Disconnection of Millions of DNSChanger-Infected PCs Delayed

tsu doh nimh writes "Millions of computers infected with the stealthy and tenacious DNSChanger Trojan may be spared a planned disconnection from the Internet early next month if a New York court approves a new request by the U.S. government. Meanwhile, six men accused of managing and profiting from the huge collection of hacked PCs are expected to soon be extradited from their native Estonia to face charges in the United States."

Hype

Just a bunch of hype. The Internet will not blow up if the US Federal Governement doesn't save us from the trojan.

Re:Hype

[gnick]

Save us from the Trojan? I thought using a Trojan helped prevent the spread of viruses...

Re:Hype

[sidthegeek]

This is Slashdot. No one here needs to worry about that kind of thing...

Re:Hype

[K.+S.+Kyosuke]

Save us from the Trojan? I thought using a Trojan helped prevent the spread of viruses...

If you think that about the Trojans, then obviously, computers are all Greek to you.

Meh

I really don't see the big deal, I mean I

Re:Meh

[camperdave]

I really don't see the big deal, I mean I

A part of me misses the days of the #*&^a No carrier.

Let it happen

[jdastrup]

Allowing the infected computers to fail is probably best. They'll stop working, then get replaced or cleaned up. How is that bad?

Re:Let it happen

Why would we want infected computers to exist on the Internet anyway? The excuse that they create jobs, in cleaning them up, is not a strong one, since by that same logic you could also make work by smashing them.

If they could be disconnected in stages, so centralized support outlets are not overwhelmed, that might be a more graceful letdown for the infected owners.

Re:Let it happen

[na1led]

It's a good test to see how secure your systems really are. If your PC's are infected, then it's time to recheck your security.

Re:Let it happen

[bigbangnet]

Probably because cash is involved. I guess if you cut those computers off the Internet it would cost more. That's probably the reason they wont cut them off.

Re:Let it happen

[vlm]

Allowing the infected computers to fail is probably best. They'll stop working, then get replaced or cleaned up. How is that bad?

Maybe the US govt doesn't want them to be cleaned up because the us govt is involved in them, somehow.

Note I'm not completely tinfoil hat here. I'm not suggesting that the govt wrote the virus or infected the computers. I'm merely suggesting this MIGHT be something like the syphilis experiments done on minorities decades ago... leave them infected, watch carefully, see what happens... Obviously a packet sniffer on the incoming DNS traffic tells you how many there are, you can generate all kinds of interesting graphs and studies and reports... You also have at least one pretty strong data point on security update habits, because they were not updated when infected. I would imagine some interesting data is being generated that would be eliminated if the "experiment" were terminated early.

Re:Let it happen

[jdastrup]

How is much cash involved when someone home PC stops working? I can see if businesses are impacted, but I think their numbers about "half of Fortune 500 companies" is a bunch of bull - maybe they have a few that are infected, but nothing business crippling. I think it's more of the fear of the uninformed, as well as the USGov wants to pretend to be the Saviors of the Internet, which gets all sort of support in the future to regulate and tax the Internet. "If it wasn't for us, you wouldn't have an Internet. You need us. Now pay your taxes like a good citizen if you want the Internet to work"

Re:Let it happen

[jbov]

If the two items in bold below were not true, then they would shut down the DNS servers immediately.

FTFA:

Earlier this month [...] The company said more than 3 million systems worldwide — 500,000 in the United States — remain infected with the Trojan, and that at least one instance of the Trojan was still running on computers at 50 percent of Fortune 500 firms and half of all U.S. government agencies.

Gotta keep everything running for the good ol' boys.

Re:Let it happen

[X0563511]

Maybe the US govt doesn't want them to be cleaned up because the us govt is involved in them, somehow.

That would work if the alternative wasn't said government disconnecting them.

Re:Let it happen

[tiberus]

I can sort of see some merit (from a it's gonna cost me money perspective) to let companies and the government have a brief period, like a month not months, to do some clean up. There are a lot of factors to consider; e.g. it would be devastating to a company to suddenly lose 1/2 of their systems (I think we'd call that a disaster recovery scenario). Giving them an extension seems a bit silly though.

Re:Let it happen

I am behind this100%

Pull the plug and replace all the computers that stop working. All of these machines could have other security holes. Because the DNS is still working, many people may not know they were infected.

The only other thing I may suggest is to redirect all DNS queries to a page that says:

  The US government has identified this computer as a security risk. We recommend that you rebuild this computer. You are seeing this message because we shutdown the group controlling your computer.

Re:Let it happen

[vlm]

Hooray for /. binary thinking.

You don't "leave it on forever"/"shut it down forever". You turn it off from 0900 to 0901 today. Then 0900 to 0902 tomorrow. Then 0900 to 0903 the next day. Worst case scenario this BS is over in a mere 1440 days or about 4 years. Some people might freak out and fix it the first day, some people might not notice for a couple months, but eventually they'll all deal with it in their own way.

