Slashdot Mirror


FBI To Shut Down DNSChanger Servers Monday -- But Should It Cut Off 300k PCs?

nk497 writes "The FBI is set to pull the plug on DNSChanger servers on Monday, leaving as many as 300,000 PCs with the wrong DNS settings, unable to easily connect to websites — although that's a big improvement from the 4m computers that would have been cut off had the authorities pulled the plug when arresting the alleged cybercriminals last year. The date has been pushed back once already to allow people more time to sort out their infected PCs, but experts say it's better to cut off infected machines than leave them be. 'Cutting them off would force them to get ahold of tech support and reveal to them that they've been running a vulnerable machine that's been compromised,' said F-Secure's Sean Sullivan. 'They never learn to patch up the machine, so it's vulnerable to other threats as well. The longer these things sit there, the more time there is for something else to infect.'"

16 of 140 comments

  1. About time... by Guspaz · Score: 4, Insightful

    They should have cut them off immediately, when there were 4 million PCs connecting to them. How are people supposed to learn?

    1. Re:About time... by aix+tom · Score: 5, Interesting

      Of course the problem is THAT would open up a whole other can of worms.

      Millions of people getting some sort of page or pop-up telling them "Warning, your computer is infected, please immediately ... yadda yadda yadda", and then learning through support and/or the news that such warnings that pop up randomly can actually be true. When in reality there is a high chance they even originally GOT their machines infected by cluelessly believing such a warning that an infected page popped up.

      Just shutting it down after informing the ISPs that a probable flood of support calls will hit would have been my preferred option.

    2. Re:About time... by Hentes · Score: 3, Funny

      They can sign the message with the FBI key so users can ensure its validity.

    3. Re:About time... by dark12222000 · Score: 3, Insightful

      Of course, because the sorts of people who run infected machines constantly are well aware of things like signing keys.

  2. Yes, it should shut them down by Todd+Knarr · Score: 5, Insightful

    It's not like this is coming out of the blue. Every one of the owners of those machines has had at least 6 months' warning of the problem. If they haven't done anything before this, they won't do anything about it until their Internet stops working and they have no choice. So stop with the hand-wringing, shut 'em down and let those people suffer the consequences of their own willful stupidity. It's the only way they'll learn.

    1. Re:Yes, it should shut them down by Todd+Knarr · Score: 4, Insightful

      http://www.dcwg.org/
      It's been in every antivirus program update since January. It's been covered on every PC-related Web site out there. Facebook has been warning anyone who visits while infected about the problem since early June. It's been the Malicious Software Removal Tool Microsoft sends monthly through Windows Update for months now. The only people who don't know about the problem are the ones who've been willfully refusing to look at anything related to the security of their computers. Well, you can't safely do that. That's been, or should have been, common knowledge for the last 20 years.

    2. Re:Yes, it should shut them down by Anonymous Coward · Score: 3, Insightful

      Ah, but grandma-joesixpack has been on the internet with Windows for years. She's been burned. She now ignores ALL sorts of warnings because she figures they're more of those damn malware clicks and emails that she sees all the time and must never click.

      Are they warning people on the paper bill from the ISP? That's the only thing that's going to do it. On the same page with the payment information -- because there's always advertising shit included that she knows to toss straight to the bin. Worded like "WE ARE GOING TO CUT YOU OFF BECAUSE YOUR COMPUTER IS MALFUNCTIONING. CALL US FOR HELP GETTING IT FIXED."

      Note, it must not say only "CALL US", because that might sound like they simply want to rag on her, not help. Even the "HELP" bit is tenuous, because this could just be some fix-it scam. Grandma is pretty practiced at dealing with outfits trying to sell her more than she wants. Vinyl siding on down.

      Less than that isn't going to work. Especially against the noise of the rest of her life. She's gotten through her decades by ignoring quite a bit. A lot of people do.

      And yup, a lot of people don't do paper bills anymore anyway, so that's got limited use too. But the point is to illustrate just how the heck people ignore this stuff, and why it actually is really hard to get SIGNAL through all the NOISE they've learned to block out. It's not just facepalm-How-Can-They-Be-So-Stupid?!. It's a system and you've got to use the right ports to connect.

  3. Re:Agree by Darkness404 · Score: 5, Interesting

    Yeah, because that will teach them the right message. There are thousands of viruses out there that say "YOU'VE BEEN INFECTED WITH 2312312434 VIRUSES, PURCHASE TOTALLY LEGIT REGISTRY-SCANNER TO FIX"; adding a legitimate message only confuses users.

    In fact, if I recall correctly, the major variants of DNS changer pop up windows saying you need to install X malware that pretends to fix problems.

    --
    Taxation is legalized theft, no more, no less.

  4. Re:Agree by Darkness404 · Score: 3, Insightful

    Sure, but how many ISPs really have the resources to fix this problem? After all, an ISP deals with the network side of things, not fixing viruses. If the ISP's DNS server is down, you call your ISP. If the ISP cut a fiber optic cable and your internet is down, you call your ISP. If your HDD is broken, you don't call your ISP. If you get a virus, you don't call your ISP. Etc.

    Sadly, aside from a few local places, most of the "big chain" tech support people are extortionists, and by the time "Geek Squad" is done "fixing" your computer, you could already upgrade to a newer machine (which is what they want), where the salesmen will use lies and manipulations. Of course, Geek Squad and Best Buy's salesmen are good for the humor value; I asked one of them what the clock speed of one computer was and he said "Eastern standard time of course"...

    --
    Taxation is legalized theft, no more, no less.

  5. More to the story? by dualboot · Score: 5, Interesting

    I wonder if the real reason they kept this on life support for so long was to enjoy 6+ months of DNS queries for 4mil-300 thousand users?

    Seems like an excellent opportunity to gather a large amount of intelligence without any messy subpoenas or warrants.

  6. Re:Minor question. . . . by Todd+Knarr · Score: 5, Informative

    The FBI didn't change any settings. The malware did that; it alters the infected computer's DNS settings to use a set of servers run by the malware authors. What the FBI did was take over those servers and replace the malicious software running on them with software that does normal DNS, so infected computers were no longer being redirected to the malware author's sites. And now the FBI's looking at shutting down the servers entirely, which would leave the infected computers with no DNS servers at all.

  7. Re:Why not set up interstitial pages? by John+Bokma · Score: 3, Informative

    DNS servers don't return pages. What you probably mean is to return the same IP address for each and every DNS request, an IP address that hosts a web server that tells people that their computer has been infected. Might be possible to do the same for other protocols, e.g. POP3 will return daily a new email that their computer has been infected, etc.
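    The mechanism described in this comment, a resolver that answers every A query with the same address so that the browser lands on a notice page, as an added example written for this page (it is not the FBI's, DCWG's or any ISP's code). The notice address 192.0.2.10 is a placeholder from the documentation range; `build_query` exists only to construct test input, and `serve` is a plain UDP loop so the parser can be tried locally.

```python
"""Minimal DNS 'sinkhole' responder: every A/IN query gets one fixed answer.
Added example for this page; NOTICE_IP is an assumed placeholder address."""
import socket
import struct

NOTICE_IP = "192.0.2.10"   # assumed: host serving the "your PC is infected" page
QTYPE_A = 1
QCLASS_IN = 1


def parse_name(data: bytes, offset: int):
    """Decode a wire-format name at offset; returns (dotted name, offset after it).
    Compression pointers are rejected: a question section never needs them."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    """Construct a standard recursion-desired query (used here only as sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(struct.pack("!B", len(label)) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def sinkhole_response(query: bytes, notice_ip: str = NOTICE_IP, ttl: int = 60) -> bytes:
    """Answer `query` with notice_ip no matter which name was asked for.
    Non-A queries get an empty NOERROR reply so clients fail over instead of hanging."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    _name, end = parse_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[end:end + 4])
    question = query[12:end + 4]
    answers, ancount = b"", 0
    if qtype == QTYPE_A and qclass == QCLASS_IN:
        # 0xC00C is a compression pointer back to the question name at offset 12.
        answers = (struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, ttl, 4)
                   + socket.inet_aton(notice_ip))
        ancount = 1
    # QR=1, AA=1, RA=1, RCODE=0; RD is copied from the query.
    resp_flags = 0x8480 | (flags & 0x0100)
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, ancount, 0, 0)
    return header + question + answers


def answer_ip(response: bytes):
    """Read the A record address out of a response built above (None if no answer)."""
    ancount = struct.unpack("!H", response[6:8])[0]
    if ancount == 0:
        return None
    _name, end = parse_name(response, 12)
    rr = end + 4                      # first RR: name ptr(2) type(2) class(2) ttl(4) rdlength(2)
    rdlength = struct.unpack("!H", response[rr + 10:rr + 12])[0]
    return socket.inet_ntoa(response[rr + 12:rr + 12 + rdlength])


def serve(bind_addr: str = "127.0.0.1", port: int = 5353) -> None:
    """Blocking UDP loop; answers each datagram with sinkhole_response (local testing only)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(sinkhole_response(data), peer)
        except (ValueError, IndexError, struct.error):
            continue          # malformed datagram: drop it rather than crash the loop


if __name__ == "__main__":
    print(answer_ip(sinkhole_response(build_query("www.example.com"))))
```

    The point the comment makes survives in the code: the resolver has no idea what page the user wanted, it only knows the transaction id and the name, so the only thing it can do is hand back one address for everything and let the web server at that address carry the message. Anything that is not an A lookup (the POP3 case above would need a separate service at the notice host) is answered empty so clients do not stall waiting.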

  8. Re:The right thing to do... by Qzukk · Score: 4, Funny

    If you tell them to trust that kind of things

    Clearly, then, they should redirect everyone to MyCleanPC ;)

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.

  9. Cleaning infected computers may not be enough by nuckfuts · Score: 4, Informative

    The DNSChanger malware can change DHCP server settings on some routers. If your home router has been tampered with, it may continue to provide rogue DNS settings even after your PC has been cleaned or reinstalled.
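    A check for the situation this comment describes, added here as an example (not DCWG's or any vendor's tool): it reads the resolvers a host was actually handed, whether from its own config or from a router's DHCP, and flags any that fall inside a rogue range. The ranges below are constructed placeholders from documentation address space, not the real DNSChanger indicators; a real check substitutes the published list (the dcwg.org link appears earlier in the thread). The sample `resolv.conf` and `ipconfig /all` excerpts are constructed.

```python
"""Flag resolvers that fall in known-rogue ranges. Added example for this page;
ROGUE_RANGES holds placeholder networks, not real indicators."""
import ipaddress
import re

# Assumed placeholders (TEST-NET-1 / TEST-NET-2). Replace with the published list.
ROGUE_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

# Constructed sample: what a router's DHCP handed a Linux host.
RESOLV_CONF = """# generated by dhclient
nameserver 192.0.2.53
nameserver 203.0.113.1
"""

# Constructed sample: the relevant lines of 'ipconfig /all' on a Windows host.
IPCONFIG = """   DHCP Server . . . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 198.51.100.7
                                       10.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_resolvers(text: str) -> list:
    """Return the unique resolver addresses in `text`, in order of appearance.
    Understands resolv.conf 'nameserver' lines and the 'DNS Servers' field of
    ipconfig output, including its indented continuation lines."""
    found = []
    in_dns_block = False
    for line in text.splitlines():
        candidate = None
        m = re.match(r"\s*nameserver\s+(\S+)", line)
        if m:
            candidate = m.group(1)
        else:
            m = re.search(r"DNS Servers[ .]*:\s*(\S+)", line)
            if m:
                candidate, in_dns_block = m.group(1), True
            elif in_dns_block and _IPV4.match(line.strip()):
                candidate = line.strip()          # continuation line of the DNS field
            else:
                in_dns_block = False              # any other field ends the block
        if candidate is None:
            continue
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:
            continue
        if addr not in found:
            found.append(addr)
    return found


def flag_rogue(resolvers, rogue_ranges=ROGUE_RANGES) -> dict:
    """Map each resolver (as a string) to True if it lies inside a rogue range."""
    return {str(r): any(r in net for net in rogue_ranges) for r in resolvers}


def check_text(text: str, rogue_ranges=ROGUE_RANGES) -> list:
    """Convenience: the rogue resolvers found in one config excerpt, as strings."""
    return [ip for ip, bad in flag_rogue(parse_resolvers(text), rogue_ranges).items() if bad]


if __name__ == "__main__":
    for label, sample in (("resolv.conf", RESOLV_CONF), ("ipconfig", IPCONFIG)):
        print(label, flag_rogue(parse_resolvers(sample)))
```

    One caveat follows directly from the comment: a host whose only resolver is its gateway (10.0.0.1 above) looks clean to this check, yet the router may itself be forwarding to a rogue server. The same comparison therefore has to be run against the DNS addresses configured on the router's WAN side, not just on the PCs behind it.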

  10. Re:Why not set up interstitial pages? by vlm · Score: 3, Interesting

    Why not do what every ISP is doing - for every DNS request hitting the server, send them to a page that tells them their PC is infected

    The list of hijacked DNS servers is well known in the biz, so I've heard at least some ISPs have been null routing the DNS server addresses as call queues and customer service staffing permits. Perhaps every day one pop or one CMTS or whatever it is DSL headend gear is called, or one entire city, gets null routes for those specific hijacked DNS /32s.

    It ends up being about the same result in the end, except that you can control your call volume in an extremely fine-grained manner, or at least more fine-grained than the fake DNS server solution.

    Obviously you lose your fine-grained gradual deployment if you redistribute those /32 routes into your site wide BGP route reflector. I wonder how many jokers have leaked those /32s onto the internet by trying to do this.

    The guys who know what they're doing are all done now... The folks who haven't started are going to epic fail no matter what you do, so the FBI may as well just yank those AC cords and be done with it.

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger

  11. Pull the Plug; Go Catch Crooks by reallocate · Score: 5, Insightful

    For months, the FBI has been, essentially, providing DNS service for lots of people who didn't even know their machine had been compromised. This is the FBI, remember. If the FBI announced it was going to muck around with the DNS of millions of people, the Usual Suspects here would be ranting about the Evil Of It All.

    Most of those 300,000 remaining victims will likely never fix anything. They've only been on the internet for these last several months thanks to the FBI, and they don't even know it.

    Pull the plug and go catch some crooks.

    --
    -- Slashdot: When Public Access TV Says "No"