Disconnection of Millions of DNSChanger-Infected PCs Delayed

tsu doh nimh writes "Millions of computers infected with the stealthy and tenacious DNSChanger Trojan may be spared a planned disconnection from the Internet early next month if a New York court approves a new request by the U.S. government. Meanwhile, six men accused of managing and profiting from the huge collection of hacked PCs are expected to soon be extradited from their native Estonia to face charges in the United States."


  1. Meh by Anonymous Coward · · Score: 2, Funny

    I really don't see the big deal, I mean I

  2. Let it happen by jdastrup · · Score: 5, Interesting

    Allowing the infected computers to fail is probably best. They'll stop working, then get replaced or cleaned up. How is that bad?

    1. Re:Let it happen by Anonymous Coward · · Score: 4, Insightful

      Why would we want infected computers to exist on the Internet anyway? The excuse that they create jobs, in cleaning them up, is not a strong one, since by that same logic you could also make work by smashing them.

      If they could be disconnected in stages, so centralized support outlets are not overwhelmed, that might be a more graceful letdown for the infected owners.

    2. Re:Let it happen by na1led · · Score: 4, Insightful

      It's a good test to see how secure your systems really are. If your PCs are infected, then it's time to recheck your security.

      --
      -- By all means let's be open-minded, but not so open-minded that our brains drop out.
    3. Re:Let it happen by vlm · · Score: 4, Interesting

      Allowing the infected computers to fail is probably best. They'll stop working, then get replaced or cleaned up. How is that bad?

      Maybe the US govt doesn't want them to be cleaned up because the US govt is involved in them, somehow.

      Note I'm not completely tinfoil hat here. I'm not suggesting that the govt wrote the virus or infected the computers. I'm merely suggesting this MIGHT be something like the syphilis experiments done on minorities decades ago... leave them infected, watch carefully, see what happens... Obviously a packet sniffer on the incoming DNS traffic tells you how many there are, you can generate all kinds of interesting graphs and studies and reports... You also have at least one pretty strong data point on security update habits, because they were not updated when infected. I would imagine some interesting data is being generated that would be eliminated if the "experiment" were terminated early.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    4. Re:Let it happen by jbov · · Score: 3, Informative

      If the two items in bold below were not true, then they would shut down the DNS servers immediately.

      FTFA:

      Earlier this month [...] The company said more than 3 million systems worldwide — 500,000 in the United States — remain infected with the Trojan, and that at least one instance of the Trojan was still running on computers at 50 percent of Fortune 500 firms and half of all U.S. government agencies.

      Gotta keep everything running for the good ol' boys.

    5. Re:Let it happen by tiberus · · Score: 2

      I can sort of see some merit (from an "it's gonna cost me money" perspective) to letting companies and the government have a brief period, like a month, not months, to do some clean-up. There are a lot of factors to consider; e.g. it would be devastating to a company to suddenly lose 1/2 of their systems (I think we'd call that a disaster recovery scenario). Giving them an extension seems a bit silly though.

    6. Re:Let it happen by Anonymous Coward · · Score: 2, Interesting

      As someone working for an ISP who has been trying to get these people to clean their PCs, if 500,000 are cut off from the Internet, that is 500,000 calls to their ISP to "fix" it. That's somewhere between $1,000,000 - $1,500,000 in support calls.

    7. Re:Let it happen by AK+Marc · · Score: 3, Informative

      http://en.wikipedia.org/wiki/Tuskegee_syphilis_experiment

      And never, ever, look up diseases on Wikipedia. Too many good pictures of icky stuff.

    8. Re:Let it happen by izomiac · · Score: 2

      If such critical systems are compromised then it's better for them to go down randomly for a short time for reasons easy to identify than to let them continue running and likely be shut down (or tampered with) maliciously at the worst possible time.

    9. Re:Let it happen by rtb61 · · Score: 3, Interesting

      In this case the solution is simple. Consider the trojaned computers as out of control devices to be used to aid criminal activities. Present the information to the court, with plenty of public notice and seek a warrant to digitally enter those computers, remove the offending software, conduct a minimal repair to lock out the trojan and leave a blatant on boot up notification of what has happened and what they need to do to prevent it happening again. Ensure the notification is easily removable.

      Just like anything else left out of control, the police are entitled to enter and seek to deactivate the out of control entity. The same in this case. Don't shut down the computers; fix them, notify the owners of the fix and provide a warning: "Next time it will be assumed that you are a knowing part of the bot-net and you and your infrastructure will be raided and you will be required to provide proof that you did not willingly participate in this activity or face a fine".

      --
      Chaos - everything, everywhere, everywhen
    10. Re:Let it happen by Anonymous Coward · · Score: 2, Funny

      "Science isn't about why, it's about why not. You ask: why is so much of our science dangerous? I say: why not marry safe science if you love it so much. In fact, why not invent a special safety door that won't hit you in the butt on the way out, because you are fired." -Cave Johnson

    11. Re:Let it happen by garyebickford · · Score: 3, Informative

      The excuse that they create jobs, in cleaning them up, is not a strong one, since by that same logic you could also make work by smashing them.

      Yes, this is the Broken Window Fallacy.
      To quote:

      The parable, also known as the broken window fallacy or glazier's fallacy, demonstrates how opportunity costs, as well as the law of unintended consequences, affect economic activity in ways that are "unseen" or ignored.

      --
      It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
  3. Very odd details by bigbangnet · · Score: 3, Interesting
    This is a very odd story. Why would the FBI request to change DNS for millions of PCs when all they have to do is switch the DNS server off? But no, they decided to get a court order allowing them to replace the rogue DNS servers with legitimate stand-ins so that all the infected computers wouldn't get cut off without warning, giving them time to get the word out.

    btw, you can read this guide to check your dns.

    http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf

    1. Re:Very odd details by Zocalo · · Score: 2
      They've been trying to get the word out. OK, that word has looked very much like a phish, but it has gone out. The issue has also been discussed in many of the kind of places where people in a position to do something about the problem hang out such as Ars, NANOG, Slashdot, and so on. At this point, if a PC has not been reconfigured then I'd say that the chances are that it won't be until it gets replaced or rebuilt, so there are three options:
      1. Pull the plug, cutting off those who are infected. My preferred option since this will have the biggest LART effect, especially in the corporate and ISP environments where the impact (pun intended) is likely to be much greater.
      2. Reconfigure the infected PC's DNS. Not a good option, IMHO, since there is a chance things may go wrong and if it does work then the users / IT departments remain ignorant about the infection - no lessons learnt at all.
      3. Run the substitute DNS servers until such time as the impact is reduced to some arbitrary "acceptable" level, then do #1 or #2.
      --
      UNIX? They're not even circumcised! Savages!
    2. Re:Very odd details by X0563511 · · Score: 2

      Kind of hard for a Linux machine to get infected with a Windows trojan. Even if it managed (through Wine) the trojan changes network settings - something totally incompatible between them (so the Wine API would fail, there).

      I'm sure there ARE infections that could do the job, but they are not this one.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    3. Re:Very odd details by vlm · · Score: 2

      Option 4 which I guess outs me as a NANOG reader type of guy, is for an ISP or large corporation to BGP advertise the DNS servers specific netblocks as themselves (obviously route filter not to send to their upstreams or they'll get really pissed off) and run their own servers and then implement whatever they want whenever they want.

      I don't do the windoze thing either at home or work, so I've been sorta ignoring this, but I think I read it was only 4 little /24s that need to get this treatment.

      If you don't wanna run your own fake servers (well, technically they're just as real as the FBI ones...) then you just block those 4 /24s in your firewall, perhaps temporarily, and "see what happens". Email goes out "if your internet was down from 1030 to 1100 today, please open a ticket with IT" etc.

      Or your organization simply packet sniffs all traffic to the rogue server addresses and you follow up as appropriate. Obviously you sniff on the inside of the firewall, not outside, duh. This assumes your organization documents any of that internal stuff in a useful manner.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
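bigbangnet points at the FBI's check guide, and vlm suggests blocking or sniffing traffic to the rogue resolver netblocks and following up on whichever internal hosts show up. The script below is an added example, not code from the thread or from the FBI guide: it reads the resolvers out of a Unix resolv.conf or Windows `ipconfig /all` output, tests each against the DNSChanger ranges, and runs the same test over firewall log lines to list the internal hosts still talking to those addresses. The six ranges are the ones published in the FBI guide linked above, written here in CIDR form (confirm them against that PDF before relying on the list); the resolv.conf, ipconfig output and log lines are constructed samples.

```python
import ipaddress
import re

# Rogue resolver ranges from the FBI DNSChanger guide linked above, in CIDR
# form; confirm against that document before relying on the list.
DNSCHANGER_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "85.255.112.0/20", "67.210.0.0/20", "93.188.160.0/21",
    "77.67.83.0/24", "213.109.64.0/20", "64.28.176.0/20",
)]

IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def is_rogue_resolver(ip):
    """True if ip falls inside one of the DNSChanger resolver netblocks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # garbage from a log line, not an address
        return False
    return any(addr in net for net in DNSCHANGER_RANGES)


def resolvers_from_resolv_conf(text):
    """Nameservers listed in a Unix /etc/resolv.conf."""
    return [parts[1] for parts in (line.split() for line in text.splitlines())
            if len(parts) >= 2 and parts[0] == "nameserver"]


def resolvers_from_ipconfig(output):
    """DNS servers from Windows 'ipconfig /all' output, including the
    continuation lines Windows prints for a second and third server."""
    found, capturing = [], False
    for line in output.splitlines():
        if "DNS Servers" in line:
            capturing = True
            found.extend(IPV4_RE.findall(line))
        elif capturing and IPV4_RE.fullmatch(line.strip()):
            found.append(line.strip())
        else:
            capturing = False
    return found


def check_resolvers(ips):
    """Map each configured resolver to whether it is a DNSChanger address."""
    return {ip: is_rogue_resolver(ip) for ip in ips}


FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def rogue_contacts(log_lines):
    """(src, dst, dport) for every logged flow whose destination is a rogue
    resolver address; the src column is the host that still needs cleaning."""
    hits = []
    for line in log_lines:
        m = FLOW_RE.search(line)
        if m and is_rogue_resolver(m.group(2)):
            hits.append(m.groups())
    return hits


# Constructed sample inputs (not real captures).
SAMPLE_RESOLV_CONF = "search corp.example\nnameserver 93.188.160.10\nnameserver 8.8.8.8\n"

SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 10.0.0.5
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 85.255.112.36
                                       85.255.112.37
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

SAMPLE_FIREWALL_LOG = [
    "2012-02-20T10:31:02 fw1 src=10.0.0.5 dst=85.255.112.36 dport=53 proto=udp",
    "2012-02-20T10:31:03 fw1 src=10.0.0.9 dst=8.8.8.8 dport=53 proto=udp",
    "2012-02-20T10:31:05 fw1 src=10.0.0.12 dst=213.109.66.7 dport=53 proto=udp",
    "2012-02-20T10:31:06 fw1 src=10.0.0.12 dst=213.109.66.7 dport=443 proto=tcp",
]

if __name__ == "__main__":
    print(check_resolvers(resolvers_from_resolv_conf(SAMPLE_RESOLV_CONF)))
    print(check_resolvers(resolvers_from_ipconfig(SAMPLE_IPCONFIG)))
    for src, dst, dport in rogue_contacts(SAMPLE_FIREWALL_LOG):
        print(f"{src} -> {dst}:{dport}")
```

The log check deliberately matches any destination port, not only 53, because a host that has been pointed at the rogue resolvers may also be fetching the content they were injecting; the source address is what you hand to the desk for follow-up, and the firewall block vlm describes is just the same range list applied as a deny rule.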
    4. Re:Very odd details by eulernet · · Score: 3, Funny

      Wow, it seems that I'm infected: I get a weird page for http://megaupload.com/ !

  4. Re:Hype by gnick · · Score: 5, Funny

    Save us from the Trojan? I thought using a Trojan helped prevent the spread of viruses...

    --
    He's getting rather old, but he's a good mouse.
  5. Consequences by Gothmolly · · Score: 2

    Another example of how the US government is trying to shield people from the consequences of their actions.

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:Consequences by c0lo · · Score: 2

      Another example of how the US government is trying to shield people from the consequences of their actions.

      Not only that, but... ;) I wonder just where the world is heading? How can an honest cybercriminal earn her/his living nowadays without fear of being extradited to the US? ;)

      --
      Questions raise, answers kill. Raise questions to stay alive.
  6. Re:What OS are we talking about? by X0563511 · · Score: 4, Informative

    Lazy, aren't you? Google the Trojan name, and the very first result tells you.
    Trojan:W32/DNSChanger

    That's if the context didn't tell you... Hmm, a Trojan infecting millions of machines to the level of getting courts involved. You really expect that to be Mac or Linux?

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  7. Why not use the dummy DNS servers? by rwhamann · · Score: 3, Interesting

    Why not use the dummy DNS servers to redirect users still attached to them to an informational website that tells them how to unfuck themselves? Make it a clearly labelled site with a very simple, obviously .gov URL so people trust it? If my ISP can pop up a frame telling me I'm approaching the bandwidth cap, why can't the FBI?

    --
    seg fault
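The redirect rwhamann proposes means the stand-in resolvers would answer every lookup with the address of the notice site instead of the real one. The following is an added example, not code from the thread or from the FBI's replacement servers: a minimal UDP responder that parses an incoming DNS query and answers any A/IN question with a fixed landing-page address. The landing address 192.0.2.10 is a documentation address standing in for wherever the notice page would be hosted, and the listener binds port 5353 because port 53 needs privileges; both are assumptions.

```python
import socket
import struct

# Where a sinkholed client should land. 192.0.2.10 is a documentation address
# standing in for the notice site (an assumption, not a real address).
LANDING_PAGE_IP = "192.0.2.10"
ANSWER_TTL = 60           # short TTL so the redirect stops quickly once fixed
QTYPE_A, QCLASS_IN = 1, 1


def parse_qname(msg, offset):
    """Decode an uncompressed label sequence starting at offset."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:        # compression pointer; never valid in a question
            raise ValueError("compressed name in question")
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_query(msg):
    """Header and single question of a DNS query; ValueError if it is not one."""
    if len(msg) < 12:
        raise ValueError("short packet")
    txid, flags, qdcount = struct.unpack("!3H", msg[:6])
    if flags & 0x8000:
        raise ValueError("packet is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, end = parse_qname(msg, 12)
    if len(msg) < end + 4:
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[end:end + 4])
    return {"id": txid, "rd": flags & 0x0100, "qname": qname,
            "qtype": qtype, "qclass": qclass, "question": msg[12:end + 4]}


def build_response(query_msg, landing_ip=LANDING_PAGE_IP):
    """Answer every A/IN query with the landing page; anything else gets an
    empty NOERROR reply so the client does not keep retrying."""
    q = parse_query(query_msg)
    flags = 0x8000 | q["rd"] | 0x0080          # QR=1, RD copied, RA=1, RCODE=0
    if q["qtype"] == QTYPE_A and q["qclass"] == QCLASS_IN:
        header = struct.pack("!6H", q["id"], flags, 1, 1, 0, 0)
        # 0xC00C is a pointer back to the name in the question at offset 12
        rr = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, ANSWER_TTL, 4)
        return header + q["question"] + rr + socket.inet_aton(landing_ip)
    return struct.pack("!6H", q["id"], flags, 1, 0, 0, 0) + q["question"]


def build_query(txid, name, qtype=QTYPE_A):
    """Encode a standard recursive query; used here to exercise the responder."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return (struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00"
            + struct.pack("!HH", qtype, QCLASS_IN))


def answered_ip(response):
    """Dotted-quad rdata of a one-answer A response built by build_response."""
    ancount = struct.unpack("!H", response[6:8])[0]
    return socket.inet_ntoa(response[-4:]) if ancount == 1 else None


def serve(bind_addr="127.0.0.1", port=5353):
    """Minimal UDP listener; binding :53 needs privileges, so 5353 by default."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(build_response(data), peer)
        except ValueError:
            pass                         # malformed or non-query traffic: drop


if __name__ == "__main__":
    serve()
```

Two caveats a practitioner would want before doing this on real stand-ins: because every name resolves to the notice page, any HTTPS site the victim opens produces a certificate error rather than the notice, and non-web clients (mail, updates) simply fail, so a production version would serve the notice site's genuine records and only sinkhole the rest; and the redirect reaches only machines that are actually sending queries to the stand-in resolvers, which is the same population a disconnection would hit.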
    1. Re:Why not use the dummy DNS servers? by vlm · · Score: 2

      90% of the idiotic masses are going to call their ISP and scream at some poor script reader in India who probably knows nothing about this.
      9% of the idiotic masses are going to call a Fox News call-in program and explain how it's an Indonesian commie plot to eliminate Christianity from America, or some NPR radio show and ramble on about how weed legalization would have prevented this in the first place and it's all Bush's fault anyway.
      1% of the idiotic masses are going to call 911 and they are gonna be pissed off

      I'm guessing anyone smart enough to fix their box probably already has, so all you're going to get is hyper-flakey responses.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    2. Re:Why not use the dummy DNS servers? by CanHasDIY · · Score: 3, Insightful

      Don't forget the .000001% who will flame the rest of society in online forums for not being as omniscient and infallible as they believe themselves to be.

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    3. Re:Why not use the dummy DNS servers? by NoKaOi · · Score: 2

      90% of the idiotic masses are going to call their ISP and scream at some poor script reader in India who probably knows nothing about this.

      Vs. 99% who would call their ISP if they were suddenly unable to reach Google and Facebook? Seems like a redirect with instructions on what to do about it would generate fewer calls than disconnecting, and any ISP with even the tiniest bit of competence should update their Indian scripts so the Indians can tell the customers what to do.

      Also, as far as your 90% goes, shouldn't you be happy if people are cautious and aware enough to be concerned that what they are reading might be a scam and not blindly click things?

  8. Re:Hype by sidthegeek · · Score: 5, Funny

    This is Slashdot. No one here needs to worry about that kind of thing...

  9. Re:What OS are we talking about? by similar_name · · Score: 2

    Don't forget to Google OSX.RSPlug.A, OSX/Puper, and OSX/Jahlav-C

  10. Re:Forget computers, they're extraditing the perps by NoKaOi · · Score: 5, Insightful

    To me, the real story is that the people behind this botnet are getting extradited and, (knock wood), will do jail time in the US.

    While I would be happy for the creators to rot in prison, this is also scary. Why should they be extradited to the US? /. commenters get outraged at mention of the megaupload folks being extradited simply because they disagree with the laws that were allegedly violated. It was the same excuse that it related to machines in the US. What makes the US so friggin' special for them to be extradited? Is what they did not illegal in Estonia? If not, then should they be prosecuted for actions they took while in a country where it wasn't illegal? If so, then why aren't they being prosecuted in Estonia, where they actually were when they did illegal stuff? If we're in one country doing business with another country over the Internet, or doing something on servers in another country, which country's laws should apply? Which country should get to prosecute?

    Meanwhile...I still get a dozen 419 scam emails for every craigslist ad I post. While everyone reading this probably thinks that only an idiot would fall for them, there are clearly people who do. Just because somebody isn't computer literate doesn't make them an idiot, there are real people losing real money, and yet the scammers aren't prosecuted because they're "over there" even though they're scraping craigslist's US based servers, sending email to servers and people in the US, receiving money fraudulently through Western Union, a US based company, from the US.

    What kind of precedent do we want? Can we at least be consistent?

  11. Re:Hype by K.+S.+Kyosuke · · Score: 3, Funny

    Save us from the Trojan? I thought using a Trojan helped prevent the spread of viruses...

    If you think that about the Trojans, then obviously, computers are all Greek to you.

    --
    Ezekiel 23:20
  12. Re:Forget computers, they're extraditing the perps by couchslug · · Score: 2, Insightful

    "Why should they be extradited to the US?"

    Because they damaged US computer systems on US soil.

    --
    "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
  13. Re:Forget computers, they're extraditing the perps by philip.paradis · · Score: 2

    The individuals in question allegedly damaged networks located on United States soil, and we happen to have an extradition treaty in place with Estonia. Wikipedia lists the following references to US/EST treaties:

    • 43 Stat. 1849; TS 703; 7 Bevans 602; 43 LNTS 277
    • 49 Stat. 3190; TS 888; 7 Bevans 645; 159 LNTS 149

    Some nations do not have extradition treaties with certain other nations, but this generally makes it rather more difficult for them to get their hands on accused criminals operating from and/or fleeing to "unfriendly" jurisdictions. Thus, such treaties are quite popular, and are generally mutual in nature between various nations and regional blocs.

    --
    Write failed: Broken pipe
  14. Re:Forget computers, they're extraditing the perps by billcopc · · Score: 2

    *dons crazy hat*

    If the U.S. wants extradition rights abroad, effectively granting them temporary dominion over foreign citizens, perhaps the very concept of country boundaries should be deemed obsolete. I want a unitary world government, not this so-called New World Order founded on lies, violence and greed.

    Further down the Star Trek fantasy, if we didn't have global financial abuses, heck - finances at all - there would be no incentive for black hats to hijack computers and defraud total strangers and this whole fiasco would never have happened in the first place.

    Adding more layers of bullshit to a flawed system does not fix it. Dismantling the system will.

    --
    -Billco, Fnarg.com