Slashdot Mirror


FBI To Shut Down DNSChanger Servers Monday -- But Should It Cut Off 300k PCs?

nk497 writes "The FBI is set to pull the plug on DNSChanger servers on Monday, leaving as many as 300,000 PCs with the wrong DNS settings, unable to easily connect to websites — although that's a big improvement from the 4m computers that would have been cut off had the authorities pulled the plug when arresting the alleged cybercriminals last year. The date has been pushed back once already to allow people more time to sort out their infected PCs, but experts say it's better to cut off infected machines than leave them be. 'Cutting them off would force them to get ahold of tech support and reveal to them that they've been running a vulnerable machine that's been compromised,' said F-Secure's Sean Sullivan. 'They never learn to patch up the machine, so it's vulnerable to other threats as well. The longer these things sit there, the more time there is for something else to infect.'"

29 of 140 comments

  1. About time... by Guspaz · · Score: 4, Insightful

    They should have cut them off immediately, when there were 4 million PCs connecting to them. How are people supposed to learn?

    1. Re:About time... by aix tom · · Score: 5, Interesting

      Of course the problem is THAT would open up a whole other can of worms.

      Millions of people getting some sort of page or pop-up telling them "Warning, your computer is infected, please immediately ... yadda yadda yadda", and then learning through support and/or the news that such warnings that pop up randomly can actually be true. When in reality there is a high chance they even originally GOT their machines infected by cluelessly believing such a warning that an infected page popped up.

      Just shutting it down after informing the ISPs that a probable flood of support calls will hit would have been my preferred option.

    2. Re:About time... by Hentes · · Score: 3, Funny

      They can sign the message with the FBI key so users can ensure its validity.

    3. Re:About time... by dark12222000 · · Score: 3, Insightful

      Of course, because the sorts of people who run infected machines constantly are well aware of things like signing keys.

    4. Re:About time... by Tim the Gecko · · Score: 2

      There are probably a handful of sites - Google, MSN, Facebook, etc - that practically all of those people will access. Why not ask those companies to post some information about how to check if you're infected and/or how to fix the infection? It seems like this thing could be fixed pretty easily if you had the biggest sites on the Internet on board.

      People don't trust an email from "teh FBI" but they sure as hell trust what comes up on the Google or Facebook home page.

      Or is it unthinkable to ask the biggest players on the Internet to be good net citizens and help out a little bit for the good of everybody?

      You mean they should do something like what Google and Facebook are doing?

  2. Agree by JcMorin · · Score: 2

    They should be redirected for all their query to a page telling them they are infected and they will be cut off...

    1. Re:Agree by Darkness404 · · Score: 5, Interesting

      Yeah, because that will teach them the right message. There are thousands of viruses out there that say "YOU'VE BEEN INFECTED WITH 2312312434 VIRUSES, PURCHASE TOTALLY LEGIT REGISTRY-SCANNER TO FIX". Adding a legitimate message only confuses users.

      In fact, if I recall correctly, the major variants of DNS changer pop up windows saying you need to install X malware that pretends to fix problems.

      --
      Taxation is legalized theft, no more, no less.
    2. Re:Agree by Darkness404 · · Score: 3, Insightful

      Sure, but how many ISPs really have the resources to fix this problem? After all, an ISP deals with the network side of things, not fixing viruses. If the ISP's DNS server is down, you call your ISP. If the ISP cut a fiber optic cable and your internet is down, you call your ISP. If your HDD is broken, you don't call your ISP. If you get a virus, you don't call your ISP. Etc.

      Sadly, aside from a few local places, most of the "big chain" tech support people are extortionists and by the time "Geek Squad" is done "fixing" your computer, you could already upgrade to a newer machine (which is what they want) where the salesmen will use lies and manipulations. Of course, Geek Squad and Best Buy's salesmen are good for the humor value, I asked one of them what the clock speed of one computer was and he said "Eastern standard time of course"...

      --
      Taxation is legalized theft, no more, no less.
  3. Yes, it should shut them down by Todd Knarr · · Score: 5, Insightful

    It's not like this is coming out of the blue. Every one of the owners of those machines has had at least 6 months' warning of the problem. If they haven't done anything before this, they won't do anything about it until their Internet stops working and they have no choice. So stop with the hand-wringing, shut 'em down and let those people suffer the consequences of their own willful stupidity. It's the only way they'll learn.

    1. Re:Yes, it should shut them down by YrWrstNtmr · · Score: 2

      It's not like this is coming out of the blue. Every one of the owners of those machines has had at least 6 months' warning of the problem.

      6 months warning? Where? I guarantee, if I were to go into work on Monday and say "hey, have you heard about that whole DNSChanger thing?"...2, maybe 3, out of 75 would say yes. And those because they read it here.

    2. Re:Yes, it should shut them down by Todd Knarr · · Score: 4, Insightful

      http://www.dcwg.org/
      It's been in every antivirus program update since January. It's been covered on every PC-related Web site out there. Facebook has been warning anyone who visits while infected about the problem since early June. It's been the Malicious Software Removal Tool Microsoft sends monthly through Windows Update for months now. The only people who don't know about the problem are the ones who've been willfully refusing to look at anything related to the security of their computers. Well, you can't safely do that. That's been, or should have been, common knowledge for the last 20 years.

    3. Re:Yes, it should shut them down by Anonymous Coward · · Score: 3, Insightful

      Ah, but grandma-joesixpack has been on the internet with Windows for years. She's been burned. She now ignores ALL sorts of warnings because she figures they're more of those damn malware clicks and emails that she sees all the time and must never click.

      Are they warning people on the paper bill from the ISP? That's the only thing that's going to do it. On the same page with the payment information -- because there's always advertising shit included that she knows to toss straight to the bin. Worded like "WE ARE GOING TO CUT YOU OFF BECAUSE YOUR COMPUTER IS MALFUNCTIONING. CALL US FOR HELP GETTING IT FIXED."

      Note, it must not say only "CALL US", because that might sound like they simply want to rag on her, not help. Even the "HELP" bit is tenuous, because this could just be some fix-it scam. Grandma is pretty practiced at dealing with outfits trying to sell her more than she wants. Vinyl siding on down.

      Less than that isn't going to work. Especially against the noise of the rest of her life. She's gotten through her decades by ignoring quite a bit. Lots of people do.

      And yup, a lot of people don't do paper bills anymore anyway, so that's got limited use too. But the point is to illustrate just how the heck people ignore this stuff, and why it actually is really hard to get SIGNAL through all the NOISE they've learned to block out. It's not just facepalm-How-Can-They-Be-So-Stupid?!. It's a system and you've got to use the right ports to connect.

    4. Re:Yes, it should shut them down by Todd Knarr · · Score: 2

      If grandma-joesixpack is that computer-illiterate, she shouldn't have to be watching out. She should be letting someone more computer-literate set her computer up, including antivirus and automatic updates and all, and when the AV program and Microsoft's MSRT started alerting she should've called said computer-literate helper to fix things.

      And why would we assume she's computer-illiterate? My mother knows enough to call for the tech when things get weird, and she's 70 and just got her first computer. My generation is pushing 50, and we grew up with computers around. Which means my parents' generation had to deal with kids bringing homework from their computer classes home. We're past the point where "they don't know about computers" is a legitimate excuse. If by now you don't know at least a bit about computers and haven't built up a list of people you trust to help you with them and give you advice on them, you're beyond help.

    5. Re:Yes, it should shut them down by Gaygirlie · · Score: 2

      Why can't the ISPs intercept all DNS request packets to the infected servers and redirect the requests to their own DNS server that has been programmed to send all requests, save a few exceptions, to a web page with explicit instructions and hard-coded access to the websites necessary for removal of the virus and ONLY these websites? People can follow rudimentary instructions if they have to.

      Because these computers likely have a bunch of other malware and viruses on them already and thus it's best to just have some geek to do a proper clean-up. It's the best option for all involved.

  4. Why not set up interstitial pages? by tlhIngan · · Score: 2

    Why not do what every ISP is doing - for every DNS request hitting the server, send them to a page that tells them their PC is infected and how to clean it.

    They have to click again in order to get through. Set the TTL of the DNS caching to nil so it happens practically every link - simply bombard them through annoyance?

    Oh, and sure it'll break stuff like e-mail and all sorts of other non-HTTP protocols, which is good because they'll hopefully call tech support or something.

    1. Re:Why not set up interstitial pages? by bolt_the_dhampir · · Score: 2

      So how do you make a "You're infected with X" page people actually trust?

    2. Re:Why not set up interstitial pages? by bjb_admin · · Score: 2

      It would probably be better to redirect them to Rick Roll (No I will not put the URL here).

    3. Re:Why not set up interstitial pages? by John Bokma · · Score: 3, Informative

      DNS servers don't return pages. What you probably mean is to return the same IP address for each and every DNS request, an IP address that hosts a web server that tells people that their computer has been infected. Might be possible to do the same for other protocols, e.g. POP3 will return daily a new email that their computer has been infected, etc.
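The mechanism John Bokma describes (every A query answered with one fixed address that hosts the warning page), combined with tlhIngan's nil TTL so the answer is never cached, as an added example. This is not code from the page, the FBI, the DCWG or any ISP; it speaks raw DNS wire format with only the standard library. The garden address 192.0.2.1 (documentation range) and the unprivileged port 5353 are assumptions, and the sample query is constructed here. It handles the single-question, uncompressed queries that stub resolvers send; AAAA and other types get NOERROR with no data so dual-stack clients fall back to the A answer. As the thread notes, non-HTTP clients still end up talking to an address that does not speak their protocol, and a real deployment also needs the web server at the garden address plus the exceptions for remediation sites that the quoted comment above asks for, neither of which is shown here.

```python
import socket
import struct

GARDEN_IP = "192.0.2.1"  # assumed: the web server that says "your PC is infected"
GARDEN_TTL = 0           # nil TTL: the client asks again on every lookup
TYPE_A, TYPE_AAAA, CLASS_IN = 1, 28, 1


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_A, txid: int = 0x1234) -> bytes:
    """Construct a stub-resolver query; used here only to produce sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def parse_question(packet: bytes):
    """Return (txid, flags, qname, qtype, qclass, offset just past the question)."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, flags, ".".join(labels), qtype, qclass, pos + 4


def build_response(query: bytes, garden_ip: str = GARDEN_IP, ttl: int = GARDEN_TTL) -> bytes:
    """Answer every A/IN query with garden_ip; anything else gets NOERROR, no data."""
    txid, flags, _name, qtype, qclass, qend = parse_question(query)
    resp_flags = 0x8000 | 0x0400 | (flags & 0x0100) | 0x0080  # QR, AA, RD copied, RA
    question = query[12:qend]
    if qtype == TYPE_A and qclass == CLASS_IN:
        # name is a pointer to offset 12 (the question name), then type, class, TTL, rdlength, rdata
        answer = struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, ttl, 4) + socket.inet_aton(garden_ip)
        return struct.pack("!HHHHHH", txid, resp_flags, 1, 1, 0, 0) + question + answer
    return struct.pack("!HHHHHH", txid, resp_flags, 1, 0, 0, 0) + question


def parse_answer(response: bytes):
    """Return (qname, ip, ttl) from a one-answer A response, or (qname, None, None)."""
    _txid, _flags, qname, _qt, _qc, qend = parse_question(response)
    ancount = struct.unpack("!H", response[6:8])[0]
    if ancount == 0:
        return qname, None, None
    _ptr, _rtype, _rclass, ttl, rdlen = struct.unpack("!HHHIH", response[qend:qend + 12])
    rdata = response[qend + 12:qend + 12 + rdlen]
    return qname, socket.inet_ntoa(rdata), ttl


def serve(bind=("0.0.0.0", 5353)):
    """UDP loop; port 5353 is an assumption so the example runs without root."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(build_response(data), peer)
        except ValueError:
            pass  # malformed query: drop it rather than crash the sinkhole


if __name__ == "__main__":
    serve()
```

With the loop running, `dig @127.0.0.1 -p 5353 www.example.com` should show the garden address with TTL 0 for any name you ask for.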

    4. Re:Why not set up interstitial pages? by vlm · · Score: 3, Interesting

      Why not do what every ISP is doing - for every DNS request hitting the server, send them to a page that tells them their PC is infected

      The list of hijacked DNS servers is well known in the biz, so I've heard at least some ISPs have been null routing the DNS server addresses as call queues and customer service staffing permits. Perhaps every day one pop or one CMTS or whatever it is DSL headend gear is called, or one entire city, gets null routes for those specific hijacked DNS /32s.

      It ends up being about the same result in the end, except that you can control your call volume in an extremely fine-grained manner, or at least more fine-grained than the fake DNS server solution.

      Obviously you lose your fine-grained gradual deployment if you redistribute those /32 routes into your site wide BGP route reflector. I wonder how many jokers have leaked those /32s onto the internet by trying to do this.

      The guys who know what they're doing are all done now... The folks who haven't started are going to epic fail no matter what you do, so the FBI may as well just yank those AC cords and be done with it.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    5. Re:Why not set up interstitial pages? by Nimey · · Score: 2

      Redirect all their queries to a page with Goatse and an admonishment to clean their computers.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    6. Re:Why not set up interstitial pages? by bill_mcgonigle · · Score: 2

      So how do you make a "You're infected with X" page people actually trust?

      Don't offer to sell them anything and point this out.

      Tell them to contact their local computer support folks but don't make specific recommendations.

      Give them a link to a page on the FBI's website and give them an 800-number to call. Give them an extension that they can dial from the FBI's main switchboard as well.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    7. Re:Why not set up interstitial pages? by WaffleMonster · · Score: 2

      Don't offer to sell them anything and point this out.

      Tell them to contact their local computer support folks but don't make specific recommendations.

      Give them a link to a page on the FBI's website and give them an 800-number to call. Give them an extension that they can dial from the FBI's main switchboard as well.

      When something like this happens, most people's machines that had been compromised were compromised as a result of a user taking an action most of us would sigh and laugh at.

      They did not have the awareness to keep from being suckered or con'd or whatever so what makes you think they will have the awareness to parse the difference between the FBI doing it and a real attacker?

      It simply does not work to try and push the official message thing; it only makes things worse, because now the phishers are able to leverage FBI policy to maximum effect.

      Besides if your machine is owned going to the FBI web site to check validity is a non-starter.

      The 1-800 number is still a reference an attacker may control. They may even decide to sucker a few people into calling the "FBI switchboard" in order to rack up service charges on their phone bill.

      If you want to do something like this the verification protocol needs to be out of band and well known to the public. Most importantly it needs to be in place before it is ever needed.

      Personally I think a central method of verifying government actors and actions as legitimate in the sense it was not something made up by an imposter would have a lot of value outside this specific issue.

  5. More to the story? by dualboot · · Score: 5, Interesting

    I wonder if the real reason they kept this on life support for so long was to enjoy 6+ months of DNS queries for 4mil-300 thousand users?

    Seems like an excellent opportunity to gather a large amount of intelligence without any messy subpoenas or warrants.

  6. Re:Minor question. . . . by Todd+Knarr · · Score: 5, Informative

    The FBI didn't change any settings. The malware did that, it alters the infected computer's DNS settings to use a set of servers run by the malware authors. What the FBI did was take over those servers and replace the malicious software running on them with software that does normal DNS so infected computers were no longer being redirected to the malware author's sites. And now the FBI's looking at shutting down the servers entirely, which would leave the infected computers with no DNS servers at all.

  7. Re:The right thing to do... by Qzukk · · Score: 4, Funny

    If you tell them to trust that kind of things

    Clearly, then, they should redirect everyone to MyCleanPC ;)

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  8. Cleaning infected computers may not be enough/ by nuckfuts · · Score: 4, Informative

    The DNSChanger malware can change DHCP server settings on some routers. If your home router has been tampered with, it may continue to provide rogue DNS settings even after your PC has been cleaned or reinstalled.

  9. Pull the Plug; Go Catch Crooks by reallocate · · Score: 5, Insightful

    For months, the FBI has been, essentially, providing DNS service for lots of people who didn't even know their machine had been compromised. This is the FBI, remember. If the FBI announced it was going to muck around with the DNS of millions of people, the Usual Suspects here would be ranting about the Evil Of It All.

    Most of those 300,000 remaining victims will likely never fix anything. They've only been on the internet for these last several months thanks to the FBI, and they don't even know it.

    Pull the plug and go catch some crooks.

    --
    -- Slashdot: When Public Access TV Says "No"
  10. It matters for the underserved internet community by kriston · · Score: 2, Informative

    It really does matter for the underserved internet community who rely on affordable and sometimes outdated DSL modems for their access to the internet in rural areas. Many of these DSL modems have been infected by a scary variant of the DNSChanger Zlob trojan that actually changes the DSL modem's DNS settings and changes the DSL modem's password to an unguessable value. The most detrimental effect of this infection is a virtually irreversible firmware change in an unknown but probably high number of DSL modems worldwide which are permanently affixed to the rogue DNS servers, now seized and run by the FBI as clean, boring caching DNS servers. They will be shut down July 9 because the FBI doesn't want to be an ISP, which has the effect of cutting off an unknown number of people from the internet.

    It's not a small problem. It's a big problem. The cost of help desk calls alone will be devastating to the disadvantaged and underserved internet community, i.e., rural America, who may be using the affected DSL modems infected by this Zlob trojan variant.

    The most important note you must realize about this problem is that DNSChanger actually changed the DNS servers on the DSL modem. Just in case you don't realize this: the DSL modem provides the DNS server info to the computer in the home. While the computer may no longer be infected, the DSL modem is configured to use the DNSChanger rogue DNS servers which the FBI seized and will shut down on July 9.

    It's a really big deal and we should treat it like that.

    You can check more out here: http://www.dns-ok.us/

    --

    Kriston
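An offline version of the check behind dns-ok.us, as an added example covering both nuckfuts's point (comment 8) and kriston's (comment 10) that a clean PC can still be handed rogue resolvers by its router or DSL modem. This is not code from the page or from the DCWG. It reads the resolvers a host is actually using from a Unix resolv.conf or from Windows `ipconfig /all` output and classifies each one. The rogue ranges are the ones the FBI and DCWG published for DNSChanger, reproduced here from memory rather than from the page; verify them against dcwg.org before relying on them. The two configuration samples are constructed, not real captures. The classification a practitioner most often misses is the middle one: when the only resolver is the router's own LAN address, the host can look clean while the router forwards everything upstream to a rogue server, so the router's DNS setting has to be inspected as well.

```python
import ipaddress
import re

# DNSChanger rogue resolver ranges as published by the FBI/DCWG, from memory;
# the page itself lists none, so confirm against dcwg.org before acting on them.
ROGUE_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20", "67.210.0.0/20", "93.188.160.0/21",
    "77.67.83.0/24", "213.109.64.0/20", "64.28.176.0/20",
)]


def classify(resolver: str) -> str:
    """'rogue' if inside a DNSChanger range; 'forwarder' if it is a private or
    link-local address (the router answers, so its own upstream setting must be
    checked too); 'unparsed' if not an IP literal; otherwise 'ok'."""
    try:
        addr = ipaddress.ip_address(resolver)
    except ValueError:
        return "unparsed"
    if any(addr in net for net in ROGUE_RANGES):
        return "rogue"
    if addr.is_private or addr.is_link_local:
        return "forwarder"
    return "ok"


def resolvers_from_resolv_conf(text: str) -> list:
    """nameserver entries from a Unix resolv.conf; comments and blanks skipped."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            out.append(parts[1])
    return out


def resolvers_from_ipconfig(text: str) -> list:
    """DNS server addresses from Windows 'ipconfig /all' output; additional
    servers continue on deeply indented lines directly under the first."""
    out, collecting = [], False
    for line in text.splitlines():
        head = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if head:
            out.append(head.group(1))
            collecting = True
            continue
        more = re.match(r"\s{20,}(\S+)\s*$", line) if collecting else None
        if more:
            out.append(more.group(1))
        else:
            collecting = False
    return out


def check(resolvers) -> dict:
    """Map each configured resolver to its classification."""
    return {r: classify(r) for r in resolvers}


# Constructed samples (not captured from a real machine).
SAMPLE_RESOLV_CONF = """\
# generated by dhcpcd
search home.lan
nameserver 85.255.112.10
nameserver 8.8.8.8
"""

SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.20(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       85.255.112.10
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    sources = (("resolv.conf", resolvers_from_resolv_conf(SAMPLE_RESOLV_CONF)),
               ("ipconfig", resolvers_from_ipconfig(SAMPLE_IPCONFIG)))
    for label, found in sources:
        for resolver, verdict in check(found).items():
            print(f"{label}: {resolver} -> {verdict}")
```

On a real host, feed it the contents of /etc/resolv.conf or the output of `ipconfig /all`; any "forwarder" result means logging in to the router or DSL modem and checking the DNS servers configured there against the same ranges, which is exactly the step the comment above says gets skipped after the PC is cleaned.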

  11. Re:why no redirection to a warning page? by hawkinspeter · · Score: 2

    But if it affected every page you tried to visit, you'd eventually want to get your computer fixed, wouldn't you?

    --
    You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe