Disconnection of Millions of DNSChanger-Infected PCs Delayed
tsu doh nimh writes "Millions of computers infected with the stealthy and tenacious DNSChanger Trojan may be spared a planned disconnection from the Internet early next month if a New York court approves a new request by the U.S. government. Meanwhile, six men accused of managing and profiting from the huge collection of hacked PCs are expected to soon be extradited from their native Estonia to face charges in the United States."
Re:Hype (Score:5, Funny)
Save us from the Trojan? I thought using a Trojan helped prevent the spread of viruses...
Re:Hype (Score:5, Funny)
Re:Hype (Score:4, Funny)
Save us from the Trojan? I thought using a Trojan helped prevent the spread of viruses...
If you think that about the Trojans, then obviously, computers are all Greek to you.
Meh (Score:2, Funny)
I really don't see the big deal, I mean I
Re: (Score:2)
I really don't see the big deal, I mean I
A part of me misses the days of the #*&^a No carrier.
Let it happen (Score:5, Interesting)
Re:Let it happen (Score:4, Insightful)
Why would we want infected computers to exist on the Internet anyway? The excuse that they create jobs, in cleaning them up, is not a strong one, since by that same logic you could also make work by smashing them.
If they could be disconnected in stages, so centralized support outlets are not overwhelmed, that might be a more graceful letdown for the infected owners.
Re:Let it happen (Score:5, Insightful)
Re: (Score:1)
I am behind this 100%.
Pull the plug and replace all the computers that stop working. All of these machines could have other security holes. Because the DNS is still working, many people may not know they were infected.
The only other thing I may suggest is to redirect all DNS queries to a page that says:
The US government has identified this computer as a security risk. We recommend that you rebuild this computer. You are seeing this message because we shut down the group controlling your computer.
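The redirect-to-a-notice-page idea from the post above, and the refinement later in the thread that antivirus and OS vendor sites should still resolve normally, is essentially a DNS sinkhole. The following is an added example, not code from the article, the FBI, or any commenter: it builds DNS wire-format answers by hand, returns a placeholder notice-page address for every A query except names on an allowlist, and hands allowed names to an operator-supplied upstream lookup. The notice-page address, the `.test` allowlist suffixes and the `FAKE_UPSTREAM` table are all constructed stand-ins; a real deployment would bind a UDP socket on port 53 and pass each datagram to `handle_query`.

```python
import struct

# Constructed values for this example (not from the article or the FBI guide):
NOTICE_PAGE_IP = "192.0.2.10"  # placeholder: web server hosting the "you are infected" page
ALLOWED_SUFFIXES = ("av-vendor.test", "os-vendor.test")  # names still answered truthfully


def encode_name(name):
    """Encode a dotted hostname as a sequence of DNS labels."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(txid, name, qtype=1):
    """Build a minimal standard query; used here only to construct sample traffic."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_question(msg):
    """Return (txid, qname, qtype, offset just past the question section)."""
    txid = struct.unpack("!H", msg[:2])[0]
    labels, off = [], 12
    while msg[off] != 0:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    off += 1  # skip the terminating zero-length label
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    return txid, ".".join(labels), qtype, off + 4  # +4 skips QTYPE and QCLASS


def is_allowed(qname):
    """Names that must keep resolving so victims can reach cleanup resources."""
    q = qname.lower()
    return any(q == s or q.endswith("." + s) for s in ALLOWED_SUFFIXES)


def build_a_response(query, ip, ttl=60):
    """Answer the query with one A record, or with an empty answer section
    when the query is not type A or no address is available."""
    txid, _qname, qtype, qend = parse_question(query)
    flags = 0x8180  # QR=1, RD=1, RA=1, RCODE=NOERROR
    ancount = 1 if (qtype == 1 and ip is not None) else 0
    header = struct.pack("!6H", txid, flags, 1, ancount, 0, 0)
    answer = b""
    if ancount:
        rdata = bytes(int(octet) for octet in ip.split("."))
        # NAME is a compression pointer to the question name at offset 12.
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + rdata
    return header + query[12:qend] + answer


def handle_query(query, upstream_lookup):
    """Sinkhole policy: allowed names get the real address from upstream_lookup
    (a callable supplied by the operator); everything else gets the notice page."""
    _, qname, _qtype, _ = parse_question(query)
    if is_allowed(qname):
        return build_a_response(query, upstream_lookup(qname))
    return build_a_response(query, NOTICE_PAGE_IP, ttl=5)  # short TTL so cleanup takes effect quickly


# Constructed stand-in for a real upstream resolver.
FAKE_UPSTREAM = {"www.av-vendor.test": "198.51.100.20"}


def answer_ip(response):
    """Extract the IPv4 address from a one-answer response (None if no answer)."""
    ancount = struct.unpack("!H", response[6:8])[0]
    if ancount == 0:
        return None
    return ".".join(str(b) for b in response[-4:])


if __name__ == "__main__":
    for name in ("www.example.com", "www.av-vendor.test"):
        resp = handle_query(build_query(0x1234, name), FAKE_UPSTREAM.get)
        print(f"{name} -> {answer_ip(resp)}")
```

The short TTL on sinkholed answers matters operationally: once a machine is cleaned and points at a legitimate resolver, cached notice-page answers expire within seconds rather than lingering for an hour.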
Re: (Score:2)
The US government has identified this computer as a security risk. We recommend that you rebuild this computer. You are seeing this message because we shut down the group controlling your computer.
Most people wouldn't believe it. They'd call Microsoft and when they find it still exists, they'd say the message was a lie - since most people think Microsoft controls their computer and the Internet.
LOL.
Re:Let it happen (Score:4, Informative)
The excuse that they create jobs, in cleaning them up, is not a strong one, since by that same logic you could also make work by smashing them.
Yes, this is the Broken Window Fallacy [wikipedia.org].
To quote:
The parable, also known as the broken window fallacy or glazier's fallacy, demonstrates how opportunity costs, as well as the law of unintended consequences, affect economic activity in ways that are "unseen" or ignored.
Re: (Score:2)
Re: (Score:2)
How much cash is involved when someone's home PC stops working? I can see if businesses are impacted, but I think their numbers about "half of Fortune 500 companies" are a bunch of bull - maybe they have a few that are infected, but nothing business crippling.
How much does it cost us to allow these infected computers to remain on the internet?
Booting them off the internet is a good idea, but doesn't fix the underlying problem. PEBKAC.
Re:Let it happen (Score:5, Interesting)
Allowing the infected computers to fail is probably best. They'll stop working, then get replaced or cleaned up. How is that bad?
Maybe the US govt doesn't want them to be cleaned up because the us govt is involved in them, somehow.
Note I'm not completely tinfoil hat here. I'm not suggesting that the govt wrote the virus or infected the computers. I'm merely suggesting this MIGHT be something like the syphilis experiments done on minorities decades ago... leave them infected, watch carefully, see what happens... Obviously a packet sniffer on the incoming DNS traffic tells you how many there are, you can generate all kinds of interesting graphs and studies and reports... You also have at least one pretty strong data point on security update habits, because they were not updated when infected. I would imagine some interesting data is being generated that would be eliminated if the "experiment" were terminated early.
Re: (Score:2)
Maybe the US govt doesn't want them to be cleaned up because the us govt is involved in them, somehow.
That would work if the alternative wasn't said government disconnecting them.
Re:Let it happen (Score:4, Informative)
And never, ever, look up diseases on Wikipedia. Too many good pictures of icky stuff.
Re:Let it happen (Score:4, Informative)
If the two items in bold below were not true, then they would shut down the DNS servers immediately.
FTFA:
Earlier this month [...] The company said more than 3 million systems worldwide — 500,000 in the United States — remain infected with the Trojan, and that at least one instance of the Trojan was still running on computers at 50 percent of Fortune 500 firms and half of all U.S. government agencies.
Gotta keep everything running for the good ol' boys.
Re: (Score:2)
If the two items in bold below were not true, then they would shut down the DNS servers immediately.
FTFA:
Earlier this month [...] The company said more than 3 million systems worldwide — 500,000 in the United States — remain infected with the Trojan, and that at least one instance of the Trojan was still running on computers at 50 percent of Fortune 500 firms and half of all U.S. government agencies.
Gotta keep everything running for the good ol' boys.
Sounds like a good reason to hack those DNS servers and remove the hacked computers from the network ourselves, doesn't it? Two birds with one stone...
Re: (Score:3)
Re: (Score:2)
Hooray for /. binary thinking.
You don't "leave it on forever"/"shut it down forever". You turn it off from 0900 to 0901 today. Then 0900 to 0902 tomorrow. Then 0900 to 0903 the next day. Worst case scenario this BS is over in a mere 1440 days or about 4 years. Some people might freak out and fix it the first day, some people might not notice for a couple months, but eventually they'll all deal with it in their own way.
Re: (Score:2)
What if it's Air Traffic Control?
Lots of planes could crash in a minute.
Re: (Score:2)
Re: (Score:1)
Why the hell would mission critical ATC computers be connected to the internet in the first place? So they can play Warcraft between take-offs and landings?
Re: (Score:2, Funny)
"Science isn't about why, it's about why not. You ask: why is so much of our science dangerous? I say: why not marry safe science if you love it so much. In fact, why not invent a special safety door that won't hit you in the butt on the way out, because you are fired." -Cave Johnson
Re: (Score:2)
Meh, they might as well just shut the DNS servers down fully.
The type of people who run their computers this way (always infected, never updated, no AV) are used to their computer just up and stopping working all the time.
They will simply go out and purchase a new one to replace the old 'broken' one, which will end up in the trash - and at the very least off the Internet.
Best case they give it away to their "computer guy" buddy, who will wipe it and have a free computer. It's a win-win!
Re: (Score:2)
Re:Let it happen (Score:4, Interesting)
In this case the solution is simple. Consider the trojaned computers as out-of-control devices being used to aid criminal activities. Present the information to the court, with plenty of public notice, and seek a warrant to digitally enter those computers, remove the offending software, conduct a minimal repair to lock out the trojan and leave a blatant on-boot-up notification of what has happened and what they need to do to prevent it happening again. Ensure the notification is easily removable.
Just like anything else left out of control, the police are entitled to enter and seek to deactivate the out-of-control entity. The same in this case. Don't shut down the computers; fix them, notify the owners of the fix and provide a warning: "Next time it will be assumed that you are a knowing part of the bot-net and you and your infrastructure will be raided and you will be required to provide proof that you did not willingly participate in this activity or face a fine".
Re: (Score:2, Interesting)
As someone working for an ISP who has been trying to get these people to clean their PCs, if 500,000 are cut off from the Internet, that is 500,000 calls to their ISP to "fix" it. That's somewhere between $1,000,000 - $1,500,000 in support calls.
Re: (Score:1)
As someone working for an ISP who has been trying to get these people to clean their PCs, if 500,000 are cut off from the Internet, that is 500,000 calls to their ISP to "fix" it. That's somewhere between $1,000,000 - $1,500,000 in support calls.
I agree with this statement. I have been involved in this effort as well. There are two user demographics here: Business; and Consumer. In the consumer space, ISPs have been contacting their infected customers for two months now. I'm told customer remediation rates following notification are hovering around 15% across the Tier 1 and Tier 2 ISPs. So customers are notified, directed to a web portal containing additional information and links to the removal tool, and still only 15% are completing the task. If
Re: (Score:2)
Please, yes. These infected morons are tomorrow's clients and damn I need the cash!
Very odd details (Score:3, Interesting)
btw, you can read this guide to check your dns.
http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf
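The FBI guide linked above amounts to "read the resolver addresses your machine is configured with and compare them against the rogue ranges". The script below is an added example, not the FBI's tool or anything from the thread: it parses the two places those addresses usually live (an `/etc/resolv.conf` file and the `DNS Servers` lines of Windows `ipconfig /all` output) and checks each against a list of CIDR ranges. The ranges in `ROGUE_RANGES` are RFC 5737 documentation-space placeholders, as are the sample configuration texts; an operator would substitute the ranges from the FBI PDF.

```python
import ipaddress
import re

# PLACEHOLDER ranges (RFC 5737 documentation space, constructed for this example).
# Replace with the rogue resolver ranges listed in the FBI guide linked above.
ROGUE_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_resolv_conf(text):
    """Return the nameserver addresses from /etc/resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def parse_ipconfig(text):
    """Return DNS server addresses from Windows `ipconfig /all` output.
    The first address follows 'DNS Servers ... :'; additional servers are
    printed on continuation lines that hold only an address."""
    servers = []
    in_dns_block = False
    for line in text.splitlines():
        if "DNS Servers" in line:
            in_dns_block = True
            servers.extend(IP_RE.findall(line.split(":", 1)[-1]))
        elif in_dns_block and IP_RE.fullmatch(line.strip()):
            servers.append(line.strip())
        else:
            in_dns_block = False
    return servers


def is_rogue(address, ranges=ROGUE_RANGES):
    """True if the resolver address falls inside any listed rogue range."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False  # not a parseable address (e.g. a hostname); cannot be in a range
    return any(ip in net for net in ranges)


def flag_rogue(servers, ranges=ROGUE_RANGES):
    """Return the subset of configured resolvers that look rogue."""
    return [s for s in servers if is_rogue(s, ranges)]


# Constructed sample inputs; the addresses are documentation-space placeholders.
SAMPLE_RESOLV_CONF = """\
# constructed sample resolv.conf
nameserver 192.0.2.53
nameserver 10.0.0.1
"""

SAMPLE_IPCONFIG = """\
   DHCP Server . . . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 198.51.100.7
                                       10.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for label, servers in (("resolv.conf", parse_resolv_conf(SAMPLE_RESOLV_CONF)),
                           ("ipconfig", parse_ipconfig(SAMPLE_IPCONFIG))):
        bad = flag_rogue(servers)
        print(f"{label}: configured {servers} -> rogue: {bad or 'none'}")
```

A resolver address that is not in the rogue ranges is not proof of a clean machine: the trojan also rewrote settings on home routers, so the 10.0.0.1-style gateway address reported here would need to be checked on the router itself.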
Re: (Score:2)
Re: (Score:3)
Kind of hard for a Linux machine to get infected with a Windows trojan. Even if it managed (through Wine) the trojan changes network settings - something totally incompatible between them (so the Wine API would fail, there).
I'm sure there ARE infections that could do the job, but they are not this one.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
There was a person that was infected with Linux Malware through Macromedia Flash. That is why I have disabled that firefox plugin.
https://www.youtube.com/watch?v=94QsgdXnsmU [youtube.com]. Another reason why flash sucks. Sure HTML5 is proprietary, but Totem has a Youtube function and Smplayer can play Youtube videos as well apparently.
Re: (Score:3)
Re: (Score:3)
Option 4 which I guess outs me as a NANOG reader type of guy, is for an ISP or large corporation to BGP advertise the DNS servers specific netblocks as themselves (obviously route filter not to send to their upstreams or they'll get really pissed off) and run their own servers and then implement whatever they want whenever they want.
I don't do the windoze thing either at home or work, so I've been sorta ignoring this, but I think I read it was only 4 little /24s that need to get this treatment.
If you don't
Re: (Score:2)
Re:Very odd details (Score:4, Funny)
Wow, it seems that I'm infected: I get a weird page for http://megaupload.com/ [megaupload.com] !
What OS are we talking about? (Score:2)
Re:What OS are we talking about? (Score:5, Informative)
Lazy, aren't you? Google the Trojan name, and the very first result tells you.
Trojan:W32/DNSChanger [f-secure.com]
That's if the context didn't tell you... Hmm, a Trojan infecting millions of machines to the level of getting courts involved. You really expect that to be Mac or Linux?
Re: (Score:3)
Re: (Score:2)
Consequences (Score:2)
Another example of how the US government is trying to shield people from the consequences of their actions.
Re: (Score:3)
Another example of how the US government is trying to shield people from the consequences of their actions.
Not only that, but... ;) I wonder just where the world is heading? How can an honest cybercriminal earn her/his living nowadays without fear of being extradited to the US? ;)
Re: (Score:2)
Another example of how the US government is trying to shield people from the consequences of their actions.
Is it that, or is it the government trying to shield people from the consequences of other people's actions?
support calls (Score:2)
Maybe they're trying to eliminate terrified support calls "help help help some virus called DHCP is changing my dns servers just like the one I read about on the news help help help"
Why not use the dummy DNS servers? (Score:3, Interesting)
Re: (Score:3)
90% of the idiotic masses are going to call their ISP and scream at some poor script reader in India who probably knows nothing about this.
9% of the idiotic masses are going to call a Fox News call-in program and explain how it's an Indonesian commie plot to eliminate Christianity from America, or some NPR radio show and ramble on about how weed legalization would have prevented this in the first place and it's all Bush's fault anyway.
1% of the idiotic masses are going to call 911 and they are gonna be pissed off
Re:Why not use the dummy DNS servers? (Score:4, Insightful)
Re: (Score:3)
90% of the idiotic masses are going to call their ISP and scream at some poor script reader in India who probably knows nothing about this.
Vs. 99% who would call their ISP if they were suddenly unable to reach Google and Facebook? Seems like a redirect with instructions on what to do about it would generate fewer calls than disconnecting, and any ISP with even the tiniest bit of competence should update their Indian scripts so the Indians can tell the customers what to do.
Also, as far as your 90% goes, shouldn't you be happy if people are cautious and aware enough to be concerned that what they are reading might be a scam and not blindly c
Re: (Score:2)
It's not just some NPR radio show... I believe they call it "Talk of the Nation"...
Re: (Score:1)
Wow, wtf, for real, why doesn't the U.S. *GOVERNMENT*, of all fucking people, places, or things, have a ready supply of information about how to fucking use your computer the real way?
I like your frame of mind. Until there's a page JUST like what you're describing, my opinion of U.S. government employees and officials as just being undereducated slackers who get elected largely because they felt like running for office and knew how to lie and/or look really pretty... now I'm going to see them (and mention t
Forget computers, they're extraditing the perps! (Score:2)
Nice to actually feel good about my government, at least for a few minutes.
Re: (Score:2)
Re:Forget computers, they're extraditing the perps (Score:5, Insightful)
To me, the real story is that the people behind this botnet are getting extradited and, (knock wood), will do jail time in the US.
While I would be happy for the creators to rot in prison, this is also scary. Why should they be extradited to the US? /. commenters get outraged at mention of the megaupload folks being extradited simply because they disagree with the laws that were allegedly being violated. It was the same excuse, that it related to machines in the US. What makes the US so friggin' special for them to be extradited? Is what they did not illegal in Estonia? If not, then should they be prosecuted for actions they took while in a country where it wasn't illegal? If so, then why aren't they being prosecuted in Estonia, where they actually were when they did illegal stuff? If we're in one country doing business with another country over the Internet, or doing something on servers in another country, which country's laws should apply? Which country should get to prosecute?
Meanwhile...I still get a dozen 419 scam emails for every craigslist ad I post. While everyone reading this probably thinks that only an idiot would fall for them, there are clearly people who do. Just because somebody isn't computer literate doesn't make them an idiot, there are real people losing real money, and yet the scammers aren't prosecuted because they're "over there" even though they're scraping craigslist's US based servers, sending email to servers and people in the US, receiving money fraudulently through Western Union, a US based company, from the US.
What kind of precedent do we want? Can we at least be consistent?
Re: (Score:3, Insightful)
"Why should they be extradited to the US?"
Because they damaged US computer systems on US soil.
Re: (Score:2)
Because they damaged US computer systems on US soil.
Awesome. Does that mean other countries can extradite US politicians and businessmen for screwing over companies and in some cases entire countries?
Oh right, what was I thinking... :\
Re: (Score:2)
So after they do their time in the US they're going to be judged in each country where a machine was infected? That's fucking scary!
And if I have a website explaining to people how to use TOR, and it turns out that explaining this is illegal in China or in North Korea, will I be extradited to those countries?
Re: (Score:3)
*dons crazy hat*
If the U.S. wants extradition rights abroad, effectively granting them temporary dominion over foreign citizens, perhaps the very concept of country boundaries should be deemed obsolete. I want a unitary world government, not this so-called New World Order founded on lies, violence and greed.
Further down the Star Trek fantasy, if we didn't have global financial abuses, heck - finances at all - there would be no incentive for black hats to hijack computers and defraud total strangers and thi
Re: (Score:1)
Adding more layers of bullshit to a flawed system does not fix it. Dismantling the system will.
Before you tear your house down you'd better build a new one, or you'll get wet and cold. You have a system in mind that's better than the present one that doesn't involve matter replicators?
Re: (Score:2)
My house is fine as it is. It's my neighbor who's a total dick.
Re: (Score:2)
The individuals in question allegedly damaged networks located on United States soil, and we happen to have an extradition treaty in place with Estonia. Wikipedia lists the following references to US/EST treaties:
Some nations do not have extradition treaties with certain other nations, but this generally makes it rather more difficult for them to get their hands on accused criminals operating from and/or fleei
Re: (Score:2)
Is what they did not illegal in Estonia?
No, it probably is not illegal. Let's see, what country has the most Windows machines? Probably the US is #1 there. So anything that negatively affects Windows machines will have a predominantly bad effect on US computer users.
I wouldn't be surprised if there is a specific (unwritten) law in Estonia that says "If you screw with Americans, hat's off to ya." There certainly is such a law in Romania and Bulgaria.
It may also be the case that in Estonia anything that is done "online" gets a free pass becaus
Shut 'em down (Score:2)
Shut the surrogate control servers down. The main reason people don't take security seriously is there's never any real costs associated with not taking it seriously. Most of the users of the infected machines probably are thinking "Why should I worry about this? My machine's working just fine.". Well, when the control servers shut down and the infected machines can't access the network at all, the users won't be able to keep ignoring the problem. And maybe, just maybe, having to pay the price for complacen
Extradition (Score:1)
What the fuck, another extradition to the US. I wonder if the US would extradite its citizens to Estonia if the Estonian government asked for it.
doesnt make sense (Score:1)
FTA linked
"The government argued that the arrangement would give ISPs and companies time to identify and scrub infected PCs, systems that would otherwise be disconnected from the Internet if the control servers were shut down"
The quickest way to indemnify them is to have them removed from the internet.
computer user: "hey why is this computer not connecting to the internet"
another computer user: "don't know, guess we better get someone that knows something"
someone that knows something: "so this is why...and t
Re: (Score:2)
It seems you've missed the part where they mention infected Fortune 500 and government machines. If all the infectees were average joes like you and I, they would eagerly pull the plug. But big business and their sock-puppet the "government" are special, they must be protected from the shame of having their noses rubbed in their own steaming shit. They can never be called on their mistakes, because you don't want to piss off all those twitchy lobbyists and their dirty money.
Re: (Score:2)
I suspect the reason for the delay request is that some of the computers that remain infected are computers that are important, i.e. if those computers stopped working or stopped being able to connect to the internet, companies would lose money or worse.
Better Call Saul (Score:1)
"Not some mystery benefactor, singular. That would raise too many questions. However... stay with me here... Zombies. I got a guy who knows this guy who knows this Rain Man-type. He lives with his mother in her basement in Belarus. So good luck extraditing his fat Russian ass. Wait. He's a hacker-cracker extraordinaire. This guy can hijack random desktops all around the world, turn 'em into zombies that do his bidding. For instance, he can make it so, 20 or 30,000 little donations come in from all over the
There should be no impact (Score:2)
The only users who should be affected are home users, and it's not going to harm the economy any if John and Sally can't get to Facebook until they pay their local Nerd Herd agent $60 to fix their PC. Hell, it might help the economy because it's going to spur some activity, and result in those machines getting cleaned and patched, which will in turn prevent future frauds and botnets.
As to the F500's, and even the smaller shops down to a hundred or so head count, this should be a non-issue. First they prob
Why do we have to do anything? (Score:1)
Re: (Score:2)
Serving valid DNS data to allow access to sites like virus checkers/removers, and the OS providers (I have a very good idea which one that is), makes it easier for home and small business users to get their computers cleaned up. However, they SHOULD make OTHER sites just go to a page that tells them their computer is infected with a virus that interferes with the computer's ability to locate web sites on the internet. It will be a LONG time getting them all cleaned up otherwise.
What should be done, instead ... (Score:2)
... is track down the owners of these computers and charge them ALL with the misdemeanor aiding and abetting cybercrimes. Let's put the blame where it belongs ... on dumb people who allow their computers to be infected. In this case, since there was no damage by these owners to others, it can be a misdemeanor. But if it did involve damage to others, then it should be a felony charge.
Re: (Score:2)
Maybe little brats like you should read what was written. I said nothing whatsoever about expecting these dumb people to harden their computers. Of course it is almost impossible. I do in fact know that. And that is exactly why I stated what I did. And that is the lesson these dumb people need to learn. They need to learn that their choice of getting a computer that the vendor has not already hardened is what is causing problems not only for them, but also for everyone else. If the buyer side of the
Gov machines too (Score:2)
What the ... ? (Score:2)
The really scary news is the fact these guys are getting extradited.
It's not that they don't deserve great eternal suffering, it's just that this is getting out of control.
Genuine question - when was the last time the US extradited its own citizen?
Would US extradite a person who killed 24 civilians? If not, why (besides blackmails/threats from US govt) are people supposed to extradite people to the US? Will we have US requesting extradition for someone talking bad about their president (sorry - CEO), in 5 y
Re: (Score:2)