
FBI To Shut Down DNSChanger Servers Monday -- But Should It Cut Off 300k PCs?

Posted by Soulskill
from the time-has-been-given dept.
nk497 writes "The FBI is set to pull the plug on DNSChanger servers on Monday, leaving as many as 300,000 PCs with the wrong DNS settings, unable to easily connect to websites — although that's a big improvement from the 4m computers that would have been cut off had the authorities pulled the plug when arresting the alleged cybercriminals last year. The date has been pushed back once already to allow people more time to sort out their infected PCs, but experts say it's better to cut off infected machines than leave them be. 'Cutting them off would force them to get ahold of tech support and reveal to them that they've been running a vulnerable machine that's been compromised,' said F-Secure's Sean Sullivan. 'They never learn to patch up the machine, so it's vulnerable to other threats as well. The longer these things sit there, the more time there is for something else to infect.'"
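A check that goes with the story above, added here as an example; it is not part of the original post and not code the FBI or DCWG published. It reads resolver settings from resolv.conf-style text or from Windows "ipconfig /all" output (the sample texts are constructed for the demo) and flags any address inside the six rogue-resolver ranges listed in the FBI's DNSChanger advisory. The ranges are the published ones; the parsers and the sample configs are assumptions of this example.

```python
"""Check whether a machine's configured resolvers fall inside the DNSChanger
address ranges.

Added example for this thread, not code from the story, the FBI or DCWG.
The six CIDR ranges are the rogue-resolver ranges published in the FBI's
DNSChanger advisory; the resolv.conf and ipconfig texts below are constructed
for the demo.
"""
import ipaddress
import re

# Rogue resolver ranges (Rove Digital), as published by the FBI.
ROGUE_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
    "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
    "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
    "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
    "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
    "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
)]


def is_rogue_resolver(ip: str) -> bool:
    """True if ip lies inside one of the published DNSChanger ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False          # not an IP literal (garbage in the config)
    return any(addr in net for net in ROGUE_RANGES)


def parse_resolv_conf(text: str) -> list:
    """Nameserver addresses from /etc/resolv.conf-style text."""
    return re.findall(r"^\s*nameserver\s+(\S+)", text, flags=re.MULTILINE)


def parse_ipconfig(text: str) -> list:
    """DNS server addresses from Windows 'ipconfig /all' output.

    The first server sits on the 'DNS Servers . . . : x.x.x.x' line; extra
    servers follow on indented continuation lines holding only an address.
    """
    servers, in_dns = [], False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            servers.append(m.group(1))
            in_dns = True
            continue
        if in_dns and re.fullmatch(r"\s+\d{1,3}(?:\.\d{1,3}){3}\s*", line):
            servers.append(line.strip())
            continue
        in_dns = False
    return servers


def rogue_resolvers(servers) -> list:
    """Subset of servers that fall inside the DNSChanger ranges."""
    return [s for s in servers if is_rogue_resolver(s)]


# Constructed sample configs: a Linux box pointed straight at a rogue
# resolver, a Windows box whose second DNS server is rogue, and a box that
# only sees its home router (which may itself have been tampered with).
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.lan
nameserver 85.255.116.3
nameserver 192.168.1.1
"""

SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       64.28.180.9
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

SAMPLE_ROUTER_ONLY = "nameserver 192.168.0.1\n"

if __name__ == "__main__":
    for label, servers in (
        ("resolv.conf", parse_resolv_conf(SAMPLE_RESOLV_CONF)),
        ("ipconfig", parse_ipconfig(SAMPLE_IPCONFIG)),
        ("router-only", parse_resolv_conf(SAMPLE_ROUTER_ONLY)),
    ):
        bad = rogue_resolvers(servers)
        print(f"{label}: {servers} -> {'ROGUE ' + str(bad) if bad else 'clean'}")
```

A clean result is not proof of a clean network: when the only nameserver is the router's LAN address (the third sample), the router's own WAN-side DNS settings have to be checked as well, because the malware rewrote those on some routers and every PC behind them then inherits the rogue servers over DHCP no matter how often it is reinstalled.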
  • by Anonymous Coward

    those machines are primarily used to connect to Facebook... so allow me to say:
    and nothing of value was lost

  • About time... (Score:5, Insightful)

    by Guspaz (556486) on Wednesday July 04, 2012 @04:24PM (#40544241) Homepage

    They should have cut them off immediately, when there were 4 million PCs connecting to them. How are people supposed to learn?

    • by Anonymous Coward

      No, they should have not resolved any addresses except for those that started with "www." Those addresses should have pointed to a warning page when accessed by html. That way people would have been warned earlier. That is basically how they allow the detection, i.e. infected machines access one address and uninfected detect others. There isn't really a reason that they can't do it for all html pages. I mean, just cutting them off would break programs that access html anyway.

    • I agree completely. Shut them down. Most people will not even notice that there is a problem until their computer stops working.
      The users will call their ISP, and they will figure out very quickly what the problem and pass them off to someone to fix it.
      Perhaps one or two people might figure out that computers require maintenance, just like a car does, and that maybe paying for such maintenance is a good idea.

      But I doubt it.
    • by Hentes (2461350)

      They could notify them before shutting it down, for example.

      • Re:About time... (Score:5, Interesting)

        by aix tom (902140) on Wednesday July 04, 2012 @06:14PM (#40545131)

        Of course the problem is THAT would open up a whole other can of worms.

        Millions of people getting some sort of page or pop-up telling them "Warning, your computer is infected, please immediately ... yadda yadda yadda", and then learning through support and/or the news that such warnings that pop up randomly can actually be true. When in reality there is a high chance they even originally GOT their machines infected by cluelessly believing such a warning that an infected page popped up.

        Just shutting it down after informing the ISPs that a probable flood of support calls will hit would have been my preferred option.

        • by Hentes (2461350) on Wednesday July 04, 2012 @06:27PM (#40545205)

          They can sign the message with the FBI key so users can ensure its validity.

          • Re:About time... (Score:4, Insightful)

            by dark12222000 (1076451) on Wednesday July 04, 2012 @06:35PM (#40545271)
            Of course, because the sorts of people who run infected machines constantly are well aware of things like signing keys.
            • by Hentes (2461350)

              The machines infected can just as well be on a neglected company network. But even if they don't believe the popup the first time, if it pops up before every page they visit most people will realize that the chances of a malicious popup writer owning the whole internet are small.

              • With javascript injection and a local web server, forcing a popup to appear on every page of "the whole internet" is trivial. There are, in fact, SEVERAL pieces of malware which already use this tactic.
                • by Hentes (2461350)

                  But that also leads to the conclusion that the system is infected.

                  • Yet several of those machines continue running, and have been for months.

                    You severely overestimate the average consumer.
                • by DavidTC (10147)

                  Which is why the FBI page should carefully explain to never follow links on pages like this, and instead to contact their ISP for information how to fix their DNS.

                  Which I suspect is what it did.

            • Thank you for the RL chuckle...I needed that about now :)
        • by PopeRatzo (965947)

          Of course the problem is THAT would open up a whole other can of worms.

          Millions of people getting some sort of page or pop-up telling them "Warning, your computer is infected, please immediately ... yadda yadda yadda", and then learning through support and/or the news that such warnings that pop up randomly can actually be true. When in reality there is a high chance they even originally GOT their machines infected by cluelessly believing such a warning that an infected page popped up.

          There are probably a h

          • There are probably a handful of sites - Google, MSN, Facebook, etc - that practically all of those people will access. Why not ask those companies to post some information about how to check if you're infected and/or how to fix the infection? It seems like this thing could be fixed pretty easily if you had the biggest sites on the Internet on board.

            People don't trust an email from "teh FBI" but they sure as hell trust what comes up on the Google or Facebook home page.

            Or is it unthinkable to ask the biggest players on the Internet to be good net citizens and help out a little bit for the good of everybody?

            You mean they should do something like what Google and Facebook [theregister.co.uk] are doing?

            • by PopeRatzo (965947)

              You mean they should do something like what Google and Facebook are doing?

              Gee, that was fast. I'm glad they liked my suggestion.

      • by sjames (1099)

        Done, and then the date was pushed back and everyone warned again. The 300K remaining are apparently invulnerable to the armor piercing clue.

        I agree that maintaining the redirected DNS for a time and issuing a warning was appropriate, it's just that time is months beyond up now.

    • The FBI could be liable. Especially if corporate or government computers became infected and no anti-virus package had the definitions for it at the time, assuming it started as a 0-day exploit.

    • by morari (1080535)

      They should have, but then the FBI would not have had unobstructed access to all information flowing through their new DNS servers...

    • They never will learn. Well maybe some of them will but most of them just want their computer to run and nothing more. IMHO you can't change the older ones that are in the system because they don't want to learn anything. It's very much like the Matrix (IMHO) but it's true.

    • Well, isn't there a way to trick/force all these computers who are affected to go to a website stating: "Yo, you've been hacked and infected. We have taken down the websites, but you are still infected. Do this to get fixed."

    • They should have cut them off immediately, when there were 4 million PCs connecting to them. How are people supposed to learn?

      By them instead routing 100% of their internet pages to a site telling them they have a virus and how to undo the rogue settings. Then again a malicious browser hijacker telling you to do something shouldn't be trusted but obviously these people are pretty stupid to begin with so it would sort of work.

  • by Todd Knarr (15451) on Wednesday July 04, 2012 @04:28PM (#40544295) Homepage

    It's not like this is coming out of the blue. Every one of the owners of those machines has had at least 6 months' warning of the problem. If they haven't done anything before this, they won't do anything about it until their Internet stops working and they have no choice. So stop with the hand-wringing, shut 'em down and let those people suffer the consequences of their own willful stupidity. It's the only way they'll learn.

    • It's not like this is coming out of the blue. Every one of the owners of those machines has had at least 6 months' warning of the problem.

      6 months warning? Where? I guarantee, if I were to go into work on Monday and say "hey, have you heard about that whole DNSChanger thing?"...2, maybe 3, out of 75 would say yes. And those because they read it here.
      • by Todd Knarr (15451) on Wednesday July 04, 2012 @04:58PM (#40544563) Homepage

        http://www.dcwg.org/ [dcwg.org]
        It's been in every antivirus program update since January. It's been covered on every PC-related Web site out there. Facebook has been warning anyone who visits while infected about the problem since early June. It's been the Malicious Software Removal Tool Microsoft sends monthly through Windows Update for months now. The only people who don't know about the problem are the ones who've been willfully refusing to look at anything related to the security of their computers. Well, you can't safely do that. That's been, or should have been, common knowledge for the last 20 years.

        • Re: (Score:3, Insightful)

          by Anonymous Coward

          Ah, but grandma-joesixpack has been on the internet with Windows for years. She's been burned. She now ignores ALL sorts of warnings because she figures they're more of those damn malware clicks and emails that she sees all the time and must never click.

          Are they warning people on the paper bill from the ISP? That's the only thing that's going to do it. On the same page with the payment information -- because there's always advertising shit included that she knows to toss straight to the bin. Worded like "WE

          • by Todd Knarr (15451)

            If grandma-joesixpack is that computer-illiterate, she shouldn't have to be watching out. She should be letting someone more computer-literate set her computer up, including antivirus and automatic updates and all, and when the AV program and Microsoft's MSRT started alerting she should've called said computer-literate helper to fix things.

            And why would we assume she's computer-illiterate? My mother knows enough to call for the tech when things get weird, and she's 70 and just got her first computer. My gen

          • by sjames (1099)

            If she has that little idea about it, she's not going to take action until "the internet is broken". Kill the redirected DNS so she will truly understand that something's wrong and will contact someone who can fix it for her.

        • This trojan uses a PnP exploit to reset the router's firmware to use the hacked DNS settings.

          No amount of AV software nor a new computer hooked into the network can escape this. Logging into the router is out of the depth of the average user's knowledge and expertise, and my guess is this and inept corporate IT departments who use unpatched Windows (almost all of them) are the majority of those that are left. So I do not blame these users.

          They will have to call their ISP for instructions on how to reset their DNS settings.

    • Fuck that, yes they should turn off the DNS servers, and there is only one valid reason why they should - the FBI has no duty of care to *any* of these people to keep their Internet running. Turn the servers off, let the Internet break for these people, let them learn the lesson they should be learning.

  • Why not do what every ISP is doing - for every DNS request hitting the server, send them to a page that tells them their PC is infected and how to clean it.

    They have to click again in order to get through. Set the TTL of the DNS caching to nil so it happens practically every link - simply bombard them through annoyance?

    Oh, and sure it'll break stuff like e-mail and all sorts of other non-HTTP protocols, which is good because they'll hopefully call tech support or something.

    • So how do you make a "You're infected with X" page people actually trust?
      • It would probably be better to redirect them to Rick Roll (No I will not put the URL here).
      • At least it will open their eyes. Now everything (as far as I know) just works. Of course you can redirect them to a page that they should trust, on a https server with a domain that can be trusted, etc.
        • by sjames (1099)

          It will train them to believe that "checking your computer for viruses" scam ad the next time they see it.

          • There is no need to "train" them for that. Most got infected that way or via other "streetwise" mistakes.
      • So how do you make a "You're infected with X" page people actually trust?

        Don't offer to sell them anything and point this out.

        Tell them to contact their local computer support folks but don't make specific recommendations.

        Give them a link to a page on the FBI's website and give them an 800-number to call. Give them an extension that they can dial from the FBI's main switchboard as well.

        • Don't offer to sell them anything and point this out.

          Tell them to contact their local computer support folks but don't make specific recommendations.

          Give them a link to a page on the FBI's website and give them an 800-number to call. Give them an extension that they can dial from the FBI's main switchboard as well.

          When something like this happens, most people's machines that had been compromised were compromised as a result of a user taking an action most of us would sigh and laugh at.

          They did not have the awareness to keep from being suckered or conned or whatever, so what makes you think they will have the awareness to parse the difference between the FBI doing it and a real attacker?

          It simply does not work to try and push the official message thing it only makes things worse because now the phishers are able to leverag

          • The 1-800 number is still a reference an attacker may control. They may even decide to sucker a few people into calling the "FBI switchboard" in order to rack up service charges on their phone bill.

            How do they take control of the phone books?

            Personally I think a central method of verifying government actors and actions as legitimate in the sense it was not something made up by an imposter would have a lot of value outside this specific issue.

            But if you're rootkitted then you can't trust the computer anyway.

      • by Z00L00K (682162)

        Those infected are more likely to trust whatever passes their eyes so it will probably work.

      • by BronsCon (927697)
        You don't have to make a page people trust when you're dealing with people who trust any page.
    • by John Bokma (834313) on Wednesday July 04, 2012 @04:57PM (#40544555) Homepage
      DNS servers don't return pages. What you probably mean is to return the same IP address for each and every DNS request, an IP address that hosts a web server that tells people that their computer has been infected. Might be possible to do the same for other protocols, e.g. POP3 will return daily a new email that their computer has been infected, etc.
      • by Inda (580031)
        I saw one of those "your computer has been infected" emails this morning...
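The scheme described above (hand back one fixed address for every lookup, with a TTL of zero so the warning page comes up on practically every link), written out as an added example; this is not code the FBI, DCWG or any ISP ran. It assumes a placeholder warning host at 192.0.2.10 (TEST-NET-1), handles only single-question, uncompressed queries, and the query used in the demo is constructed inline.

```python
"""Minimal DNS sinkhole: answer every A query with one fixed address, TTL 0.

Added example for this thread, not code the FBI, DCWG or any ISP ran.
WARNING_IP is a placeholder from TEST-NET-1 standing in for the host that
serves the "your machine is infected" page. Only single-question,
uncompressed queries are handled; anything else is dropped.
"""
import socket
import struct

WARNING_IP = "192.0.2.10"   # placeholder: the warning web server
QTYPE_A, QCLASS_IN = 1, 1


def parse_question(packet: bytes):
    """Return (txid, qname, qtype, qclass, end_offset) for a one-question query."""
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    off, labels = 12, []
    while True:
        length = packet[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:           # compression pointers are not valid here
            raise ValueError("compression pointer in question name")
        labels.append(packet[off:off + length].decode("ascii"))
        off += length
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return txid, ".".join(labels), qtype, qclass, off + 4


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """Build a standard recursive query, as a stub resolver would send it."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def build_sinkhole_response(query: bytes, answer_ip: str = WARNING_IP, ttl: int = 0) -> bytes:
    """Echo the question; answer A/IN with answer_ip and the given TTL.

    Non-A queries (AAAA, MX, ...) get an empty NOERROR answer, which is why
    this approach breaks mail and other non-HTTP protocols for the victim.
    """
    txid, _name, qtype, qclass, qend = parse_question(query)
    question = query[12:qend]
    flags = 0x8180                  # QR=1, RD=1, RA=1, RCODE=NOERROR
    if qtype == QTYPE_A and qclass == QCLASS_IN:
        # name = pointer to offset 12 (the question), then type, class, TTL, RDLENGTH
        answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, ttl, 4) + socket.inet_aton(answer_ip)
        ancount = 1
    else:
        answer, ancount = b"", 0
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    return header + question + answer


def decode_answer(response: bytes):
    """(txid, flags, ancount, ttl, ip) from a response built above; ttl/ip are None if no answer."""
    txid, flags, _qd, ancount = struct.unpack("!HHHH", response[:8])
    if ancount == 0:
        return txid, flags, 0, None, None
    ttl, _rdlen = struct.unpack("!IH", response[-10:-4])
    return txid, flags, ancount, ttl, socket.inet_ntoa(response[-4:])


def serve(bind=("0.0.0.0", 53)):
    """Run the sinkhole over UDP; binding port 53 needs root or CAP_NET_BIND_SERVICE."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(build_sinkhole_response(data), peer)
        except (ValueError, IndexError, UnicodeDecodeError, struct.error):
            continue                # malformed query: drop it


if __name__ == "__main__":
    demo = build_query(0x1234, "www.example.com")
    print(decode_answer(build_sinkhole_response(demo)))   # then serve for real
    serve()
```

The answer section uses a compression pointer (0xC00C) back to the question name, so the response stays small; the TTL of zero is the "bombard them through annoyance" setting, since a caching stub will ask again on the next link. The page behind WARNING_IP should, as several posters note, sell nothing and tell the user to call their ISP rather than download anything, or it is indistinguishable from the scareware that got many of these machines infected in the first place.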
    • by vlm (69642) on Wednesday July 04, 2012 @05:20PM (#40544739)

      Why not do what every ISP is doing - for every DNS request hitting the server, send them to a page that tells them their PC is infected

      The list of hijacked DNS servers is well known in the biz, so I've heard at least some ISPs have been null routing the DNS server addresses as call queues and customer service staffing permits. Perhaps every day one pop or one CMTS or whatever it is DSL headend gear is called, or one entire city, gets null routes for those specific hijacked DNS /32s.

      It ends up being about the same result in the end, except that you can control your call volume in an extremely fine-grained manner, or at least more fine-grained than the fake DNS server solution.

      Obviously you lose your fine-grained gradual deployment if you redistribute those /32 routes into your site wide BGP route reflector. I wonder how many jokers have leaked those /32s onto the internet by trying to do this.

      The guys who know what they're doing are all done now... The folks who haven't started are going to epic fail no matter what you do, so the FBI may as well just yank those AC cords and be done with it.

    • by Nimey (114278)

      Redirect all their queries to a page with Goatse and an admonishment to clean their computers.

    • by fluffy99 (870997)

      Something like this would be possible. Don't redirect everything, just a few key sites like facebook and google. Google and facebook would need to have certain IPs setup to direct you to a warning page. Probably complicated though, given the layers of DNS lookups you go through and Akamai providing the back end, etc.

      Also, the ISP can easily determine which clients are infected and send them an email. I would think doing so would be in their best interest to avoid the calls to their helpdesk when things

  • by Anonymous Coward

    Send all the hosts to a website saying hey guess what you've been compromised. blah blah blah to fix. We used to do this to customers back in the old dialup dayz

    -Thorne

    • by PPH (736903)

      They could have sold advertising space on that page to Microsoft. Or Apple. "Fix that PC now! Upgrade to ...."

      The FBI would have been fully funded for the next decade.

    • by Jiro (131519)

      We don't want to teach users that if they open a webpage which claims the computer is compromised and tells them what to do, that they should obey. That's how a lot of malware gets installed in the first place.

    • Send all the hosts to a website saying hey guess what you've been compromised. blah blah blah to fix. We used to do this to customers back in the old dialup dayz

      This is every phisher in the world's wet dream.

  • When citizens start learning that they can't expect the DNS system to just allow them to continue to be a part of a BOT because they don't care because they are thrown off the Internet, the sooner they will learn to take responsibility for their own equipment one way or another.

  • About Time.... Then the people will know they have a problem.. right now, they think everything is fine.

  • More to the story? (Score:5, Interesting)

    by dualboot (125004) on Wednesday July 04, 2012 @04:49PM (#40544485) Homepage

    I wonder if the real reason they kept this on life support for so long was to enjoy 6+ months of DNS queries for 4mil-300 thousand users?

    Seems like an excellent opportunity to gather a large amount of intelligence without any messy subpoenas or warrants.

    • What is it that you imagine they could learn that way?

      • by dualboot (125004)

        What can you learn by resolving every single DNS query from someone using an internet connected machine?

        Quite a bit.

        Imagine the scary amount of information Google knows about people who use their service. Especially combined with the fact that almost every site out there now uses Google Analytics and/or Google Advertisements.

        I realize it sounds very tin foil but intercepting all DNS queries can give you a pretty good fingerprint of a user.

  • If you run a botnet, better check any of your zombies for this and fix them quickly. Otherwise they might get attention from a PC tech who'll remove your code as well.

    (Isn't this the likely result from delays?)

  • by nuckfuts (690967) on Wednesday July 04, 2012 @05:10PM (#40544651)
    The DNSChanger malware can change DHCP server settings on some routers [fbi.gov]. If your home router has been tampered with, it may continue to provide rogue DNS settings even after your PC has been cleaned or reinstalled.
  • by reallocate (142797) on Wednesday July 04, 2012 @05:30PM (#40544803)

    For months, the FBI has been, essentially, providing DNS service for lots of people who didn't even know their machine had been compromised. This is the FBI, remember. If the FBI announced it was going to muck around with the DNS of millions of people, the Usual Suspects here would be ranting about the Evil Of It All.

    Most of those 300,000 remaining victims will likely never fix anything. They've only been on the internet for these last several months thanks to the FBI, and they don't even know it.

    Pull the plug and go catch some crooks.

  • My guess is all the corporate PHBs and bigwigs who love to still use XP/IE 6 with no updates, because it is cheaper to have IT just put out fires to help boost the share price, are the ones in for a surprise.

    With Symantec endpoint I am sure it would be detected ... yeah right

  • Seems that a clear posting that describes how to fix the problem would be the most useful to the most people.
  • by smash (1351)

    If these machines are attempting to infect others, sending spam, and doing all the other malicious botnet type activity they no doubt are being used for, or could be used for, then cut them off.

    Leaving them working, but infected because the user is too ignorant to fix the problem (which has been present for well over a year now) is a liability.

  • by kriston (7886) on Thursday July 05, 2012 @12:13AM (#40547801) Homepage Journal

    It really does matter for the underserved internet community who rely on affordable and sometimes outdated DSL modems for their access to the internet in rural areas. Many of these DSL modems have been infected by a scary variant of the DNSChanger Zlob trojan that actually changes the DSL modem's DNS settings and changes the DSL modem's password to an unguessable value. The most detrimental effect of this infection is a virtually irreversible firmware change in an unknown but probably high number of DSL modems worldwide which are permanently affixed to the rogue DNS servers, now seized and run by the FBI as clean, boring caching DNS servers. They will be shut down July 9 because the FBI doesn't want to be an ISP, which has the effect of cutting off an unknown number of people from the internet.

    It's not a small problem. It's a big problem. The cost of help desk calls alone will be devastating to the disadvantaged and underserved internet community, i.e., rural America, who may be using the affected DSL modems infected by this Zlob trojan variant.

    The most important note you must realize about this problem is that DNSChanger actually changed the DNS servers on the DSL modem. Just in case you don't realize this: the DSL modem provides the DNS server info to the computer in the home. While the computer may no longer be infected, the DSL modem is configured to use the DNSChanger rogue DNS servers which the FBI seized and will shut down on July 9.

    It's a really big deal and we should treat it like that.

    You can check more out here: http://www.dns-ok.us/ [dns-ok.us]

    • by jbolden (176878)

      I'm not seeing how this is devastating to rural America. This generates a service call. The ISP either gets an up-sell opportunity or they bill for the fix. The rural person making the call either gets a free fix or they pay $50 for service. The whole thing works out to (using the 4m number) at most 4m x $50 = $200m in costs. That's about 1/2% of annual cable revenues in the US. Where is the devastation?

      • by kriston (7886)

        They won't bill for the fix and they won't try to up-sell. The real worry is the fact that modems will need to be replaced. I didn't make it clear in my original post that the DSL modem variant of the DNSChanger Zlob trojan really does brick the DSL modem once the FBI shuts the servers off. That costs a lot of money in labor and equipment.

        Perhaps I also wasn't clear that these people don't have a lot of money to begin with.

        • by jbolden (176878)

          I took it that they would need to be flashed potentially. I figured a mass purchase of DSL modems is like $20 each. I had room for some level of service in my $50 estimate per head. The number might be too low, but where poverty is rampant labor is cheap. If my $50 is off and it should be $75 I would agree that rural DSL customers aren't likely to have lots of extra money.

          Almost all the country at this point has Broadband. The FCC has been taxing to make availability happen. Looking at the current

  • Don't cut them off - do like the hotels do and take them to a splash screen asking for their credit card numbers so they can pay if they want to continue to use the internet on a service that is costing money to run and which they can't connect to normally because of their own wilful ignorance on security.
  • Rather than people infected with shit knowing there is a problem and getting help before they get even more owned, the FBI actively acted to cover up the problem by continuing to run the DNS service, leaving users to remain clueless.

    God knows I hate lawsuits yet on some level it would be awesome if someone filed one against the FBI anyway even if it had no chance of succeeding. It just might make them think twice before they decide to repeat this stunt.

  • 1. Yes they should shut it down.

    2. They should have a stockpile of dunce caps ready to mail to people who, despite having had months of warning, never bothered to even check if they were infected. There have been a myriad of public warnings about this, and instructions/tools on how to check. I am a reasonably advanced tech person, and even I checked my machines because I am not so proud as to believe I am flawless.

    3. For everyone talking about web sites... This is not just web sites. Everything you do on t

  • There are a few Private DNS systems that live outside the 'official' DNS system that allow people to find what they want regardless of a domain being 'seized'. If they don't control the DNS system they can't remove widescale access to a specific domain without actually getting to the physical server.

    What I expect is going on is the FBI is going to kill access to these private DNS systems, or, they are engaging a global DNS logging system, or both.

    Private DNS systems may be blocked for a short time until a way
