FBI To Shut Down DNSChanger Servers Monday -- But Should It Cut Off 300k PCs? 140
nk497 writes "The FBI is set to pull the plug on DNSChanger servers on Monday, leaving as many as 300,000 PCs with the wrong DNS settings, unable to easily connect to websites — although that's a big improvement from the 4m computers that would have been cut off had the authorities pulled the plug when arresting the alleged cybercriminals last year. The date has been pushed back once already to allow people more time to sort out their infected PCs, but experts say it's better to cut off infected machines than leave them be. 'Cutting them off would force them to get ahold of tech support and reveal to them that they've been running a vulnerable machine that's been compromised,' said F-Secure's Sean Sullivan. 'They never learn to patch up the machine, so it's vulnerable to other threats as well. The longer these things sit there, the more time there is for something else to infect.'"
Chances are... (Score:1)
those machines are primarily used to connect to Facebook... so allow me to say:
and nothing of value was lost
About time... (Score:5, Insightful)
They should have cut them off immediately, when there were 4 million PCs connecting to them. How are people supposed to learn?
Re: (Score:1)
No, they should have not resolved any addresses except for those that started with "www." Those address should have pointed to a warning page when accessed by html. That way people would have been warned earlier. That is basically how they allow the detection, i.e. infected machines access one address and uninfected detect others. There isn't really a reason that they can't do it for all html pages. I mean, just cutting them off would break programs that access html anyway.
Re: (Score:1)
The users will call their ISP, and they will figure out very quickly what the problem and pass them off to someone to fix it.
Perhaps one or two people might figure out that computers requite maintenance, just like a car does, and that maybe paying for such maintenance is a good idea.
But I doubt it.
Re: (Score:2)
They could notify them before shutting it down, for example.
Re:About time... (Score:5, Interesting)
Of course the problem is THAT would open up a whole other can of worms.
Millions of people getting some sort of page or pop-up telling them "Warning, your computer is infected, please immediately ... yadda yadda yadda", and then learning through support and/or the news that such warnings that pop up randomly can actually be true. When in reality there is a high chance they even originally GOT their machines infected by cluelessly believing such a warning that an infected page popped up.
Just shutting it down after informing the ISPs that a probably flood of support calls will hit would have been my preferred option.
Re:About time... (Score:4, Funny)
They can sign the message with the FBI key so users can ensure its validity.
Re:About time... (Score:4, Insightful)
Re: (Score:2)
The machines infected can just as well be on a neglected company network. But even if they don't believe the popup the first time, if it pops up before every page they visit most people will realize that the chances of a malicious popup writer owning the whole internet are small.
Re: (Score:2)
Re: (Score:2)
But that also leads to the conclusion that the system is infected.
Re: (Score:2)
You severely overestimate the average consumer.
Re: (Score:2)
Which is why the FBI page should carefully explain to never follow links on pages like this, and instead to contact their ISP for information how to fix their DNS.
Which I suspect is what it did.
Re: (Score:2)
Re: (Score:2)
There are probably a h
Re: (Score:3)
There are probably a handful of sites - Google, MSN, Facebook, etc - that practically all of those people will access. Why not ask those companies to post some information about how to check if you're infected and/or how to fix the infection? It seems like this thing could be fixed pretty easily if you had the biggest sites on the Internet on board.
People don't trust an email from "teh FBI" but they sure as hell trust what comes up on the Google or Facebook home page.
Or is it unthinkable to ask the biggest players on the Internet to be good net citizens and help out a little bit for the good of everybody?
You mean they should do something like what Google and Facebook [theregister.co.uk] are doing?
Re: (Score:2)
Gee, that was fast. I'm glad they liked my suggestion.
Re: (Score:2)
Done, and then the date was pushed back and everyone warned again. The 300K remaining are apparently invulnerable to the armor piercing clue.
I agree that maintaining the redirected DNS for a time and issuing a warning was appropriate, it's just that time is months beyond up now.