Re:Let it happen

As someone working for an ISP who has been tring to get these people to clean their PCs, if 500,000 are cut off from the Internet, that is 500,000 calls to their ISP to "fix" it. Thats somewhere between $1,000,000 - $1,500,000 in support calls.

Re:Let it happen

[Frank+T.+Lofaro+Jr.]

The US government has identified this computer as a security risk. We recommend that you rebuild this computer. You are seeing this message because we shutdown the group controlling your computer.

Most people wouldn't believe it. They'd call Microsoft and when they find it still exists, they'd say the message was a lie - since most people think Microsoft controls their computer and the Internet.

LOL.

Re:Let it happen

[Frank+T.+Lofaro+Jr.]

What if it's Air Traffic Control?

Lots of planes could crash in a minute.

Re:Let it happen

[AK+Marc]

http://en.wikipedia.org/wiki/Tuskegee_syphilis_experiment

And never, ever, look up diseases on Wikipedia. Too many good pictures of icky stuff.

Re:Let it happen

[K.+S.+Kyosuke]

If the two items in bold below were not true, then they would shut down the DNS servers immediately.

FTFA:

Earlier this month [...] The company said more than 3 million systems worldwide — 500,000 in the United States — remain infected with the Trojan, and that at least one instance of the Trojan was still running on computers at 50 percent of Fortune 500 firms and half of all U.S. government agencies.

Gotta keep everything running for the good ol' boys.

Sounds like a good reason to hack those DNS servers and remove the hacked computers from the network ourselves, doesn't it? Two birds with one stone...

Re:Let it happen

[izomiac]

If such critical systems are compromised then it's better for them to go down randomly for a short time for reasons easy to identify than to let them continue running and likely be shut down (or tampered with) maliciously at the worst possible time.

Re:Let it happen

[rossz]

How is much cash involved when someone home PC stops working? I can see if businesses are impacted, but I think their numbers about "half of Fortune 500 companies" is a bunch of bull - maybe they have a few that are infected, but nothing business crippling.

How much does it cost us to allow these infected computers to remain on the internet?

Booting them off the internet is a good idea, but doesn't fix the underlying problem. PEBKAC.

Re:Let it happen

[dissy]

Meh, they might as well just shut the DNS servers down fully.

The type of people who run their computers this way (always infected, never updated, no AV) are used to their computer to just up and stop working all the time.

They will simply go out and purchase a new one to replace the old 'broken' one, which will end up in the trash - and at the very least off the Internet.
Best case they give it away to their "computer guy" buddy, who will wipe it and have a free computer. It's a win-win!

Re:Let it happen

Why the hell would mission critical ATC computers be connected to the internet in the first place? So they can play Warcraft between take-offs and landings?

Re:Let it happen

[Capt.DrumkenBum]

It is good for the economy too. Lots of people running out to buy new computers. Or at least running out to their local computer shop to get things fixed.

Re:Let it happen

[Heretictus]

As someone working for an ISP who has been tring to get these people to clean their PCs, if 500,000 are cut off from the Internet, that is 500,000 calls to their ISP to "fix" it. Thats somewhere between $1,000,000 - $1,500,000 in support calls.

I agree with this statement. I have been involved in this effort as well. There are two user demographics here: Business; and Consumer. In the consumer space, ISPs have been contacting their infected customers for two months now. I'm told customer remediation rates following notification are hovering around 15% across the Tier 1 and Tier 2 ISPs. So customers are notified, directed to a web portal containing additional information and links to the removal tool, and still only 15% are completing the task. If these customers wake up one day and they start getting 404 errors, they will flood the call centers costing the ISPs millions of dollars. I also agree that Fortune 500 companies should have had this cleaned two months ago. No excuses there...

Re:Let it happen

[rtb61]

In this case the solution is simple. Consider the trojaned computers as out of control devices to be used to aid criminal activities. Present the information to the court, with plenty of public notice and seek a warrant to digitally enter those computers, remove the offending software, conduct a minimal repair to lock out the trojan and leave a blatant on boot up notification of what has happened and what they need to do to prevent it happening again. Ensure the notification is easily removable.

Just like anything else left out of control, the police and entitled to enter and seek to deactivate the out of control entity. The same in this case. Don't shut down the computers fix them and notify the owners of the fix and provide a warning, "Next time it will be assumed that you are a knowing part of the bot-net and you and your infrastructure will be raided and you will be required to provide proof that you did not willingly participate in this activity or face a fine".

Re:Let it happen

"Science isn't about why, it's about why not. You ask: why is so much of our science dangerous? I say: why not marry safe science if you love it so much. In fact, why not invent a special safety door that won't hit you in the butt on the way out, because you are fired." -Cave Johnson

Re:Let it happen

[poena.dare]

Please, yes. These infected moroons are tomorrow's clients and damn I need the cash!

Re:Let it happen

[garyebickford]

The excuse that they create jobs, in cleaning them up, is not a strong one, since by that same logic you could also make work by smashing them.

Yes, this is the Broken Window Fallacy.
To quote:

The parable, also known as the broken window fallacy or glazier's fallacy, demonstrates how opportunity costs, as well as the law of unintended consequences, affect economic activity in ways that are "unseen" or ignored.

Re:Let it happen

Pull the plug and replace computers? That'd be so ridiculously stupid. These viruses infect a PC by exploiting a particular piece of software the targets have in common. If a high volume of computers are being infected then there is definitely some widely used application (version) which is common among all of them. What makes it even more stupid is that you can just pop in a CD/DVD these days, reformat, and reinstall the OS with less technical skill than it requires to navigate facebook.

Re:Let it happen

sorry, the data isc has put out on this has been pretty transparent, and there actually are people being extradited...in your scenario, you have a lot of coverup and for very little gain, in the grand scheme of it.

besides, they use facebook, google, and can read your email already, why bother with 'leave them infected?' *class is looking at you like you just just woke yourself up by sleep talking.

oh, and 'tells you how many there are'...or use them as your personal botnet, pwn the machines, and hijack all the sessions you like, keylogger, the works...or you could count how many there are, sure...

Re:Let it happen

I happen to work at one of those US government agencies.

When one of our folks looked into it, they were people on our various guest networks. Not government computers, just computers on a network provided as a courtesy to visitors.

Re:Let it happen

A brief history of this incident: trojan was released that redirects a PC's DNS traffic to a malicious DNS. The US took down the malicious servers and, to be nice, put up a responsible DNS in its place. For the US to do that, they got a court order, which expires March 8.

The upcoming "planned disconnection" is really just letting the replacement DNS go offline and all the PC owners' network access break. I can imagine ways the US could abuse its status as a DNS middleman, but there's no suggestion of that abuse here.

Very odd details

[bigbangnet]

this is a very odd story. Why would the FBI request to change DNS for millions of PC's when all they have to do is switch the DNS server off. But no, they decided to get a court order allowing them to replace the rogue DNS servers with legitimate stand-ins so that all the infected computers wouldn't get cut off without warning, giving them time to get the word out.

btw, you can read this guide to check your dns.

http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf

Re:Very odd details

[dyingtolive]

I notice there's no directions for those running Linux...

Re:Very odd details

I don't know why but I hope it's not possible to infect a linux machine with this dnschanger. I've been running linux on my pc for a couple of months now so i'm still a noob and all I can say is its pretty complicated, it's not simple. Some tasks are done in multiple steps manually so I guess those virus codes won't work in linux anyways. I also know that linux is built in a multi user environment. This means if your user is asking to change some system settings, you gotta have permission; no permission, you don't pass. Windows is built differently, very easy to use even under the hood and is not built in a security environment like linux is. Recent versions of Windows is getting there but as you all know, it's creating some hassle for users for good reasons unfortunately.

Re:Very odd details

[Zocalo]

They've been trying to get the word out. OK, that word has looked very much like a phish, but it has gone out. The issue has also been discussed in many of the kind of places where people in a position to do something about the problem hang out such as Ars, NANOG, Slashdot, and so on. At this point, if a PC has not been reconfigured then I'd say that the chances are that it won't be until it gets replaced or rebuilt, so there are three options:

1. Pull the plug, cutting off those who are infected. My preferred option since this will have the biggest LART effect, especially in the corporate and ISP environments where the impact (pun intended) is likely to be much greater.
2. Reconfigure the infected PC's DNS. Not a good option, IMHO, since there is a chance things may go wrong and if it does work then the users / IT departments remain ignorant about the infection - no lessons learnt at all.
3. Run the substitute DNS servers until such time as the impact is reduced to some arbitrary "acceptable" level, then do #1 or #2.

Re:Very odd details

[X0563511]

Kind of hard for a Linux machine to get infected with a Windows trojan. Even if it managed (through Wine) the trojan changes network settings - something totally incompatible between them (so the Wine API would fail, there).

I'm sure there ARE infections that could do the job, but they are not this one.

Re:Very odd details

[dyingtolive]

Well, it mentioned OS X instructions so I didn't know what to think. Upon looking at it a second time around, I see the instructions offhandedly mentions affecting SOHO Routers, so maybe that's why the Apple instructions are there, but if that's the case, I think my previous observation still stands.

Re:Very odd details

I'm all for pulling the plug. If the machines were just doing damage to the owner, who cares. However, infected botnet clients are a threat to everyone on the Net (DDoS, spamming, C&C, etc.) So, if the axe falls that cuts them off from the Internet, so much the better.

The car example would be the overloaded dump truck spraying gravel and smashing windshields on the highway.

Re:Very odd details

[vlm]

Option 4 which I guess outs me as a NANOG reader type of guy, is for an ISP or large corporation to BGP advertise the DNS servers specific netblocks as themselves (obviously route filter not to send to their upstreams or they'll get really pissed off) and run their own servers and then implement whatever they want whenever they want.

I don't do the windoze thing either at home or work, so I've been sorta ignoring this, but I think I read it was only 4 little /24s that need to get this treatment.

If you don't wanna run your own fake servers (well, technically they're just as real as the FBI ones...) then you just block those 4 /24s in your firewall, perhaps temporarily, and "see what happens". Email goes out "if your internet was down from 1030 to 1100 today, please open a ticket with IT" etc.

Or your organization simply packet sniffs all traffic to the rogue server addresses and you follow up as appropriate. Obviously you sniff on the inside of the firewall, not outside, duh. This assumes you organization documents any of that internal stuff in a useful manner.

Re:Very odd details

this is a very odd story. Why would the FBI request to change DNS for millions of PC's when all they have to do is switch the DNS server off. But no, they decided to get a court order allowing them to replace the rogue DNS servers with legitimate stand-ins so that all the infected computers wouldn't get cut off without warning, giving them time to get the word out.

Because maybe, just maybe, they're not always the bad guys? Yes, law enforcement has a poor record on civil liberties, privacy rights, and property rights. But that doesn't mean they're incapable of doing the least-disruptive thing. Owners of machines infected with this trojan are already victims of a crime, and it's to FBI's credit that it is working very hard not to add further harm to those victims. (e.g. the canonical case of a business-critical machine that, despite being infected, is still capable of implementing that business's needs, but, if shut off, would seriously impact that business. Yes, the business's IT staff is incompetent, but that's not a justifiable reason for the FBI to add actually injury to professional insult.)

Re:Very odd details

[AK+Marc]

And a technically incompetent "solution" that causes all people with any knowledge to question the motives. If they wanted to "get the word out" they could replace the DNS server with one of their own that only served an IP that was for a warning page for all queries. Everything the person tried to go to would be an 800 number for technical support and a description of the problem and reason they are getting that page. And yes, I get the irony of a government page interrupting browsing with a "you are infected, click here for a free scan" page.

Re:Very odd details

[eulernet]

Wow, it seems that I'm infected: I get a weird page for http://megaupload.com/ !

Re:Very odd details

[jesseck]

I'm not sure I understand your point... your Linux system can be infected in a similar manner- /etc/hosts functions the same as c:\windows\system32\drivers\etc\hosts. The DNSChanger Trojan targets Windows, though. Windows also asks permission before you perform administrative tasks, just like Linux- but many Windows users are already an Administrator, so they are not asked to log in again. It would be similar to you using "root" as your Linux login (no need to "su" to install). You can edit /etc/hosts with a text editor as root and redirect your system to these rogue DNS servers if you want.

Re:Very odd details

[Lehk228]

there are similarities, but on windows it's still common for software to fail if not running as administrator, OTOH linux is more likely to have problems with software failing to run if you are running as root

Re:Very odd details

[bejiitas_wrath]

There was a person that was infected with Linux Malware through Macromedia Flash. That is why I have disabled that firefox plugin.

https://www.youtube.com/watch?v=94QsgdXnsmU. Another reason why flash sucks. Sure HTML5 is proprietary, but Totem has a Youtube function and Smplayer can play Youtube videos as well apparently.

Re:Very odd details

I don't know what you mean since you pointed out the biggest concept of security between Windows and Linux. Most users in Windows will already use admin account. Theres more chance for a hacker to to succeed with a virus compared to Linux. In Linux, if you use su to gain admin priviledge, it works with one session thats all. Even this is secure because you need the root password to get access and that su is good for 1 session only. Good luck with that. There's also the point that in Linux, your not an idiot, this means that security even for the user is increase because of su and other security features. If your not the admin, you can't modify the host file and other important system settings. You need to be the admin to do that.

What OS are we talking about?

[hcs_$reboot]

Does the problem apply to Mac OS or Linux? Please be specific.

Re:What OS are we talking about?

[X0563511]

Lazy, aren't you? Google the Trojan name, and the very first result tells you.
Trojan:W32/DNSChanger

That's if the context didn't tell you... Hmm, a Trojan infecting millions of machines to the level of getting courts involved. You really expect that to be Mac or Linux?

Re:What OS are we talking about?

[similar_name]

Don't forget to Google OSX.RSPlug.A, OSX/Puper, and OSX/Jahlav-C

Re:What OS are we talking about?

Does the problem apply to Mac OS or Linux? Please be specific.

*massive, almost painful eyeroll*

It only applies to PDP/10s being run through emulators on Amigas, smartass.

Re:What OS are we talking about?

[hcs_$reboot]

Well, maybe it was not that funny after all.

Re:What OS are we talking about?

Ohhhh shit !!!!

Consequences

[Gothmolly]

Another example of how the US government is trying to shield people from the consequences of their actions.

