FBI To Shut Down DNSChanger Servers Monday -- But Should It Cut Off 300k PCs?
nk497 writes "The FBI is set to pull the plug on DNSChanger servers on Monday, leaving as many as 300,000 PCs with the wrong DNS settings, unable to easily connect to websites — although that's a big improvement from the 4m computers that would have been cut off had the authorities pulled the plug when arresting the alleged cybercriminals last year. The date has been pushed back once already to allow people more time to sort out their infected PCs, but experts say it's better to cut off infected machines than leave them be. 'Cutting them off would force them to get ahold of tech support and reveal to them that they've been running a vulnerable machine that's been compromised,' said F-Secure's Sean Sullivan. 'They never learn to patch up the machine, so it's vulnerable to other threats as well. The longer these things sit there, the more time there is for something else to infect.'"
Yeah, because that will teach them the right message. There are thousands of viruses out there that say "YOU'VE BEEN INFECTED WITH 2312312434 VIRUSES, PURCHASE TOTALLY LEGIT REGISTRY-SCANNER TO FIX"; adding a legitimate message only confuses users.
In fact, if I recall correctly, the major variants of DNS changer pop up windows saying you need to install X malware that pretends to fix problems.
Taxation is legalized theft, no more, no less.
I wonder if the real reason they kept this on life support for so long was to enjoy 6+ months of DNS queries for 4mil-300 thousand users?
Seems like an excellent opportunity to gather a large amount of intelligence without any messy subpoenas or warrants.
Why not do what every ISP is doing - for every DNS request hitting the server, send them to a page that tells them their PC is infected.
The list of hijacked DNS servers is well known in the biz, so I've heard at least some ISPs have been null routing the DNS server addresses as call queues and customer service staffing permits. Perhaps every day one pop or one CMTS or whatever it is DSL headend gear is called, or one entire city, gets null routes for those specific hijacked DNS /32s.
It ends up being about the same result in the end, except that you can control your call volume in an extremely fine-grained manner, or at least more fine-grained than the fake DNS server solution.
Obviously you lose your fine-grained gradual deployment if you redistribute those /32 routes into your site wide BGP route reflector. I wonder how many jokers have leaked those /32s onto the internet by trying to do this.
The guys who know what they're doing are all done now... The folks who haven't started are going to epic fail no matter what you do, so the FBI may as well just yank those AC cords and be done with it.
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
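Both the "send them to a warning page" idea and the ISP null-routing approach above start from the same question: does a given host's resolver configuration point into the hijacked DNSChanger address ranges? The following is an added example (not code from the thread or from any ISP tool) of that check as a support desk might script it. The prefixes are constructed placeholders from the RFC 5737 documentation ranges, because the real hijacked ranges are not on this page; the sample resolver lines are constructed too, mixing resolv.conf style and Windows ipconfig style output.

```python
import ipaddress
import re

# Constructed placeholders standing in for the published list of hijacked
# DNSChanger resolver prefixes (RFC 5737 documentation ranges, not the real ones).
ROGUE_RESOLVER_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),   # placeholder, TEST-NET-3
    ipaddress.ip_network("198.51.100.0/24"),  # placeholder, TEST-NET-2
]

# Constructed sample of what a support script might collect from a customer
# machine: a Unix resolv.conf fragment followed by Windows ipconfig lines.
SAMPLE_RESOLVER_CONFIG = """\
nameserver 203.0.113.17
nameserver 192.0.2.53
   DNS Servers . . . . . . . . . . . : 198.51.100.9
                                       8.8.8.8
"""

# Dotted-quad candidates; real validation happens in ipaddress below, so an
# out-of-range octet such as 999.1.1.1 is rejected rather than matched.
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def extract_resolvers(config_text):
    """Return the IPv4 resolver addresses found in the text, in order, deduplicated."""
    found = []
    for match in IPV4_RE.finditer(config_text):
        try:
            addr = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # looked like an address but is not a valid one
        if addr not in found:
            found.append(addr)
    return found


def rogue_resolvers(addrs, prefixes=ROGUE_RESOLVER_PREFIXES):
    """Return those resolver addresses that fall inside a hijacked prefix."""
    return [a for a in addrs if any(a in p for p in prefixes)]


def host_is_affected(config_text, prefixes=ROGUE_RESOLVER_PREFIXES):
    """True when at least one configured resolver sits in a hijacked range."""
    return bool(rogue_resolvers(extract_resolvers(config_text), prefixes))


if __name__ == "__main__":
    resolvers = extract_resolvers(SAMPLE_RESOLVER_CONFIG)
    bad = rogue_resolvers(resolvers)
    print("configured resolvers:", [str(a) for a in resolvers])
    print("hijacked resolvers:  ", [str(a) for a in bad])
    print("host affected:", host_is_affected(SAMPLE_RESOLVER_CONFIG))
```

Matching on prefixes rather than on a fixed list of individual addresses is what makes the same data usable for the null-route case in the comment above: the prefixes that drive the host check are the ones an ISP would turn into /32 (or whole-prefix) null routes, so both checks can be fed from one maintained list.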
Of course the problem is THAT would open up a whole other can of worms.
Millions of people getting some sort of page or pop-up telling them "Warning, your computer is infected, please immediately ... yadda yadda yadda", and then learning through support and/or the news that such warnings that pop up randomly can actually be true, when in reality there is a high chance they originally GOT their machines infected by cluelessly believing such a warning that an infected page popped up.
Just shutting it down after informing the ISPs that a probable flood of support calls will hit would have been my preferred option.