Re: (Score:1)
The FBI could be liable. Especially if corporate or government computers became infected and no anti virus package had the definitions for it at the time assuming it started as a 0 day exploit,
Re: (Score:2)
They should have, but then the FBI would not have had unobstructed access to all information flowing through their new DNS servers...
Re: (Score:2)
They never will learn. Well maybe some of them will but most of them just want their computer to run and nothing more. IMHO you can't change the older ones that are in the system because they don't want to learn anything. It's very much like the Matrix (IMHO) but it's true.
Re: (Score:2)
Well, isn't there a way to trick/force all these computers who are affected to go to a website stating: "Yo, you've be hacked and infected. We have taken down the websites, but you are still infected. Do this to get fixed."
Re: (Score:2)
They should have cut them off immediately, when there were 4 million PCs connecting to them. How are people supposed to learn?
By them instead routing 100% of their internet pages to a site telling them they have a virus and how to undo the rogue settings. Then again a malicious browser hijacker telling you to do something shouldn't be trusted but obviously these people are pretty stupid to begin with so it would sort of work.
Re: (Score:2)
Because that trains bad behaviour (obeying instructions to modify system settings in a hijacked browser). If the DNS simply shuts down (or had shut down from the start, as it should have), the user might not have learned good behaviour (by being told why the problem had occurred), but at least would not have learned bad behaviour.
Yes, it should shut them down (Score:5, Insightful)
It's not like this is coming out of the blue. Every one of the owners of those machines has had at least 6 months' warning of the problem. If they haven't done anything before this, they won't do anything about it until their Internet stops working and they have no choice. So stop with the hand-wringing, shut 'em down and let those people suffer the consequences of their own willful stupidity. It's the only way they'll learn.
Re: (Score:3)
6 months warning? Where? I guarantee, if I were to go into work on Monday and say "hey, have you heard about that whole DNSChanger thing?"...2, maybe 3, out of 75 would say yes. And those because they read it here.
Re:Yes, it should shut them down (Score:5, Insightful)
http://www.dcwg.org/ [dcwg.org]
It's been in every antivirus program update since January. It's been covered on every PC-related Web site out there. Facebook has been warning anyone who visits while infected about the problem since early June. It's been the Malicious Software Removal Tool Microsoft sends monthly through Windows Update for months now. The only people who don't know about the problem are the ones who've been willfully refusing to look at anything related to the security of their computers. Well, you can't safely do that. That's been, or should have been, common knowledge for the last 20 years.
Re: (Score:3, Insightful)
Ah, but grandma-joesixpack has been on the internet with Windows for years. She's been burned. She now ignores ALL sorts of warnings because she figures they're more of those damn malware clicks and emails that she sees all the time and must never click.
Are they warning people on the paper bill from the ISP? That's the only thing that's going to do it. On the same page with the payment information -- because there's always advertising shit included that she knows to toss straight to the bin. Worded like "WE
Re: (Score:3)
If grandma-joesixpack is that computer-illiterate, she shouldn't have to be watching out. She should be letting someone more computer-literate set her computer up, including antivirus and automatic updates and all, and when the AV program and Microsoft's MSRT started alerting she should've called said computer-literate helper to fix things.
And why would we assume she's computer-illiterate? My mother knows enough to call for the tech when things get weird, and she's 70 and just got her first computer. My gen
Re: (Score:2)
If she has that little idea about it, she's not going to take action until "the internet is broken". Kill the redirected DNS so she will truly understand that something's wrong and will contact someone who can fix it for her.
Re: (Score:1)
This trojan uses pnp exploit to reset the routers firmware to use the hacked DNS settings.
No amount of AV software nor a new computer hooked into the network can escape this. Logging into the router is out of depth of average users knowledge and expertise and my guess is this and inept corporate IT departments who use unpatched Windows (almost all of them) are the majority of those that are left. So I do not blame these users.
They will have to call their ISP on instructions on how to reset their DNS setting
Re: (Score:2)
Fuck that, yes they should turn off the DNS servers, and there is only one valid reason why they should - the FBI has no duty of care to *any* of these people to keep their Internet running. Turn the servers off, let the Internet break for these people, let them learn the lesson they should be learning.
Re: (Score:1)
Re: (Score:3)
Re: (Score:1)
Re: (Score:2)
Why not set up interstitial pages? (Score:3)
Why not do what every ISP is doing - for every DNS request hitting the server, send them to a page that tells them their PC is infected and how to clean it.
They have to click again in order to get through. Set the TTL of the DNS caching to nil so it happens practically every link - simply bombard them through annoyance?
Oh, and sure it'll break stuff like e-mail and all sorts of other non-HTTP protocols, which is good because they'll hopefully call tech support or something.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
It will train them to believe that "checking your computer for viruses" scam ad the next time they see it.
Re: (Score:2)
Re: (Score:3)
So how do you make a "You're infected with X" page people actually trust?
Don't offer to sell them anything and point this out.
Tell them to contact their local computer support folks but don't make specific recommendations.
Give them a link to a page on the FBI's website and give them an 800-number to call. Give them an extension that they can dial from the FBI's main switchboard as well.
Re: (Score:3)
Don't offer to sell them anything and point this out.
Tell them to contact their local computer support folks but don't make specific recommendations.
Give them a link to a page on the FBI's website and give them an 800-number to call. Give them an extension that they can dial from the FBI's main switchboard as well.
When something like this happens most peoples machines who had been compromised were compromised as a result of a user taking an action most of us would sigh and laugh at.
They did not have the awareness to keep from being suckered or con'd or whatever so what makes you think they will have the awareness to parse the difference between the FBI doing it and a real attacker?
It simply does not work to try and push the official message thing it only makes things worse because now the phishers are able to leverag
Re: (Score:2)
The 1-800 number is still a reference an attacker may control. They may even decide to sucker a few people into calling the "FBI switchboard" in order to rack up service charges on their phone bill.
How do they take control of the phone books?
Personally I think a central method of verifying government actors and actions as legitimate in the sense it was not something made up by an imposter would have a lot of value outside this specific issue.
But if you're rootkitted then you can't trust the computer anyway.
Re: (Score:2)
Those infected are more likely to trust whatever passes their eyes so it will probably work.
Re: (Score:2)
Re:Why not set up interstitial pages? (Score:4, Informative)
Re: (Score:2)
Re:Why not set up interstitial pages? (Score:4, Interesting)
Why not do what every ISP is doing - for every DNS request hitting the server, send them to a page that tells them their PC is infected
The list of hijacked DNS servers is well known in the biz, so I've heard at least some ISPs have been null routing the DNS server addresses as call queues and customer service staffing permits. Perhaps every day one pop or one CMTS or whatever it is DSL headend gear is called, or one entire city, gets null routes for those specific hijacked DNS /32s.
It ends up being about the same result in the end, except that you can control your call volume in a extremely fine grained manner, or at least more fine grained than the fake DNS server solution.
Obviously you lose your fine-grained gradual deployment if you redistribute those /32 routes into your site wide BGP route reflector. I wonder how many jokers have leaked those /32s onto the internet by trying to do this.
The guys who know what they're doing are all done now... The folks who haven't started are going to epic fail no matter what you do, so the FBI may as well just yank those AC cords and be done with it.
Re: (Score:3)
Redirect all their queries to a page with Goatse and an admonishment to clean their computers.
Re: (Score:2)
Something like this would be possible. Don't redirect everything, just a few key sites like facebook and google. Google and facebook would need to have certain IPs setup to direct you to a warning page. Probably complicated though, given the layers of DNS lookups you go through and Akamai providing the back end, etc.
Also, the ISP can easily determine which clients are infected and send them an email. I would think doing so would be in their best interest to avoid the calls to their helpdesk when things
Are they stupid??? why not redirect? (Score:1)
Send all the hosts to a website saying hey guess what you've been compromised. blah blah blah to fix. We used to do this to customers back in the old dialup dayz
-Thorne
Re: (Score:2)
They could have sold advertising space on that page to Microsoft. Or Apple. "Fix that PC now! Upgrade to ...."
The FBI would have been fully funded for the next decade.
Re: (Score:2)
We don't want to teach users that if they open a webpage which claims the computer is compromised and tells them what to do, that they should obey. That's how a lot of malware gets installed in the first place.
Re: (Score:2)
Send all the hosts to a website saying hey guess what you've been compromised. blah blah blah to fix. We used to do this to customers back in the old dialup dayz
This is every phishers in the world wet dream.
Sooner the Better (Score:2)
When citizens start learning that they can't expect the DNS system to just allow them to continue to be a part of a BOT because they don't care because they are thrown off the Internet, the sooner they will learn to take responsibility for their own equipment one way or another.
YES! Turn them Off (Score:1)
About Time.... Then the people will know they have a problem.. right now, they think everything is fine.
More to the story? (Score:5, Interesting)
I wonder if the real reason they kept this on life support for so long was to enjoy 6+ months of DNS queries for 4mil-300 thousand users?
Seems like an excellent opportunity to gather a large amount of intelligence without any messy subpoenas or warrants.
Re: (Score:2)
What is it that you imagine they could learn that way?
Re: (Score:1)
What can you learn by resolving every single dns query from someone using an internet connected machine?
Quite a bit.
Imagine the scary amount of information Google knows about people who use their service. Especially combined with the fact that almost every site out there now uses Google Analytics and/or Google Advertisements.
I realize it sounds very tin foil but intercepting all DNS queries can give you a pretty good fingerprint of a user.
If you run a botnet... (Score:2)
If you run a botnet, better check any of your zombies for this and fix them quickly. Otherwise they might get attention from a PC tech who'll remove your code as well.
(Isn't this the likely result from delays?)
Cleaning infected computers may not be enough/ (Score:5, Informative)
Pull the Plug; Go Catch Crooks (Score:5, Insightful)
For months, the FBI has been, essentially, providing DNS service for lots of people who didn't even know their machine had been compromised. This is the FBI, remember. If the FBI announced it was going to muck around with the DNS of millions of people, the Usual Suspects here would be ranting about the Evil Of It All.
Most of those 300,000 remaining victims will likely never fix anything. They're only been on the internet for these last several months thanks to the FBI, and they don't even know it.
Pull the plug and go catch some crooks.
Re: (Score:2)
Don't be silly. Random DNS records? Sure.
Mostly corporate PCs left (Score:1)
My guess is all the corporate phbs bigwigs who love to still use XP/IE 6 with no updates because it is cheaper to have IT just put out fires to help boast the share price are the ones in for a surprise.
With Symantec endpoint I am sure it would be detected ... yeah right
Where is the fix (Score:1)
YES (Score:2)
If these machines are attempting infect others, sending spam, and doing all the other malicious botnet type activity they no doubt are being used for, or could be used for then cut them off.
Leaving them working, but infected because the user is too ignorant to fix the problem (which has been present for well over a year now) is a liability.
It matters for the underserved internet community (Score:3, Informative)
It really does matter for the underserved internet community who rely on affordable and sometimes outdated DSL modems for their access to the internet in rural areas. Many of these DSL modems have been infected by a scary variant of the DNSChanger Zlob trojan that actually changes the DSL modem's DNS settings and changes the DSL modem's password to an unguessable value. The most detrimental effect of this infection is a virtually irreversible firmware change in an unknown but probably high number of DSL modems worldwide which are permanently affixed to the rogue DNS servers, now siezed and run by the FBI as clean, boring caching DNS servers. They will be shut down July 9 because the FBI doesn't want to be an ISP, which has the effect of cutting off an unknown number of people from the internet.
It's not a small problem. It's a big problem. The cost of help desk calls alone will be devastating to the disadvantaged and underserved internet community, i.e., rural America, who may be using the affected DSL modems infected by this Zlob trojan variant.
The most important note you must realize about this problem is that DNSChanger actually changed the DNS servers on the DSL modem. Just in case you don't realize this: the DSL modem provides the DNS server info to the computer in the home. While the computer may no longer be infected, the DSL modem is configured to use the DNSChanger rogue DNS servers which the FBI siezed and will shut down on July 9.
It's a really big deal and we should treat it like that.
You can check more out here: http://www.dns-ok.us/ [dns-ok.us]
Re: (Score:2)
I'm not seeing how this is devastating to rural America. This generates a service call. The ISP either gets an up-sell opportunity or they bill for the fix. The rural person making the call either gets a free fix or the pay $50 for service. The whole thing works about to (using the 4m number) at most 4mx$50 = $200m in costs. That's about a 1/2% of annual cable revenues in the US. Where is the devastation?
Re: (Score:2)
They won't bill for the fix and they won't try to up-sell. The real worry is the fact that modems will need to be replaced. I didn't make it clear in my original post that the DSL modem variant of the DNSChanger Zlob trojan really does brick the DSL modem once the FBI shuts the servers off. That costs a lot of money in labor and equipment.
Perhaps I also wasn't clear that these people don't have a lot of money to begin with.
Re: (Score:2)
I took it that they would need to be flashed potentially. I figured a mass purchase of DSL modems are like $20 each. I had room for some level of service in my $50, estimate per head. The number might be too low, but where poverty is rampant labor is cheap. If my $50 is off and it should be $75 I would agree that rural DSL customers aren't likely to have lots of extra money.
Almost all the country at this point has Broadband. The FCC has been taxing to make availability happen. Looking at the current
Re: (Score:2)
One of the reports we were given has stated that the DSL modem variant of the DNSChanger Zlob trojan actually updates the firmware and it will effectively brick the modem when the FBI shuts its servers down.
Re: (Score:2)
That's completely irrelevant. The point is that the ISP needs to spend money to resolve this and in some cases spend a LOT of money to resolve it.
This is America (Score:2)
Security by ignorance (Score:2)
Rather than people infected with shit knowing there is a problem and getting help before they get even more owned the FBI activly acted to cover up the problem by continuing to run the DNS service leaving users to remain clueless.
God knows I hate lawsuits yet on some level it would be awesome if someone filed one against the FBI anyway even if it had no chance of succeeding. It just might make them think twice before they decide to repeat this stunt.
Why is it always web web web? (Score:2)
1. Yes they should shut it down.
2. The should have a stockpile of dunce caps ready to mail to people who, despite having had months of warning, never bothered to even check if they were infected. There have been a myriad of public warnings about this, and instructions/tools on how to check. I am a reasonably advanced tech person, and even I checked my machines because I am not so proud as to believe I am flawless.
3. For everyone talking about web sites... This is not just web sites. Everything you do on t
This isn't what it seems... (Score:2)
There are a few Private DNS systems that live outside the 'official' DNS system that allow people to find what they want regardless of a domain being 'seized'. If they don't control the DNS system they can't remove widescale access to specific domain without actually getting to the physical server.
What I expect is going on is the FBI is going to kill access to these private DNS systems, or, they are engaging a global DNS logging system, or both.
Private DNS systems may be blocked for a short time until a way
Re: (Score:2)
This. Also, there will be quite a few legit issues masked by this problem and tech support will just tell them "fix your DNS -click-" when in reality the issue could be on the ISPs end.
Agree (Score:2)
Re:Agree (Score:5, Interesting)
In fact, if I recall correctly, the major variants of DNS changer pop up windows saying you need to install X malware that pretends to fix problems.
Re: (Score:2)
"you have been infected, please call your service provider for assistance"
Re:Agree (Score:4, Insightful)
Sadly, aside from a few local places, most of the "big chain" tech support people are extortionists and by the time "Geek Squad" is done "fixing" your computer, you could already upgrade to a newer machine (which is what they want) where the salesmen will use lies and manipulations. Of course, Geek Squad and Best Buy's salesmen are good for the humor value, I asked one of them what the clock speed of one computer was and he said "Eastern standard time of course"...
Re: (Score:1)
Sure, but how many ISPs really have the resources to fix this problem? After all, an ISP deals with the network side of things, not fixing viruses. If the ISP's DNS server is down, you call your ISP. If the ISP cut a fiber optic cable and your internet is down, you call your ISP. If your HDD is broken, you don't call your ISP. If you get a virus, you don't call your ISP. Etc.
Sadly, aside from a few local places, most of the "big chain" tech support people are extortionists and by the time "Geek Squad" is done "fixing" your computer, you could already upgrade to a newer machine (which is what they want) where the salesmen will use lies and manipulations. Of course, Geek Squad and Best Buy's salesmen are good for the humor value, I asked one of them what the clock speed of one computer was and he said "Eastern standard time of course"...
The problem is once your machine becomes infected it uses a plugnplay exploit to reset your routers DNS settings. So it is now the ISPs problem as even if you clean or even buy a new pc you will be cut off and Joe Sixpack doesn't know what a DNS is. All he knows is his internets stop working and since he got a new computer it is therefore the ISPs fault.
Re: (Score:2)
well, that line blurs when the isp has figured that a way to make extra money is to hard sell a branded av subscription along with the internet subscription...
Re: (Score:1)
Re: (Score:2)
Most users are stupid and will click okay to anything. They should have redirected to a page with an applet, activex, or some other bit of code that the user will blindly click okay to run that will change their DNS settings to OpenDNS or google's public DNS servers.
Re: (Score:3)
Re: (Score:2)
Re:The right thing to do... (Score:5, Funny)
Clearly, then, they should redirect everyone to MyCleanPC ;)
Re:Minor question. . . . (Score:5, Informative)
The FBI didn't change any settings. The malware did that, it alters the infected computer's DNS settings to use a set of servers run by the malware authors. What the FBI did was take over those servers and replace the malicious software running on them with software that does normal DNS so infected computers were no longer being redirected to the malware author's sites. And now the FBI's looking at shutting down the servers entirely, which would leave the infected computers with no DNS servers at all.
Re: (Score:2)
Re: (Score:2)
The "rightful owners" were the malware authors who were infecting PCs and running the botnet. The FBI got the authority when they charged those authors and got a warrant to seize the servers.
Re: (Score:2)
Yeah! I have the same problem with the DEA! I mean, sure, they can arrest people for possession of drugs, but what gave them the authority to just _keep_ my drugs?
Wait, I forgot, I'm not an idiot who doesn't understand that, yes, the government will seize property that is actually part of a crime.
(As for the 'outside the US thing'...um, the FBI presumably worked with whatever country that was. Duh. Armed FBI agents don't just randomly break down doors and arrest people in other countries.)
Re: (Score:1)
I'm giving a fair warning now: You may want to put your guard up while you still can. The government is taking d
Re: (Score:2)
Congress has pretty broad authority over just about any communications related activities that occur on US shores. The FBI doesn't have to sneak congressional rule in. They have it. The FBI doesn't have to push for the authority to shutdown YouTube. Google, who owns YouTube is a US company, they just need to hand them a takedown order if Congress or the courts wanted it down.
Re: (Score:1)
Re: (Score:2)
4,8,9?
4 doesn't apply to public information presented openly. If they don't have to search....
8 doesn't apply to a take down, that's neither cruel not unusual it is SOP for illegal content
9 would apply if the Congress did something like required all websites to get prior approval for all changes or additions, maybe.
Re: (Score:2)
I don't think you know what 9 means. 9 prohibits the government from creating negative laws. Something like "everything on the internet is illegal unless specifically authorized" would be illegal under 9. 9 does not prohibit the government from creating black letter law about anything they want. Other parts of the constitution might but 9 does not.
Seizure of property as part of an arrest, is standard and has been. People suspected of shootings get their guns taken. People suspected of drug dealing ha
Re: (Score:2)
Let me just point out a few George Washington quotes:
It may be laid down as a primary position, and the basis of our system, that every Citizen who enjoys the protection of a Free Government, owes not only a proportion of his property, but even of his personal services to the defense of it.
Laws made by common consent must not be trampled on by individuals.
The basis of our political system is the right of the people to make and to alter their constitutions of government.
I would suggest that you are reading f