FBI To Shut Down DNSChanger Servers Monday -- But Should It Cut Off 300k PCs?
nk497 writes "The FBI is set to pull the plug on DNSChanger servers on Monday, leaving as many as 300,000 PCs with the wrong DNS settings, unable to easily connect to websites — although that's a big improvement from the 4m computers that would have been cut off had the authorities pulled the plug when arresting the alleged cybercriminals last year. The date has been pushed back once already to allow people more time to sort out their infected PCs, but experts say it's better to cut off infected machines than leave them be. 'Cutting them off would force them to get ahold of tech support and reveal to them that they've been running a vulnerable machine that's been compromised,' said F-Secure's Sean Sullivan. 'They never learn to patch up the machine, so it's vulnerable to other threats as well. The longer these things sit there, the more time there is for something else to infect.'"
By seeing some of the stuff I read on news comment boards etc, the internet should be culled
If there was only some way to do it more selectively
those machines are primarily used to connect to Facebook... so allow me to say:
and nothing of value was lost
They should have cut them off immediately, when there were 4 million PCs connecting to them. How are people supposed to learn?
Well then, why didn't they redirect every single victim to a "CIA! you're infected. fuckin clean up your PC" page for at least 4 weeks?
Use the dns server to redirect any url to one page informing the user on how to remove the infection/get help?
Instead of having their internet connection just stop working, they will run to their ISPs, who did nothing wrong ...
They should be redirected for all their queries to a page telling them they are infected and they will be cut off...
I know that lying on DNS is bad but I think the best thing to do here would be to send all the victims to a website telling them how to fix their machines.
It's not like this is coming out of the blue. Every one of the owners of those machines has had at least 6 months' warning of the problem. If they haven't done anything before this, they won't do anything about it until their Internet stops working and they have no choice. So stop with the hand-wringing, shut 'em down and let those people suffer the consequences of their own willful stupidity. It's the only way they'll learn.
Why not do what every ISP is doing - for every DNS request hitting the server, send them to a page that tells them their PC is infected and how to clean it.
They have to click again in order to get through. Set the TTL of the DNS caching to nil so it happens practically every link - simply bombard them through annoyance?
Oh, and sure it'll break stuff like e-mail and all sorts of other non-HTTP protocols, which is good because they'll hopefully call tech support or something.
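The walled-garden approach described in the post above (answer every lookup with the address of a notice page and a zero TTL so the redirect is never cached), as an added example that is not code from the thread or from any ISP's actual deployment. It builds and parses DNS wire format by hand; the landing address 192.0.2.10 and the bind address are placeholders, and `build_query` exists only to construct test input. Only A queries are answered, so mail and other non-HTTP protocols fail exactly as the post predicts, which is the signal that prompts the support call.

```python
"""Walled-garden DNS responder: every A query is answered with one landing-page
IP and a zero TTL, so an infected client keeps landing on the notice page."""
import socket
import struct
from typing import Optional, Tuple

QTYPE_A = 1
QCLASS_IN = 1


def _read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode an uncompressed DNS name at offset; return (name, offset past it)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compressed label where a plain one was expected")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """Build a one-question recursive query (used here to construct test input)."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)


def parse_question(query: bytes) -> Tuple[int, str, int, int, bytes]:
    """Return (id, qname, qtype, qclass, raw question section) of a query."""
    if len(query) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("expected a query with exactly one question")
    qname, off = _read_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    return txid, qname, qtype, qclass, query[12:off + 4]


def build_walled_garden_response(query: bytes, landing_ip: str, ttl: int = 0) -> bytes:
    """Answer any IN A query with landing_ip. Other record types get an empty
    NOERROR reply, so mail and other non-HTTP protocols fail while browsers are
    steered to the notice page. ttl=0 keeps clients from caching the answer."""
    txid, _, qtype, qclass, question = parse_question(query)
    answers, ancount = b"", 0
    if qtype == QTYPE_A and qclass == QCLASS_IN:
        # 0xC00C is a pointer back to the name in the question section (offset 12).
        answers = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, ttl, 4)
        answers += socket.inet_aton(landing_ip)
        ancount = 1
    rd = struct.unpack("!H", query[2:4])[0] & 0x0100          # echo the RD bit
    flags = 0x8000 | 0x0400 | rd | 0x0080                       # QR, AA, RD, RA; RCODE 0
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    return header + question + answers


def parse_a_answer(response: bytes) -> Optional[Tuple[str, int, str]]:
    """Decode the first answer of a response as (name, ttl, ip); None if no answer."""
    _, _, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    _, off = _read_name(response, 12)
    off += 4                                   # skip qtype and qclass
    if ancount == 0:
        return None
    pointer = struct.unpack("!H", response[off:off + 2])[0]
    if pointer & 0xC000 != 0xC000:
        raise ValueError("expected a compressed owner name in the answer")
    name, _ = _read_name(response, pointer & 0x3FFF)
    _, _, ttl, rdlen = struct.unpack("!HHIH", response[off + 2:off + 12])
    rdata = response[off + 12:off + 12 + rdlen]
    return name, ttl, socket.inet_ntoa(rdata)


def serve(bind_addr: str, port: int, landing_ip: str) -> None:
    """Minimal UDP loop; a real deployment binds to the seized resolver address."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(build_walled_garden_response(data, landing_ip), peer)
        except ValueError:
            continue                           # ignore malformed or non-query packets


if __name__ == "__main__":
    # Placeholder addresses: listen locally and point every A lookup at 192.0.2.10.
    serve("127.0.0.1", 5353, "192.0.2.10")
```

Because the owner name in the answer is a pointer to the question, the reply stays small enough for plain UDP; the TTL of 0 means every new link triggers a fresh lookup, which is the "bombard them through annoyance" effect the post describes.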
Send all the hosts to a website saying hey guess what you've been compromised. blah blah blah to fix. We used to do this to customers back in the old dialup dayz
-Thorne
When citizens start learning that they can't expect the DNS system to just allow them to continue to be a part of a BOT because they don't care because they are thrown off the Internet, the sooner they will learn to take responsibility for their own equipment one way or another.
If they have been helped through fixing their computer and they haven't bothered? F&^% them. Their loss.
There is only so much F&^%s you can give before you say "enough is enough".
About Time.... Then the people will know they have a problem.. right now, they think everything is fine.
I wonder if the real reason they kept this on life support for so long was to enjoy 6+ months of DNS queries for 4mil-300 thousand users?
Seems like an excellent opportunity to gather a large amount of intelligence without any messy subpoenas or warrants.
The FBI didn't change any settings. The malware did that, it alters the infected computer's DNS settings to use a set of servers run by the malware authors. What the FBI did was take over those servers and replace the malicious software running on them with software that does normal DNS so infected computers were no longer being redirected to the malware author's sites. And now the FBI's looking at shutting down the servers entirely, which would leave the infected computers with no DNS servers at all.
They didn't. The DNSChanger trojan, as the name implies, changed the DNS server configuration. The FBI was able to seize control of those IP addresses and set up their own DNS servers there to mitigate the damage.
If you run a botnet, better check any of your zombies for this and fix them quickly. Otherwise they might get attention from a PC tech who'll remove your code as well.
(Isn't this the likely result from delays?)
It doesn't hurt to be nice.
The DNSChanger malware can change DHCP server settings on some routers. If your home router has been tampered with, it may continue to provide rogue DNS settings even after your PC has been cleaned or reinstalled.
For months, the FBI has been, essentially, providing DNS service for lots of people who didn't even know their machine had been compromised. This is the FBI, remember. If the FBI announced it was going to muck around with the DNS of millions of people, the Usual Suspects here would be ranting about the Evil Of It All.
Most of those 300,000 remaining victims will likely never fix anything. They've only been on the internet for these last several months thanks to the FBI, and they don't even know it.
Pull the plug and go catch some crooks.
-- Slashdot: When Public Access TV Says "No"
The "rightful owners" were the malware authors who were infecting PCs and running the botnet. The FBI got the authority when they charged those authors and got a warrant to seize the servers.
My guess is all the corporate PHBs and bigwigs who love to still use XP/IE 6 with no updates because it is cheaper to have IT just put out fires to help boost the share price are the ones in for a surprise.
With Symantec endpoint I am sure it would be detected ... yeah right
http://saveie6.com/
Seems that a clear posting that describes how to fix the problem would be the most useful to the most people.
craigslist. I can't wait. You know half of those folks will just go out and buy a new computer, because this whole "virus thing" is too confusing.
You have to take personal responsibility for certain things, like driving a car. The government can't babysit you all the time. Your PC is another example.
that's all
If these machines are attempting to infect others, sending spam, and doing all the other malicious botnet type activity they no doubt are being used for, or could be used for, then cut them off.
Leaving them working, but infected because the user is too ignorant to fix the problem (which has been present for well over a year now) is a liability.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
It really does matter for the underserved internet community who rely on affordable and sometimes outdated DSL modems for their access to the internet in rural areas. Many of these DSL modems have been infected by a scary variant of the DNSChanger Zlob trojan that actually changes the DSL modem's DNS settings and changes the DSL modem's password to an unguessable value. The most detrimental effect of this infection is a virtually irreversible firmware change in an unknown but probably high number of DSL modems worldwide which are permanently affixed to the rogue DNS servers, now seized and run by the FBI as clean, boring caching DNS servers. They will be shut down July 9 because the FBI doesn't want to be an ISP, which has the effect of cutting off an unknown number of people from the internet.
It's not a small problem. It's a big problem. The cost of help desk calls alone will be devastating to the disadvantaged and underserved internet community, i.e., rural America, who may be using the affected DSL modems infected by this Zlob trojan variant.
The most important note you must realize about this problem is that DNSChanger actually changed the DNS servers on the DSL modem. Just in case you don't realize this: the DSL modem provides the DNS server info to the computer in the home. While the computer may no longer be infected, the DSL modem is configured to use the DNSChanger rogue DNS servers which the FBI seized and will shut down on July 9.
It's a really big deal and we should treat it like that.
You can check more out here: http://www.dns-ok.us/
Kriston
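The point made in the two posts above and earlier in the thread (the malware rewrites the DNS settings, and on a home router or DSL modem the rogue resolvers survive a PC reinstall because the router hands them out over DHCP) suggests the check a help desk would actually run: compare the resolvers the PC uses *and* the resolvers the router hands out against the known rogue ranges. The following is an added example, not code from the thread, from dns-ok.us, or from the FBI. The `ROGUE_RESOLVER_RANGES` are RFC 5737 documentation placeholders standing in for the real published DNSChanger ranges, and the resolv.conf text and router DNS values are constructed sample input.

```python
"""Classify a home network as clean, host-infected or router-infected by
checking configured resolvers against a list of rogue resolver ranges."""
import ipaddress
from typing import Dict, Iterable, List

# Placeholder ranges (RFC 5737 documentation blocks). A real check loads the
# published DNSChanger rogue-resolver ranges here; they are not reproduced.
ROGUE_RESOLVER_RANGES = ["198.51.100.0/24", "203.0.113.0/24"]

# Constructed sample: the PC simply points at its home router for DNS, which
# is why a scan of the PC alone can come back clean.
SAMPLE_RESOLV_CONF = """\
# constructed resolv.conf from a cleaned PC
nameserver 192.168.1.1
search home.lan
"""

# Constructed sample: resolvers the router reports on its status page / DHCP
# offer. One of them falls inside a placeholder rogue range.
SAMPLE_ROUTER_DNS = ["203.0.113.7", "192.0.2.53"]


def parse_resolv_conf(text: str) -> List[str]:
    """Return nameserver addresses from resolv.conf-style text, ignoring comments."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def rogue_hits(resolvers: Iterable[str], ranges: Iterable[str]) -> List[str]:
    """Return the resolvers that fall inside any of the given CIDR ranges.
    Unparseable entries are skipped; a v6 address never matches a v4 range."""
    nets = [ipaddress.ip_network(r) for r in ranges]
    hits = []
    for resolver in resolvers:
        try:
            addr = ipaddress.ip_address(resolver)
        except ValueError:
            continue
        if any(addr in net for net in nets):
            hits.append(resolver)
    return hits


def assess(host_resolvers: Iterable[str], router_resolvers: Iterable[str],
           ranges: Iterable[str] = ROGUE_RESOLVER_RANGES) -> Dict[str, object]:
    """Combine both views. A rogue resolver on the router outranks a clean PC:
    the PC will be handed the rogue servers again on its next DHCP lease."""
    host_bad = rogue_hits(host_resolvers, ranges)
    router_bad = rogue_hits(router_resolvers, ranges)
    if router_bad:
        verdict = "router-infected"   # reinstalling the PC will not fix this
    elif host_bad:
        verdict = "host-infected"
    else:
        verdict = "clean"
    return {"verdict": verdict, "host_rogue": host_bad, "router_rogue": router_bad}


if __name__ == "__main__":
    result = assess(parse_resolv_conf(SAMPLE_RESOLV_CONF), SAMPLE_ROUTER_DNS)
    print(result)
```

Run against the constructed sample the verdict is `router-infected` even though the PC's own resolver (the router's LAN address) is not rogue, which is exactly the case the post warns about: the fix has to happen on the modem, by factory reset or replacement, not on the PC.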
Don't cut them off - do like the hotels do and take them to a splash screen asking for their credit card numbers so they can pay if they want to continue to use the internet on a service that is costing money to run and which they can't connect to normally because of their own wilful ignorance on security.
Rather than people infected with shit knowing there is a problem and getting help before they get even more owned, the FBI actively acted to cover up the problem by continuing to run the DNS service, leaving users to remain clueless.
God knows I hate lawsuits yet on some level it would be awesome if someone filed one against the FBI anyway even if it had no chance of succeeding. It just might make them think twice before they decide to repeat this stunt.
Those people are just not capable of administering a computer device. They should simply be provided with a remote-managed OS so they can't accidentally help those spammers again!
Uh, and *don't* ask, just do it! They won't notice any difference in xbox / windows 98 / windows 3.11 anyway, just make the gnome desktop flickering colored ;)
You mean ... like iOS devices?
I'm not seeing how this is devastating to rural America. This generates a service call. The ISP either gets an up-sell opportunity or they bill for the fix. The rural person making the call either gets a free fix or they pay $50 for service. The whole thing works out to (using the 4m number) at most 4m x $50 = $200m in costs. That's about 1/2% of annual cable revenues in the US. Where is the devastation?
"changes the DSL modem's password to an unguessable value. "
This might not be as catastrophic as it seems. Many modems and routers have a reset button on them where you can return all values to the factory settings. You might lose all your user defined (or malware defined) settings but couldn't you rebuild the legitimate user defined settings? As a matter of fact, if my router became infected by malware, a reset would be the first thing I did because I couldn't trust any settings on the modem.
One of the reports we were given has stated that the DSL modem variant of the DNSChanger Zlob trojan actually updates the firmware and it will effectively brick the modem when the FBI shuts its servers down.
Kriston
They won't bill for the fix and they won't try to up-sell. The real worry is the fact that modems will need to be replaced. I didn't make it clear in my original post that the DSL modem variant of the DNSChanger Zlob trojan really does brick the DSL modem once the FBI shuts the servers off. That costs a lot of money in labor and equipment.
Perhaps I also wasn't clear that these people don't have a lot of money to begin with.
Kriston
1. Yes they should shut it down.
2. They should have a stockpile of dunce caps ready to mail to people who, despite having had months of warning, never bothered to even check if they were infected. There have been a myriad of public warnings about this, and instructions/tools on how to check. I am a reasonably advanced tech person, and even I checked my machines because I am not so proud as to believe I am flawless.
3. For everyone talking about web sites... This is not just web sites. Everything you do on the internet requires DNS. *EVERYTHING*. No Web. No email. No instant messenger. No nothing. If an application does anything more than access your local hard drive, it won't work. That will be a monumental flag that something is wrong. If you have more than one pc in the house (or even better, a non-pc device) and it works and your pc doesn't, then that isn't just a smoking gun for the infection, it's a big flashing neon sign with a loud box underneath going AWOOGA AWOOGA. Even if you are not technically inclined, that should be enough for you to scratch your head and go, "Gee, maybe I should ask my geeksquad/coworker/5 year old child about this".
Yeah! I have the same problem with the DEA! I mean, sure, they can arrest people for possession of drugs, but what gave them the authority to just _keep_ my drugs?
Wait, I forgot, I'm not an idiot who doesn't understand that, yes, the government will seize property that is actually part of a crime.
(As for the 'outside the US thing'...um, the FBI presumably worked with whatever country that was. Duh. Armed FBI agents don't just randomly break down doors and arrest people in other countries.)
If corporations are people, aren't stockholders guilty of slavery?
One of the reports we were given has stated that the DSL modem variant of the DNSChanger Zlob trojan actually updates the firmware and it will effectively brick the modem when the FBI shuts its servers down.
That's between you, your isp and the modem manufacturer to resolve. Not the FBI.
I took it that they would need to be flashed potentially. I figured a mass purchase of DSL modems are like $20 each. I had room for some level of service in my $50, estimate per head. The number might be too low, but where poverty is rampant labor is cheap. If my $50 is off and it should be $75 I would agree that rural DSL customers aren't likely to have lots of extra money.
Almost all the country at this point has Broadband. The FCC has been taxing to make availability happen. Looking at the current budget it is $7.2b in total spend. I just don't see a few hundred million as a disaster. An annoyance yes, a disaster no.
If your PC is infected, tough shit.
There are a few Private DNS systems that live outside the 'official' DNS system that allow people to find what they want regardless of a domain being 'seized'. If they don't control the DNS system they can't remove widescale access to specific domain without actually getting to the physical server.
What I expect is going on is the FBI is going to kill access to these private DNS systems, or, they are engaging a global DNS logging system, or both.
Private DNS systems may be blocked for a short time until a way is engineered around them, or the FBI issues DMCA notices to companies for deploying their own DNS systems.
~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
That's completely irrelevant. The point is that the ISP needs to spend money to resolve this and in some cases spend a LOT of money to resolve it.
Kriston