Re:Consequences

[c0lo]

Another example of how the US government is trying to shield people from the consequences of their actions.

Not only that, but... ;) I wonder just where the world is heading? How can a honest cybercriminal earn nowadays her/his living without fear of being extradited in US? ;)

Re:Consequences

[sorak]

Another example of how the US government is trying to shield people from the consequences of their actions.

Is it that, or is it the government trying to shield people from the consequences of other people's actions?

support calls

[vlm]

Maybe they're trying to eliminate terrified support calls "help help help some virus called DHCP is changing my dns servers just like the one I read about on the news help help help"

Why not use the dummy DNS servers?

[rwhamann]

Why not use the dummy DNS servers to redirect users still attached to them to an informational website that tells them how to unfuck themselves? Make it a clearly labelled site with a very simple, obviously .gov URL so people trust it? If my ISP can pop up a frame telling me I'm approaching the bandwidth cap, why can't the FBI?

Re:Why not use the dummy DNS servers?

[vlm]

90% of the idiotic masses are going to call their ISP and scream at some poor script reader in India who probably knows nothing about this.
9% of the idiotic masses are going to call a fox news call in program and explain how its an indonesian commie plot to eliminate christianity from america, or some NPR radio show and ramble on about weed legalization would have prevented this in the first place and its all Bushes fault anyway.
1% of the idiotic masses are going to call 911 and they are gonna be pissed off

I'm guessing anyone smart enough to fix their box probably already has, so all you're going to get is hyper-flakey responses.

Re:Why not use the dummy DNS servers?

[CanHasDIY]

Don't forget the .000001% who will flame the rest of society in online forums for not being as omniscient and infallible as they believe themselves to be.

Re:Why not use the dummy DNS servers?

1% of the idiotic masses are going to call 911 and they are gonna be pissed off

Or drunk.

Re:Why not use the dummy DNS servers?

[NoKaOi]

90% of the idiotic masses are going to call their ISP and scream at some poor script reader in India who probably knows nothing about this.

Vs. 99% who would call their ISP if they were suddenly unable to reach Google and Facebook? Seems like a redirect with instructions on what to do about it would generate fewer calls than disconnecting, and any ISP with even the tiniest bit of competence should update their Indian scripts so the Indians can tell the customers what to do.

Also, as far as your 90% goes, shouldn't you be happy if people are cautious and aware enough to be concerned that what they are reading might be a scam and not blindly click things?

Re:Why not use the dummy DNS servers?

[Lifyre]

It's not just some NPR radio show... I believe they call it "Talk of the Nation"...

Re:Why not use the dummy DNS servers?

[eyenot]

Wow, wtf, for real, why doesn't the U.S. *GOVERNMENT*, of all fucking people, places, or things, have a ready supply of information about how to fucking use your computer the real way?

I like your frame of mind. Until there's a page JUST like what you're describing, my opinion of U.S. government employees and officials as just being undereducated slackers who get elected largely because they felt like running for office and knew how to lie and/or look really pretty... now I'm going to see them (and mention to them that I see them) as people with Bill Gate's hardened cock wedged firmly into their asshole, pumping and thrusting for every dollar they get from constituents to support their re-election.

Forget computers, they're extraditing the perps!

[GreenTom]

To me, the real story is that the people behind this botnet are getting extradited and, (knock wood), will do jail time in the US. This news made my day. I know this is slashdot, but malware is not going to be fought through any technical solution. Until this kind of activity carries personal risk, the bad guys are going to win.

Nice to actually feel good about my government, at least for a few minutes.

Shut 'em down

[Todd+Knarr]

Shut the surrogate control servers down. The main reason people don't take security seriously is there's never any real costs associated with not taking it seriously. Most of the users of the infected machines probably are thinking "Why should I worry about this? My machine's working just fine.". Well, when the control servers shut down and the infected machines can't access the network at all, the users won't be able to keep ignoring the problem. And maybe, just maybe, having to pay the price for complacency will make them not be quite so complacent in the future.

Re:Forget computers, they're extraditing the perps

Is extradition a requirement for justice to be served ?

Re:Forget computers, they're extraditing the perps

[NoKaOi]

To me, the real story is that the people behind this botnet are getting extradited and, (knock wood), will do jail time in the US.

While I would be happy for the creators to rot in prison, this is also scary. Why should they be extradited to the US? /. commenters get outraged at mention of the megaupload folks being extradited simply because they disagree with the laws that were allegedly violating. It was the same excuse that it related to machines in the US. What makes the US so friggin' special for them to be extradited? Is what they did not illegal in Estonia? If not, then should they be prosecuted for actions they took while in a country where it wasn't illegal? If so, then why aren't they being prosecuted in Estonia, where they actually were when they did illegal stuff? If we're in one country doing business with another country over the Internet, or doing something on servers in another country, which country's laws should apply? Which country should get to prosecute?

