Taking Down DNSChanger: A First Person Account
penciling_in writes "Paul Vixie shares his personal account of the DNSChanger takedown operation, working with the FBI and a worldwide team. He also explains the delay issues in identifying and notifying victims, which resulted in the FBI asking the judge for an extension. They were given four more months. 'On July 9 2012 the replacement DNS servers operated by ISC will be shut down and any victims who still depend on these servers will face new risks,' he warns. A half-dozen national Internet security teams around the world have created special websites that will display a warning message to potential victims of the DNS Changer infection. The full list of these 'DNS Checking' websites is published by the DNS Changer Working Group."
dcwg.org (Score:3)
Probably the most interesting side of the "just another Windows virus" story for non-Windows users is that 4-letter-acronym domains are available.
I heard all the TLAs have been domain squatted since the mid 90s... I was honestly surprised it's possible to obtain a FLA domain (four letter acronym), or at least it was possible for these guys for this one domain...
Re:dcwg.org (Score:5, Funny)
Damn straight. That's some nice digs Kim has out there in New Zealand... Be a shame if he were sent down for a few years and a bunch of squatters moved in.
Re: (Score:2)
Who cares about dot orgs?
I have it on good authority from an SEO that links from dot orgs are weighted much more heavily by Google's ranking algorithm. In fact, I get free domain registration, hosting and admin for a few .org.au domains in exchange for a couple of (slightly relevant) links.
Re:dcwg.org (Score:4, Informative)
I bought one a year or so ago on eBay; cost me $25. Not really "available" in the sense that you could register it through any registrar, but available in that I could easily get it. There are lots of them on eBay all the time; they seem to start at $25 for a .com.
Re: (Score:3)
All of the 4 letter .com domains have been registered. They expire and drop sometimes, and people grab them from places like SnapNames and NameJet. There's also an aftermarket where you can find the less desirable combinations for about $25-$100.
There are plenty of 4 letter .net and .org domains that aren't registered yet, and they can be had for the price of registration at your favorite registrar.
Why doesn't Google check for this? (Score:3)
It seems like Google would be in a position to quickly nip problems like this in the bud. If they implemented whatever checks these systems are doing on their search result page, 99% of those infected would know about it.
Re: (Score:3)
How many of the infected Windows users are using Bing because it is the IE default?
Re: (Score:3)
It seems like Google would be in a position to quickly nip problems like this in the bud.
I'm sure they are in a position to perform this type of check, but is it their place to do so?
If they did it on their own we'd be up in arms about Google inspecting everything too deeply. If they don't do it we want to know why. It's a no win situation, but it's better for them to be persuaded to perform the task rather than jumping in with both feet and enduring the choir of complainants.
Re: (Score:2)
There's nothing for Google to test. By the time they get your traffic, the DNS query is done.
Why do you imagine they couldn't arrange the same result? Create a real DNS record for something like dns-ok.google.com pointed to a Google server with a no-op piece of JavaScript called test.js on it, then include "dns-ok.google.com/test.js" on google.com. Then they could call up the people who currently control the DNS changer server and tell them to add a record for dns-ok.google.com and point it to a different Google server where that piece of JavaScript causes the user to see a message that their compu
Re: (Score:2)
I don't care about the unibrow, but I have to admit I thought Paul Vixie would look more dashing.
I'm not sure why, but I pictured him as a cross between Indiana Jones, Flash Gordon and Dilbert.
Re: (Score:2)
I don't care about the unibrow, but I have to admit I thought Paul Vixie would look more dashing.
I'm not sure why, but I pictured him as a cross between Indiana Jones, Flash Gordon and Dilbert.
I pictured him as dark, handsome, but boyish. With rather long, black, curly hair. Funny how we make our own portraits of programmers, as if they were characters in a novel.
Re: (Score:2)
The original author [wikipedia.org] of cron and bind is a "tech writer"? The man who claims to hold the record for the most CERT advisories due to a single author? When it comes to the Internet, the man has at least demi-god status, and when it comes to DNS, I think you have to call him a full-fledged god.
Re: (Score:2)
The original author [wikipedia.org] of cron and bind is a "tech writer"?
You're right at large, but he wasn't the original author of cron. He made the first(?) free clone.
Re: (Score:2)
This is an insult to all inter-ocularly hirsute techs everywhere. We who sport the unibrow (or monobrow as it is known in Australia) - all look up to Mr Vixie, and I myself am proud to have been compared to Mr Twit of Roald Dahl's inspiring book, "The Twits" fame.
Such comments are just jealousy, I suppose.
Stupid (Score:5, Interesting)
They never should have set up replacement DNS servers.
At most they should have put up a special server that just pointed every A record request to a webserver with a page explaining that you have or have had some malware on your system and are vulnerable, some instructions to fix your DNS and patch your box, or to call your administrator for help. Simply return NXDOMAIN for everything else.
All this has accomplished is keeping a bunch of un-patched machines (which, let's face it, most likely have or will have other malware on them as well) in use by users, making them the possible victims of someone else.
I have not bought into the argument about ISPs or corporate users being affected severely either. Anyone affected by this thing is not using DNSSEC. It would be trivial to NAT tcp53/udp53 requests to the addresses of the malicious DNS servers to a safe in-house one. ISPs and corporations then could go through those logs with their own resources and contact those users / customers for a fix, instead of being allowed to just shift the cost of their security failure onto the taxpayer as they have. Such organizations should be going after the estate of the perps for damages and eating the costs that cannot be recovered, or forcing their insurers to do it.
This was just another abuse of the public.
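The comment above proposes that an ISP or enterprise redirect port-53 traffic aimed at the rogue resolver addresses to an in-house resolver and then mine its own logs to find the affected clients. The following is an added example (not code from the thread or from the DCWG) showing both halves of that in Python: a small detector run over constructed flow-log lines, and a renderer for the matching iptables DNAT rules. The rogue prefixes (198.51.100.0/24, 203.0.113.0/24) and the in-house resolver address 192.0.2.53 are placeholders, not the real DNSChanger ranges.

```python
"""Find clients talking DNS to rogue resolvers, and render NAT redirect rules.

Added example, not from the thread.  Prefixes and addresses are placeholders
from the documentation ranges; substitute the published rogue-resolver list.
"""
import ipaddress
from collections import defaultdict

# Placeholder rogue resolver prefixes (constructed, NOT the real DNSChanger ranges).
ROGUE_RESOLVER_PREFIXES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]
SAFE_RESOLVER = "192.0.2.53"  # constructed: the in-house resolver clients get DNAT'd to

# Constructed flow log: "<timestamp> <src> <dst> <proto> <dport>" per line.
FLOW_LOG = """\
2012-05-01T10:00:01 10.0.0.5 198.51.100.7 udp 53
2012-05-01T10:00:02 10.0.0.5 198.51.100.7 udp 53
2012-05-01T10:00:03 10.0.0.9 192.0.2.53 udp 53
2012-05-01T10:00:04 10.0.0.12 203.0.113.200 tcp 53
2012-05-01T10:00:05 10.0.0.12 198.51.100.7 tcp 443
2012-05-01T10:00:06 10.0.0.20 93.184.216.34 tcp 80
"""


def parse_flow(line):
    """Split one flow-log line into (timestamp, src, dst, proto, dport)."""
    ts, src, dst, proto, dport = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(dport)


def is_rogue_resolver(addr):
    """True if `addr` falls inside any of the rogue resolver prefixes."""
    return any(addr in net for net in ROGUE_RESOLVER_PREFIXES)


def find_infected_clients(log_text):
    """Return {client_ip: number_of_dns_flows} for clients using a rogue resolver.

    Only port-53 UDP/TCP flows count; other traffic to those prefixes is ignored,
    since it says nothing about the client's resolver configuration.
    """
    hits = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, dst, proto, dport = parse_flow(line)
        if dport == 53 and proto in ("udp", "tcp") and is_rogue_resolver(dst):
            hits[str(src)] += 1
    return dict(hits)


def redirect_rules(interface="eth0"):
    """Render iptables DNAT rules sending rogue-resolver DNS traffic to SAFE_RESOLVER.

    One rule per (prefix, protocol); the in-house resolver's query log then
    records which clients were redirected.
    """
    rules = []
    for net in ROGUE_RESOLVER_PREFIXES:
        for proto in ("udp", "tcp"):
            rules.append(
                f"iptables -t nat -A PREROUTING -i {interface} -p {proto} "
                f"-d {net} --dport 53 -j DNAT --to-destination {SAFE_RESOLVER}:53"
            )
    return rules


if __name__ == "__main__":
    for client, count in sorted(find_infected_clients(FLOW_LOG).items()):
        print(f"{client}: {count} DNS flow(s) to a rogue resolver")
    print("\n".join(redirect_rules()))
```

The detector deliberately ignores the 10.0.0.12 flow to port 443 on a rogue address: only DNS traffic indicates a changed resolver setting, so reporting on anything else would produce false positives.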
Re: (Score:2)
It would be trivial to NAT tcp53/udp53 requests to the addresses of the malicious DNS servers to a safe in-house one.
That doesn't scale very well on a "real network" although that works pretty well if you have one provider and one firewall (basically what you probably have at home but probably bigger). The "right" way to do it is have your BGP speaking routers advertise those specific routes, and one linux box with a bunch of virtual interfaces running bind, etc. Obviously you do not BGP advertise those routes to the general public unless you want the guys on the NANOG mailing list to laugh at you and your upstreams/pee
Re: (Score:2)
I can see doing it via routes for ISPs who have many peers. I have never done a BGP implementation for anyone with more than three Internet gateways. Frankly I'd rather put a few NAT rules on two or three gateways to make sure I have all the egress traffic covered than try to advertise a few /32s in BGP and either foul up or be fouled up by route summary.
Re: (Score:3)
If you're doing BGP, you already have experience advertising your blocks... so just advertise someone else's blocks, remember to forget to permit those blocks thru your border prefix lists... Rather than feeding a whole pop with that block you'll probably be feeding a vlan with one linux box with 256 virtual interfaces or whatever, and lots of logging to report anyone actually trying to use it for DNS. Your own level of BOFH decides if you put bind on it with a normal resolver, or redirect *.com to an inter
Re: (Score:1)
The goal is to inform users that their machine is compromised in
I still disagree with the delays (Score:5, Interesting)
There should have been a period of time to do the notifications with the DNS running "normally". At the end of that (no extension), change the DNS servers so they return an IP for ALL domains that directs everything to a single page that tells them that their computers and/or network is infected, and they need to contact a security consultant, their ISP, or a specified contact at the FBI. After that time, the DNS should go dead (route those IPs into a blackhole). That all should have been over with by now. There's no justification to delay further for stupid people.
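Two comments in this thread (the "Stupid" post above and this one) describe the same alternative to the replacement resolvers: a sinkhole that answers every A query with the address of a single warning page and returns NXDOMAIN for everything else. The following is an added example in Python, not code from the thread, ISC or the DCWG, that implements such a responder from the standard library using the RFC 1035 wire format. The warning-page address 192.0.2.10 and the local port 5353 are constructed choices.

```python
"""Minimal 'warning page' DNS sinkhole.  Added example, not from the thread.

Every IN A query is answered with WARNING_IP (the web server carrying the
notice); every other query type gets NXDOMAIN, as proposed in the comments.
Only single-question queries are handled, which is all stub resolvers send.
"""
import socket
import struct

WARNING_IP = "192.0.2.10"   # constructed: address of the warning web page
TYPE_A, CLASS_IN = 1, 1
RCODE_NXDOMAIN = 3


def _decode_name(msg, off):
    """Decode a DNS name at `off`; returns (name, offset after the name).
    Follows compression pointers (RFC 1035 4.1.4) but reports the end of the
    original field, not of the pointed-to name."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), off if end is None else end


def _encode_name(name):
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def parse_question(msg):
    """Return (txid, qname, qtype, qclass, raw question section)."""
    txid, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("only single-question messages are handled")
    qname, off = _decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return txid, qname, qtype, qclass, msg[12:off + 4]


def build_query(qname, qtype=TYPE_A, txid=0x1234):
    """Build a standard recursive query (used by the usage example and tests)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1
    return header + _encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)


def sinkhole_response(query):
    """Return the raw response bytes the sinkhole sends for `query`."""
    txid, _qname, qtype, qclass, question = parse_question(query)
    if qtype == TYPE_A and qclass == CLASS_IN:
        flags, ancount = 0x8180, 1                      # QR, RD, RA, NOERROR
        answer = (b"\xc0\x0c"                           # name: pointer to qname
                  + struct.pack("!HHIH", TYPE_A, CLASS_IN, 60, 4)
                  + socket.inet_aton(WARNING_IP))
    else:
        flags, ancount, answer = 0x8180 | RCODE_NXDOMAIN, 0, b""
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0) + question + answer


def parse_response(resp):
    """Return (rcode, [A-record addresses]) from a response message."""
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    _name, off = _decode_name(resp, 12)
    off += 4                                            # skip qtype/qclass
    ips = []
    for _ in range(ancount):
        _name, off = _decode_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == TYPE_A:
            ips.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return flags & 0x000F, ips


def serve(bind_addr="127.0.0.1", port=5353):
    """Serve the sinkhole over UDP on an unprivileged port for local testing."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(sinkhole_response(data), peer)
        except (ValueError, struct.error, IndexError, UnicodeDecodeError):
            pass                                        # malformed query: drop it


if __name__ == "__main__":
    print(parse_response(sinkhole_response(build_query("example.com"))))
    serve()
```

Run it and point a test client at 127.0.0.1:5353 (for example `dig @127.0.0.1 -p 5353 example.com`): A lookups all resolve to the warning address, while MX, AAAA or TXT lookups get NXDOMAIN, so mail and other services fail visibly instead of silently.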
Re: (Score:1)
Ditto.
Who knows what other malware/virus infections the computer may have. The prolonged extension does a disservice to the infected machines. This is crazy.
They're doing it wrong. (Score:2)
Sure, they don't want to kill the internet connections of thousands (or millions) of people in one night; this will cause the odd serious problem.
But leaving some servers running perfectly isn't going to solve anything either. If everything is working fine these people are just going to leave it be; as they were told by the last guy who charged them to fix their machine last time!
The answer is actually very simple; leave the server running but make sure it's CRAP.
On day zero it works perfectly.
On da