and public
policy. It also works to educate global policy makers on the technical
and operational issues related to online abuse and messaging.
Headquartered in San Francisco, Calif., M3AAWG is driven by market needs
and supported by major network operators and messaging providers.

    M3AAWG Board of Directors: AT&T (NYSE: T); Cloudmark, Inc.; Comcast
(NASDAQ: CMCSA); Constant Contact (NASDAQ: CTCT); Cox Communications;
Damballa, Inc.; Eloqua; Facebook; France Telecom (NYSE and Euronext:
FTE); Google; PayPal; Return Path; Symantec; Time Warner Cable; Verizon
Communications; and Yahoo! Inc.

    M3AAWG Full Members: 1&1 Internet AG; Adaptive Mobile Security LTD; Adobe
Systems Inc.; AOL; BAE Systems Detica; Cisco Systems, Inc.; Dynamic
Network Services Inc.; Email Sender and Provider Coalition; Genius;
iContact; Internet Initiative Japan (IIJ NASDAQ: IIJI); Mailchimp; McAfee
Inc.; Message Systems; Mimecast; Nominum, Inc.; Proofpoint; Scality;
Spamhaus; Sprint; and Twitter.

    A complete member list is available at 


Media Contact:
Linda Marcus, APR
1+949-887-8887 (mobile-U.S. Pacific)
Astra Communications

Copyright 2013, Marketwire, All rights reserved.