Security IT

Disconnection of Millions of DNSChanger-Infected PCs Delayed

tsu doh nimh writes "Millions of computers infected with the stealthy and tenacious DNSChanger Trojan may be spared a planned disconnection from the Internet early next month if a New York court approves a new request by the U.S. government. Meanwhile, six men accused of managing and profiting from the huge collection of hacked PCs are expected to soon be extradited from their native Estonia to face charges in the United States."

  • Let it happen (Score:5, Interesting)

    by jdastrup ( 1075795 ) on Wednesday February 22, 2012 @04:57PM (#39129689)
    Allowing the infected computers to fail is probably best. They'll stop working, then get replaced or cleaned up. How is that bad?
  • Very odd details (Score:3, Interesting)

    by bigbangnet ( 1108411 ) on Wednesday February 22, 2012 @05:02PM (#39129737)
    This is a very odd story. Why would the FBI request to change DNS for millions of PCs when all they have to do is switch the DNS server off? But no, they decided to get a court order allowing them to replace the rogue DNS servers with legitimate stand-ins so that all the infected computers wouldn't get cut off without warning, giving them time to get the word out.

    Btw, you can read this guide to check your DNS.

    http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf

  • Re:Let it happen (Score:5, Interesting)

    by vlm ( 69642 ) on Wednesday February 22, 2012 @05:18PM (#39129919)

    Allowing the infected computers to fail is probably best. They'll stop working, then get replaced or cleaned up. How is that bad?

    Maybe the US govt doesn't want them to be cleaned up because the US govt is involved in them, somehow.

    Note I'm not completely tinfoil hat here. I'm not suggesting that the govt wrote the virus or infected the computers. I'm merely suggesting this MIGHT be something like the syphilis experiments done on minorities decades ago... leave them infected, watch carefully, see what happens... Obviously a packet sniffer on the incoming DNS traffic tells you how many there are, you can generate all kinds of interesting graphs and studies and reports... You also have at least one pretty strong data point on security update habits, because they were not updated when infected. I would imagine some interesting data is being generated that would be eliminated if the "experiment" were terminated early.

  • by rwhamann ( 598229 ) on Wednesday February 22, 2012 @05:41PM (#39130155)
    Why not use the dummy DNS servers to redirect users still attached to them to an informational website that tells them how to unfuck themselves? Make it a clearly labelled site with a very simple, obviously .gov URL so people trust it? If my ISP can pop up a frame telling me I'm approaching the bandwidth cap, why can't the FBI?
  • Re:Let it happen (Score:2, Interesting)

    by Anonymous Coward on Wednesday February 22, 2012 @05:45PM (#39130197)

    As someone working for an ISP who has been trying to get these people to clean their PCs, if 500,000 are cut off from the Internet, that is 500,000 calls to their ISP to "fix" it. That's somewhere between $1,000,000 - $1,500,000 in support calls.

  • Re:Let it happen (Score:4, Interesting)

    by rtb61 ( 674572 ) on Wednesday February 22, 2012 @08:20PM (#39131771) Homepage

    In this case the solution is simple. Consider the trojaned computers as out of control devices to be used to aid criminal activities. Present the information to the court, with plenty of public notice and seek a warrant to digitally enter those computers, remove the offending software, conduct a minimal repair to lock out the trojan and leave a blatant on boot up notification of what has happened and what they need to do to prevent it happening again. Ensure the notification is easily removable.

    Just like anything else left out of control, the police are entitled to enter and seek to deactivate the out of control entity. The same in this case. Don't shut down the computers, fix them and notify the owners of the fix and provide a warning, "Next time it will be assumed that you are a knowing part of the bot-net and you and your infrastructure will be raided and you will be required to provide proof that you did not willingly participate in this activity or face a fine".