Meanwhile...I still get a dozen 419 scam emails for every craigslist ad I post. While everyone reading this probably thinks that only an idiot would fall for them, there are clearly people who do. Just because somebody isn't computer literate doesn't make them an idiot, there are real people losing real money, and yet the scammers aren't prosecuted because they're "over there" even though they're scraping craigslist's US based servers, sending email to servers and people in the US, receiving money fraudulently through Western Union, a US based company, from the US.

What kind of precedent do we want? Can we at least be consistent?

Re:Forget computers, they're extraditing the perps

[CanHasDIY]

Sometimes.

Extradition

What the fuck, another extradition to the US. I wonder if the US would extradite its citizens to Estonia if the Estonian government asked for it.

Re:Extradition

If you hacked into an Estonian server, breaking their laws and ours, why wouldn't you be extradited at their request?

doesnt make sense

[letherial]

FTA linked

"The government argued that the arrangement would give ISPs and companies time to identify and scrub infected PCs, systems that would otherwise be disconnected from the Internet if the control servers were shut down"

The quickest way to indemnify them is to have them removed from the internet.

computer user: "hey why is this computer not connecting to the internet"
another computer user: "dont know, guess we better get someone that knows something"
someone that knows something: "so this is why...and this what you did and this is how we are going to fix it"
computer user "yay im on the internet"

seems a little more simple then the governments solution...

Re:doesnt make sense

[billcopc]

It seems you've missed the part where they mention infected Fortune 500 and government machines. If all the infectees were average joes like you and I, they would eagerly pull the plug. But big business and their sock-puppet the "government" are special, they must be protected from the shame of having their noses rubbed in their own steaming shit. They can never be called on their mistakes, because you don't want to piss off all those twitchy lobbyists and their dirty money.

Re:doesnt make sense

[jonwil]

I suspect the reason for the delay request is that some of the computers that remain infected are computers that are important, i.e. if those computers stopped working or stopped being able to connect to the internet, companies would loose money or worse.

Better Call Saul

[sesshomaru]

"Not some mystery benefactor, singular. That would raise too many questions. However... stay with me here... Zombies. I got a guy who knows this guy who knows this Rain Man-type. He lives with his mother in her basement in Belarus. So good luck extraditing his fat Russian ass. Wait. He's a hacker-cracker extraordinaire. This guy can hijack random desktops all around the world, turn 'em into zombies that do his bidding. For instance, he can make it so, 20 or 30,000 little donations come in from all over the U.S. and Canada. 10, 20, 50 bucks a pop, all paid in-full, nice and neat, untraceable, from the good-hearted people of the world to Mr. Walter H. White, Cancer Saint." -- Saul Goodman, Breaking Bad, Phoenix.

Re:Forget computers, they're extraditing the perps

[couchslug]

"Why should they be extradited to the US?"

Because they damaged US computer systems on US soil.

Re:Forget computers, they're extraditing the perps

While I would be happy for the creators to rot in prison, this is also scary. Why should they be extradited to the US? /. commenters get outraged at mention of the megaupload folks being extradited simply because they disagree with the laws that were allegedly violating. It was the same excuse that it related to machines in the US. What makes the US so friggin' special for them to be extradited? Is what they did not illegal in Estonia? If not, then should they be prosecuted for actions they took while in a country where it wasn't illegal? If so, then why aren't they being prosecuted in Estonia, where they actually were when they did illegal stuff? If we're in one country doing business with another country over the Internet, or doing something on servers in another country, which country's laws should apply? Which country should get to prosecute?

Why so many questions? In theory these people violated laws in both counties and will be punished in both countries. Why shouldn't they? Some of this is in the treaty with Estonia, especially article 2. 419 scammers are prosecuted when caught. What makes you think they aren't?

There should be no impact

[DarkOx]

The only users who should be affected are home home users, and its not going harm the economy any if John and Sally can't get to Facebook until they pay their local Nerd Herd agent $60 to fix their PC. Hell it might help the economy because its going to spur some activity, and result in those machines getting cleaned and patched which will in turn prevent future frauds and botnets.

As to the F500's, and even the smaller down to a hindered or so head count shops. This should be a non issue. First they probably have cleaned things up by now. They probably do have the tools to find and fix compromised systems if someone would just get off their rear ends.

Second if they don't know where the infected boxes are and don't have the minimal logging it would take to find them etc, they do have a firewall which can do NAT. Lets face it if you can't tell if your systems have correct DNS settings you are not running DNSSEC or anything that would cause an issue. A line or two on your firewall device could get added to simply DNAT and thing destine to a DNS port to a trusted server. Oh larger shops might have to add an additional line or two to exempt a system like their own NS server but even so its about 20 min worth of work on a Sunday night for one person, and few staples in the Change control docs Monday morning.

Frankly if your letting DNS out to the big bad internet from your client PCs, you really need to replace the people in your IT Security and Infrastructure groups anyway; they don't know what they are doing.

Why do we have to do anything?

