
Disconnection of Millions of DNSChanger-Infected PCs Delayed

Posted by samzenpus
from the not-just-yet dept.
tsu doh nimh writes "Millions of computers infected with the stealthy and tenacious DNSChanger Trojan may be spared a planned disconnection from the Internet early next month if a New York court approves a new request by the U.S. government. Meanwhile, six men accused of managing and profiting from the huge collection of hacked PCs are expected to soon be extradited from their native Estonia to face charges in the United States."

  • Meh (Score:2, Funny)

    by Anonymous Coward

    I really don't see the big deal, I mean I

    • I really don't see the big deal, I mean I

      A part of me misses the days of the #*&^a No carrier.

  • Let it happen (Score:5, Interesting)

    by jdastrup (1075795) on Wednesday February 22, 2012 @04:57PM (#39129689)
    Allowing the infected computers to fail is probably best. They'll stop working, then get replaced or cleaned up. How is that bad?
    • Re:Let it happen (Score:4, Insightful)

      by Anonymous Coward on Wednesday February 22, 2012 @05:00PM (#39129717)

      Why would we want infected computers to exist on the Internet anyway? The excuse that they create jobs, in cleaning them up, is not a strong one, since by that same logic you could also make work by smashing them.

      If they could be disconnected in stages, so centralized support outlets are not overwhelmed, that might be a more graceful letdown for the infected owners.

      • Re:Let it happen (Score:5, Insightful)

        by na1led (1030470) on Wednesday February 22, 2012 @05:07PM (#39129795)
        It's a good test to see how secure your systems really are. If your PCs are infected, then it's time to recheck your security.
        • by Anonymous Coward

          I am behind this 100%.

          Pull the plug and replace all the computers that stop working. All of these machines could have other security holes. Because the DNS is still working, many people may not know they were infected.

          The only other thing I may suggest is to redirect all DNS queries to a page that says:

          The US government has identified this computer as a security risk. We recommend that you rebuild this computer. You are seeing this message because we shut down the group controlling your computer.

          • The US government has identified this computer as a security risk. We recommend that you rebuild this computer. You are seeing this message because we shut down the group controlling your computer.

            Most people wouldn't believe it. They'd call Microsoft and when they find it still exists, they'd say the message was a lie - since most people think Microsoft controls their computer and the Internet.

            LOL.

      • Re:Let it happen (Score:4, Informative)

        by garyebickford (222422) on Wednesday February 22, 2012 @09:49PM (#39132411)

        The excuse that they create jobs, in cleaning them up, is not a strong one, since by that same logic you could also make work by smashing them.

        Yes, this is the Broken Window Fallacy [wikipedia.org].
        To quote:

        The parable, also known as the broken window fallacy or glazier's fallacy, demonstrates how opportunity costs, as well as the law of unintended consequences, affect economic activity in ways that are "unseen" or ignored.

    • Re:Let it happen (Score:5, Interesting)

      by vlm (69642) on Wednesday February 22, 2012 @05:18PM (#39129919)

      Allowing the infected computers to fail is probably best. They'll stop working, then get replaced or cleaned up. How is that bad?

      Maybe the US govt doesn't want them to be cleaned up because the us govt is involved in them, somehow.

      Note I'm not completely tinfoil hat here. I'm not suggesting that the govt wrote the virus or infected the computers. I'm merely suggesting this MIGHT be something like the syphilis experiments done on minorities decades ago... leave them infected, watch carefully, see what happens... Obviously a packet sniffer on the incoming DNS traffic tells you how many there are, you can generate all kinds of interesting graphs and studies and reports... You also have at least one pretty strong data point on security update habits, because they were not updated when infected. I would imagine some interesting data is being generated that would be eliminated if the "experiment" were terminated early.

    • Re:Let it happen (Score:4, Informative)

      by jbov (2202938) on Wednesday February 22, 2012 @05:28PM (#39130009)

      If the two items in bold below were not true, then they would shut down the DNS servers immediately.

      FTFA:

      Earlier this month [...] The company said more than 3 million systems worldwide — 500,000 in the United States — remain infected with the Trojan, and that at least one instance of the Trojan was still running on computers at 50 percent of Fortune 500 firms and half of all U.S. government agencies.

      Gotta keep everything running for the good ol' boys.

      • If the two items in bold below were not true, then they would shut down the DNS servers immediately.

        FTFA:

        Earlier this month [...] The company said more than 3 million systems worldwide — 500,000 in the United States — remain infected with the Trojan, and that at least one instance of the Trojan was still running on computers at 50 percent of Fortune 500 firms and half of all U.S. government agencies.

        Gotta keep everything running for the good ol' boys.

        Sounds like a good reason to hack those DNS servers and remove the hacked computers from the network ourselves, doesn't it? Two birds with one stone...

    • by tiberus (258517)
      I can sort of see some merit (from a it's gonna cost me money perspective) to let companies and the government have a brief period, like a month not months, to do some clean up. There are a lot of factors to consider; e.g. it would be devastating to a company to suddenly lose 1/2 of their systems (I think we'd call that a disaster recovery scenario). Giving them an extension seems a bit silly though.
      • by vlm (69642)

        Hooray for /. binary thinking.

        You don't "leave it on forever"/"shut it down forever". You turn it off from 0900 to 0901 today. Then 0900 to 0902 tomorrow. Then 0900 to 0903 the next day. Worst case scenario this BS is over in a mere 1440 days or about 4 years. Some people might freak out and fix it the first day, some people might not notice for a couple months, but eventually they'll all deal with it in their own way.

        • What if it's Air Traffic Control?

          Lots of planes could crash in a minute.

          • by izomiac (815208)
            If such critical systems are compromised then it's better for them to go down randomly for a short time for reasons easy to identify than to let them continue running and likely be shut down (or tampered with) maliciously at the worst possible time.
          • by Anonymous Coward

            Why the hell would mission critical ATC computers be connected to the internet in the first place? So they can play Warcraft between take-offs and landings?

            • Re: (Score:2, Funny)

              by Anonymous Coward

              "Science isn't about why, it's about why not. You ask: why is so much of our science dangerous? I say: why not marry safe science if you love it so much. In fact, why not invent a special safety door that won't hit you in the butt on the way out, because you are fired." -Cave Johnson

        • by dissy (172727)

          Meh, they might as well just shut the DNS servers down fully.

          The type of people who run their computers this way (always infected, never updated, no AV) are used to their computer just up and stopping working all the time.

          They will simply go out and purchase a new one to replace the old 'broken' one, which will end up in the trash - and at the very least off the Internet.
          Best case they give it away to their "computer guy" buddy, who will wipe it and have a free computer. It's a win-win!

          • It is good for the economy too. Lots of people running out to buy new computers. Or at least running out to their local computer shop to get things fixed.
        • Re:Let it happen (Score:4, Interesting)

          by rtb61 (674572) on Wednesday February 22, 2012 @08:20PM (#39131771) Homepage

          In this case the solution is simple. Consider the trojaned computers as out-of-control devices being used to aid criminal activities. Present the information to the court, with plenty of public notice, and seek a warrant to digitally enter those computers, remove the offending software, conduct a minimal repair to lock out the trojan and leave a blatant boot-up notification of what has happened and what they need to do to prevent it happening again. Ensure the notification is easily removable.

          Just like anything else left out of control, the police are entitled to enter and seek to deactivate the out-of-control entity. The same in this case. Don't shut down the computers; fix them, notify the owners of the fix and provide a warning: "Next time it will be assumed that you are a knowing part of the bot-net and you and your infrastructure will be raided and you will be required to provide proof that you did not willingly participate in this activity or face a fine".

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      As someone working for an ISP who has been trying to get these people to clean their PCs, if 500,000 are cut off from the Internet, that is 500,000 calls to their ISP to "fix" it. That's somewhere between $1,000,000 - $1,500,000 in support calls.

      • As someone working for an ISP who has been trying to get these people to clean their PCs, if 500,000 are cut off from the Internet, that is 500,000 calls to their ISP to "fix" it. That's somewhere between $1,000,000 - $1,500,000 in support calls.

        I agree with this statement. I have been involved in this effort as well. There are two user demographics here: Business; and Consumer. In the consumer space, ISPs have been contacting their infected customers for two months now. I'm told customer remediation rates following notification are hovering around 15% across the Tier 1 and Tier 2 ISPs. So customers are notified, directed to a web portal containing additional information and links to the removal tool, and still only 15% are completing the task. If

    • Please, yes. These infected morons are tomorrow's clients and damn I need the cash!

  • Very odd details (Score:3, Interesting)

    by bigbangnet (1108411) on Wednesday February 22, 2012 @05:02PM (#39129737)
    This is a very odd story. Why would the FBI request to change DNS for millions of PCs when all they have to do is switch the DNS server off? But no, they decided to get a court order allowing them to replace the rogue DNS servers with legitimate stand-ins so that all the infected computers wouldn't get cut off without warning, giving them time to get the word out.

    btw, you can read this guide to check your dns.

    http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf

    • I notice there's no directions for those running Linux...
      • by X0563511 (793323)

        Kind of hard for a Linux machine to get infected with a Windows trojan. Even if it managed (through Wine) the trojan changes network settings - something totally incompatible between them (so the Wine API would fail, there).

        I'm sure there ARE infections that could do the job, but they are not this one.

        • Well, it mentioned OS X instructions so I didn't know what to think. Upon looking at it a second time around, I see the instructions offhandedly mention affecting SOHO routers, so maybe that's why the Apple instructions are there, but if that's the case, I think my previous observation still stands.
    • by Zocalo (252965)
      They've been trying to get the word out. OK, that word has looked very much like a phish, but it has gone out. The issue has also been discussed in many of the kind of places where people in a position to do something about the problem hang out such as Ars, NANOG, Slashdot, and so on. At this point, if a PC has not been reconfigured then I'd say that the chances are that it won't be until it gets replaced or rebuilt, so there are three options:
      1. Pull the plug, cutting off those who are infected. My pre
      • by vlm (69642)

        Option 4 which I guess outs me as a NANOG reader type of guy, is for an ISP or large corporation to BGP advertise the DNS servers specific netblocks as themselves (obviously route filter not to send to their upstreams or they'll get really pissed off) and run their own servers and then implement whatever they want whenever they want.

        I don't do the windoze thing either at home or work, so I've been sorta ignoring this, but I think I read it was only 4 little /24s that need to get this treatment.

        If you don't

    • by AK Marc (707885)
      And a technically incompetent "solution" that causes all people with any knowledge to question the motives. If they wanted to "get the word out" they could replace the DNS server with one of their own that only served an IP that was for a warning page for all queries. Everything the person tried to go to would be an 800 number for technical support and a description of the problem and reason they are getting that page. And yes, I get the irony of a government page interrupting browsing with a "you are in
    • by eulernet (1132389) on Wednesday February 22, 2012 @06:28PM (#39130657)

      Wow, it seems that I'm infected: I get a weird page for http://megaupload.com/ [megaupload.com] !

  • Does the problem apply to Mac OS or Linux? Please be specific.
  • Another example of how the US government is trying to shield people from the consequences of their actions.

    • by c0lo (1497653)

      Another example of how the US government is trying to shield people from the consequences of their actions.

      Not only that, but... ;) I wonder just where the world is heading? How can an honest cybercriminal earn her/his living nowadays without fear of being extradited to the US? ;)

    • by sorak (246725)

      Another example of how the US government is trying to shield people from the consequences of their actions.

      Is it that, or is it the government trying to shield people from the consequences of other people's actions?

  • Maybe they're trying to eliminate terrified support calls "help help help some virus called DHCP is changing my dns servers just like the one I read about on the news help help help"

  • by rwhamann (598229) on Wednesday February 22, 2012 @05:41PM (#39130155)
    Why not use the dummy DNS servers to redirect users still attached to them to an informational website that tells them how to unfuck themselves? Make it a clearly labelled site with a very simple, obviously .gov URL so people trust it? If my ISP can pop up a frame telling me I'm approaching the bandwidth cap, why can't the FBI?
    • by vlm (69642)

      90% of the idiotic masses are going to call their ISP and scream at some poor script reader in India who probably knows nothing about this.
      9% of the idiotic masses are going to call a Fox News call-in program and explain how it's an Indonesian commie plot to eliminate Christianity from America, or some NPR radio show and ramble on about how weed legalization would have prevented this in the first place and it's all Bush's fault anyway.
      1% of the idiotic masses are going to call 911 and they are gonna be pissed off

      • by CanHasDIY (1672858) on Wednesday February 22, 2012 @06:06PM (#39130411) Homepage Journal
        Don't forget the .000001% who will flame the rest of society in online forums for not being as omniscient and infallible as they believe themselves to be.
      • by NoKaOi (1415755)

        90% of the idiotic masses are going to call their ISP and scream at some poor script reader in India who probably knows nothing about this.

        Vs. 99% who would call their ISP if they were suddenly unable to reach Google and Facebook? Seems like a redirect with instructions on what to do about it would generate fewer calls than disconnecting, and any ISP with even the tiniest bit of competence should update their Indian scripts so the Indians can tell the customers what to do.

        Also, as far as your 90% goes, shouldn't you be happy if people are cautious and aware enough to be concerned that what they are reading might be a scam and not blindly c

      • by Lifyre (960576)

        It's not just some NPR radio show... I believe they call it "Talk of the Nation"...

    • by eyenot (102141)

      Wow, wtf, for real, why doesn't the U.S. *GOVERNMENT*, of all fucking people, places, or things, have a ready supply of information about how to fucking use your computer the real way?

      I like your frame of mind. Until there's a page JUST like what you're describing, my opinion of U.S. government employees and officials as just being undereducated slackers who get elected largely because they felt like running for office and knew how to lie and/or look really pretty... now I'm going to see them (and mention t

  • To me, the real story is that the people behind this botnet are getting extradited and, (knock wood), will do jail time in the US. This news made my day. I know this is slashdot, but malware is not going to be fought through any technical solution. Until this kind of activity carries personal risk, the bad guys are going to win.

    Nice to actually feel good about my government, at least for a few minutes.
    • by NoKaOi (1415755) on Wednesday February 22, 2012 @06:09PM (#39130441)

      To me, the real story is that the people behind this botnet are getting extradited and, (knock wood), will do jail time in the US.

      While I would be happy for the creators to rot in prison, this is also scary. Why should they be extradited to the US? /. commenters get outraged at mention of the megaupload folks being extradited simply because they disagree with the laws that were allegedly violated. It was the same excuse that it related to machines in the US. What makes the US so friggin' special for them to be extradited? Is what they did not illegal in Estonia? If not, then should they be prosecuted for actions they took while in a country where it wasn't illegal? If so, then why aren't they being prosecuted in Estonia, where they actually were when they did illegal stuff? If we're in one country doing business with another country over the Internet, or doing something on servers in another country, which country's laws should apply? Which country should get to prosecute?

      Meanwhile...I still get a dozen 419 scam emails for every craigslist ad I post. While everyone reading this probably thinks that only an idiot would fall for them, there are clearly people who do. Just because somebody isn't computer literate doesn't make them an idiot, there are real people losing real money, and yet the scammers aren't prosecuted because they're "over there" even though they're scraping craigslist's US based servers, sending email to servers and people in the US, receiving money fraudulently through Western Union, a US based company, from the US.

      What kind of precedent do we want? Can we at least be consistent?

      • Re: (Score:3, Insightful)

        by couchslug (175151)

        "Why should they be extradited to the US?"

        Because they damaged US computer systems on US soil.

        • by CRC'99 (96526)

          Because they damaged US computer systems on US soil.

          Awesome. Does that mean other countries can extradite US politicians and business men for screwing over companies and in some cases entire countries?

          Oh right, what was I thinking... :\

        • by kiwix (1810960)

          So after they do their time in the US they're going to be judged in each country where a machine was infected? That's fucking scary!

          And if I have a website explaining people how to use TOR, and it turns out that explaining this is illegal in China or in North Korea, will I be extradited to those countries?

      • The individuals in question allegedly damaged networks located on United States soil, and we happen to have an extradition treaty in place with Estonia. Wikipedia lists the following references to US/EST treaties:

        • 43 Stat. 1849; TS 703; 7 Bevans 602; 43 LNTS 277
        • 49 Stat. 3190; TS 888; 7 Bevans 645; 159 LNTS 149

        Some nations do not have extradition treaties with certain other nations, but this generally makes it rather more difficult for them to get their hands on accused criminals operating from and/or fleei

      • by cdrguru (88047)

        Is what they did not illegal in Estonia?

        No, it probably is not illegal. Let's see, what country has the most Windows machines? Probably the US is #1 there. So anything that negatively affects Windows machines will have a predominately bad effect on US computer users.

        I wouldn't be surprised if there is a specific (unwritten) law in Estonia that says "If you screw with Americans, hat's off to ya." There certainly is such a law in Romania and Bulgaria.

        It may also be the case that in Estonia anything that is done "online" gets a free pass becaus

  • Shut the surrogate control servers down. The main reason people don't take security seriously is there's never any real costs associated with not taking it seriously. Most of the users of the infected machines probably are thinking "Why should I worry about this? My machine's working just fine.". Well, when the control servers shut down and the infected machines can't access the network at all, the users won't be able to keep ignoring the problem. And maybe, just maybe, having to pay the price for complacen

  • by Anonymous Coward

    What the fuck, another extradition to the US. I wonder if the US would extradite its citizens to Estonia if the Estonian government asked for it.

  • FTA linked

    "The government argued that the arrangement would give ISPs and companies time to identify and scrub infected PCs, systems that would otherwise be disconnected from the Internet if the control servers were shut down"

    The quickest way to indemnify them is to have them removed from the internet.

    computer user: "hey why is this computer not connecting to the internet"
    another computer user: "dont know, guess we better get someone that knows something"
    someone that knows something: "so this is why...and t

    • by billcopc (196330)

      It seems you've missed the part where they mention infected Fortune 500 and government machines. If all the infectees were average joes like you and me, they would eagerly pull the plug. But big business and their sock-puppet the "government" are special, they must be protected from the shame of having their noses rubbed in their own steaming shit. They can never be called on their mistakes, because you don't want to piss off all those twitchy lobbyists and their dirty money.

    • by jonwil (467024)

      I suspect the reason for the delay request is that some of the computers that remain infected are computers that are important, i.e. if those computers stopped working or stopped being able to connect to the internet, companies would lose money or worse.

  • "Not some mystery benefactor, singular. That would raise too many questions. However... stay with me here... Zombies. I got a guy who knows this guy who knows this Rain Man-type. He lives with his mother in her basement in Belarus. So good luck extraditing his fat Russian ass. Wait. He's a hacker-cracker extraordinaire. This guy can hijack random desktops all around the world, turn 'em into zombies that do his bidding. For instance, he can make it so, 20 or 30,000 little donations come in from all over the

  • The only users who should be affected are home users, and it's not going to harm the economy any if John and Sally can't get to Facebook until they pay their local Nerd Herd agent $60 to fix their PC. Hell, it might help the economy because it's going to spur some activity, and result in those machines getting cleaned and patched, which will in turn prevent future frauds and botnets.

    As to the F500s, and even the smaller shops down to a hundred or so head count, this should be a non-issue. First they prob

  • From what I've read this doesn't sound any more stealthy or tenacious than any other modern trojans. If you're running up-to-date AV like you should, then you should already know you have an infected computer (and be doing something about it). I don't see why anything out of the ordinary needs to be done. Just shut down the rogue servers. If people didn't know they had a problem before, they will then. How would this be any different from a virus that simply disables your internet connection? I see complain
    • by Skapare (16644)

      Serving valid DNS data to allow access to sites like virus checkers/removers, and the OS providers (I have a very good idea which one that is), makes it easier for home and small business users to get their computers cleaned up. However, they SHOULD make OTHER sites just go to a page that tells them their computer is infected with a virus that interferes with the computer's ability to locate web sites on the internet. It will be a LONG time getting them all cleaned up otherwise.
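Several comments above propose the same walled-garden idea: keep resolving the handful of names people need for clean-up (OS and AV vendor sites), and answer every other lookup with the address of a notification page. The following is an added example, not code from the article or from any commenter; the warning-page address, the allowlist and the offline stand-in for an upstream resolver are all constructed values.

```python
import struct
from ipaddress import IPv4Address

# Constructed policy values (not from the article): documentation-range IPs.
WARNING_PAGE_IP = "192.0.2.10"
ALLOWLIST = ("update.example", "av-vendor.example")
# Stand-in for an upstream resolver so the example runs offline; a real
# deployment would forward allowlisted queries to a recursive resolver.
UPSTREAM_TABLE = {"update.example": "198.51.100.5",
                  "www.av-vendor.example": "203.0.113.7"}


def parse_question(packet: bytes):
    """Return (txid, qname, qtype, raw question section) from a DNS query."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1 or flags & 0x8000:      # only plain queries with one question
        raise ValueError("unsupported query")
    labels, pos = [], 12                     # question section starts after the 12-byte header
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:                    # compression pointers are not valid in a question
            raise ValueError("bad qname")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels).lower(), qtype, packet[12:pos + 4]


def resolve_policy(qname: str) -> str:
    """Walled-garden decision: allowlisted names (and their subdomains) resolve
    normally; everything else is pointed at the notification page."""
    if qname in ALLOWLIST or qname.endswith(tuple("." + a for a in ALLOWLIST)):
        # Allowlisted names missing from the stand-in table also fall back to the page.
        return UPSTREAM_TABLE.get(qname, WARNING_PAGE_IP)
    return WARNING_PAGE_IP


def build_response(packet: bytes) -> bytes:
    """Answer an A query per the policy; other record types get an empty NOERROR."""
    txid, qname, qtype, question = parse_question(packet)
    ancount = 1 if qtype == 1 else 0
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, ancount, 0, 0)  # QR, RD, RA set
    if qtype != 1:
        return header + question
    ip = resolve_policy(qname)
    # Name as a compression pointer to offset 12, type A, class IN, TTL 60, 4-byte rdata
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + IPv4Address(ip).packed
    return header + question + answer


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Constructed sample input: a standard recursion-desired query for `name`."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def answered_ip(name: str) -> str:
    """Round trip: build a query, answer it, decode the A record that came back."""
    resp = build_response(build_query(0x1234, name))
    return str(IPv4Address(resp[-4:]))


if __name__ == "__main__":
    for n in ("www.facebook.com", "update.example", "www.av-vendor.example"):
        print(n, "->", answered_ip(n))
```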

  • ... is track down the owners of these computers and charge them ALL with the misdemeanor aiding and abetting cybercrimes. Let's put the blame where it belongs ... on dumb people who allow their computers to be infected. In this case, since there was no damage by these owners to others, it can be a misdemeanor. But if it did involve damage to others, then it should be a felony charge.

  • They cannot stop the servers, because then half of government machines will stop working too...
  • The really scary news is the fact these guys are getting extradited.

    It's not that they don't deserve great eternal suffering, it's just that this is getting out of control.

    Genuine question - when was the last time the US extradited one of its own citizens?

    Would the US extradite a person who killed 24 civilians? If not, why (besides blackmail/threats from the US govt) are people supposed to extradite people to the US? Will we have the US requesting extradition for someone talking bad about their president (sorry - CEO), in 5 y