[WillgasM]

From what I've read this doesn't sound any more stealthy or tenacious than any other modern trojans. If you're running up-to-date AV like you should, then you should already know you have an infected computer (and be doing something about it). I don't see why anything out of the ordinary needs to be done. Just shut down the rogue servers. If people didn't know they had a problem before, they will then. How would this be any different from a virus that simply disables your internet connection? I see complaints about the cost to ISPs and tech support that will wind up fielding calls from the clueless plebs, but why would this be handled any different from all the other calls they receive? I realize it means you'll have a busy work week, but such is the price of business.

Re:Why do we have to do anything?

[Skapare]

Serving valid DNS data to allow access to sites like virus checkers/removers, and the OS providers (I have a very good idea which one that is), makes it easier for home and small business users to get their computers cleaned up. However, they SHOULD make OTHER sites just go to a page that tells them their computer is infected with a virus that interferes with the computer's ability to locate web sites on the internet. It will be a LONG time getting them all cleaned up otherwise.

Re:Forget computers, they're extraditing the perps

[philip.paradis]

The individuals in question allegedly damaged networks located on United States soil, and we happen to have an extradition treaty in place with Estonia. Wikipedia lists the following references to US/EST treaties:

• 43 Stat. 1849; TS 703; 7 Bevans 602; 43 LNTS 277
• 49 Stat. 3190; TS 888; 7 Bevans 645; 159 LNTS 149

Some nations do not have extradition treaties with certain other nations, but this generally makes it rather more difficult for them to get their hands on accused criminals operating from and/or fleeing to "unfriendly" jurisdictions. Thus, such treaties are quite popular, and are generally mutual in nature between various nations and regional blocks.

extradition?

isn't a bit silly to extradite people who commited a crime in another country to be charged for crimes here? i mean, c'mon now. it it will be done, i'd have to argue an all or nothing approach to this. (i.e. all violators of u.s. law in a foreign nation or none). also, if it comes to picking and choosing, slippery slopes are slippery.

Re:Forget computers, they're extraditing the perps

[billcopc]

*dons crazy hat*

If the U.S. wants extradition rights abroad, effectively granting them temporary dominion over foreign citizens, perhaps the very concept of country boundaries should be deemed obsolete. I want a unitary world government, not this so-called New World Order founded on lies, violence and greed.

Further down the Star Trek fantasy, if we didn't have global financial abuses, heck - finances at all - there would be no incentive for black hats to hijack computers and defraud total strangers and this whole fiasco would never have happened in the first place.

Adding more layers of bullshit to a flawed system does not fix it. Dismantling the system will.

What should be done, instead ...

[Skapare]

... is track down the owners of these computers and charge them ALL with the misdemeanor aiding and abetting cybercrimes. Let's put the blame where it belongs ... on dumb people who allow their computers to be infected. In this case, since there was no damage by these owners to others, it can be a misdemeanor. But if it did involve damage to others, then it should be a felony charge.

Re:What should be done, instead ...

You probably don't run windows so you don't know what you are talking about, therefore a whining little bitch.

It is almost impossible to harden a windows computer these days. If you want to employ your nazi tactics go after the software vendors who poop this bug ridden crap on us, not the user, you imbecile.

Re:What should be done, instead ...

[Skapare]

Maybe little brats like you should read what was written. I said nothing whatsoever about expecting these dumb people to harden their computers. Of course it is almost impossible. I do in fact know that. And that is exactly why I stated what I did. And that is the lesson these dumb people need to learn. They need to learn that their choice of getting a computer that the vendor has not already hardened is what is causing problems not only for them, but also for everyone else. If the buyer side of the market wanted a hardened computer, the seller side of the market would provide one. We need to be putting intense pressure on the buyer side of the market to do no less. Then vendors like Microsoft would find their market share seriously declining unless they respond to the market demands that need to be happening.

.

It is NOT my role to go after Microsoft. It is not Microsoft that has directly caused me harm. It is the people that choose (way too often just by default) to use weakly coded crapware Microsoft makes that are the problem. These people need to be able to choose between taking the issue up with Microsoft and to their chairman or their chair man and demanding things be fixed ... or got to get another OS.

Re:Forget computers, they're extraditing the perps

"Why should they be extradited to the US?"

Because they damaged US computer systems on US soil.

They didn't infect the computers. The computers' users infected them.

Gov machines too

[flyingfsck]

They cannot stop the servers, because then half of government machines will stop working too...

Re:Forget computers, they're extraditing the perps

[CRC'99]

Because they damaged US computer systems on US soil.

Awesome. Does that mean other countries can extradite US politicians and business men for screwing over companies and in some cases entire countries?

Oh right, what was I thinking... :\

Re:Forget computers, they're extraditing the perps

While I would be happy for the creators to rot in prison, this is also scary. Why should they be extradited to the US? /. commenters get outraged at mention of the megaupload folks being extradited because they disagree with the laws that were allegedly violating.

ftfy. It *is* valid to get outraged when someone is extradited over a law I disagree with. =whoosh=

What the ... ?

[X.25]

The really scary news is the fact these guys are getting extradited.

It's not that they don't deserve great eternal suffering, it's just that this is getting out of control.

Genuine question - when was the last time US has extradited its own citizen?

Would US extradite a person who killed 24 civilians? If not, why (besides blackmails/threats from US govt) are people supposed to extradite people to the US? Will we have US requesting extradition for someone talking bad about their president (sorry - CEO), in 5 years time?

People don't realize what's coming, I am afraid :(

Native Estonia?

The leader of the suspects, Vladimir Tatin, may be a resident of Estonia, but he certainly is not Estonian.
The US Government has preasured Estonia to not extradite non-nationals and to give them residency. Vladimir Tatin is previously sentenced for fraud and has served jail time for that crime.
Noeworthy are also the attacks that Russia has launched against Estonian public institutions, where they have received help from russians living within the Estonian borders, which has been made possible thanks to the same US Government preasures.

Insightful???

Let's try "Because their attack directly affects systems owned and operated by our Fortune 500 and USG Overlords."

unreachable nameserver = internet disconnection?

Complete BS! Please learn the basics of TCP/IP!

Easy to fix for a competent network admin

The link you noted gives one the answer to do it, & as easily as a login script (.cmd file etc.) with .reg file merges to undo those incorrect redirect settings for DNS requests, back to "normal" for those folks' network.

Additionally/After that?

Then, by using registry ACL policies @ Active Directory levels network wide (pretty much just like filesystem ones for NTFS)?

Then, you can assign access to that registry hive key to ONLY the local SYSTEM logon entity and perhaps yourself as a domain level admin (as far as alteration rights on this part) & users only being 'read only' (UAC will do the rest).

APK

P.S.=> It's just an idea, but one that would probably "nullify" this malware (along with removing ANY & ALL traces of its working parts in executables etc./et al, also, of course)... Personally, I am surprised this hasn't BEEN done already, actually, in regards to this particular infestation...

... apk

Re:Forget computers, they're extraditing the perps

[cdrguru]

Is what they did not illegal in Estonia?

No, it probably is not illegal. Let's see, what country has the most Windows machines? Probably the US is #1 there. So anything that negatively affects Windows machines will have a predominately bad effect on US computer users.

I wouldn't be surprised if there is a specific (unwritten) law in Estonia that says "If you screw with Americans, hat's off to ya." There certainly is such a law in Romainia and Bulgaria.

It may also be the case that in Estonia anything that is done "online" gets a free pass because it did not happen in the physical world. If you steal from someone "online" it is very difficult for them to pick you out of a lineup. Similarly, if you haven't left the country and the victim never came to Estonia, then how could you possibly have stolen anything from them? Next case!

Many countries do not have laws dealing with Internet crimes in any way whatsoever and their legal system considers the whole idea of "virtual" crime to be nonsense. If you stick a gun in someone's face and demand their wallet, yes, that is illegal. If you get their bank account information and transfer yourself everything they have, well, that's different - they gave you that information, didn't they? Oh, they thought they were giving it to someone else... too complicated and sounds "virtual" anyway. Next case!

Unfortunately, the threshold for international enforcement is very, very high. Way too high for 419 scammers to get prosecuted. As far as Western Union is concerned, everyone should know by now that only criminals use Western Union for anything at all. If you aren't a criminal, there are other ways of sending money around that do not involve Western Union in any way. Western Union has consistently refused to do anything that would prevent criminal use of their money laundering ... er, I mean money transferring ... and the result is every single time I see anything about Western Union is it for criminal enterprises. This by itself should doom Western Union but there seems to be enough folks thinking they are going to get paid for transferring money around that they can keep going.

Re:Forget computers, they're extraditing the perps

[mcgrew]

Adding more layers of bullshit to a flawed system does not fix it. Dismantling the system will.

Before you tear your house down you'd better build a new one, or you'll get wet and cold. You have a system in mind that's better than the present one that doesn't involve matter replicators?

Re:Forget computers, they're extraditing the perps

[kiwix]

So after they do their time in the US they're going to be judged in each country where a machine was infected? That's fucking scary!

And if I have a website explaining people how to use TOR, and it turns out that explaining this is illegal in China or in North Korea, will I be extradited to those countries?

Why not

Organize a worldwide format day. That should solve the problem.

Re:Forget computers, they're extraditing the perps

[billcopc]

My house is fine as it is. It's my neighbor who's a total dick.

Re:unreachable nameserver = internet disconnection

[wiedzmin]

It's true for users who don't realize their freaking DNS servers have been changed... Facebook doesn't open = no internet. What I don't understand is why they don't setup a captive portal that opens a message for them saying they are infected whenever they try to go to any website, instead of just shutting the servers down. And while we're on the subject - is it being delayed or not!?