Slashdot Mirror


US ISPs Continue To Support DNSChanger Redirection Servers

darthcamaro writes "On Monday of this week, the primary servers that kept those infected with the DNSChanger malware online were taken offline. It's a story that sparked lots of media hype with people claiming that hundreds of thousands of people could lose their Internet access. As it turns out, major U.S. ISPs including Verizon, Cox, AT&T and CenturyLink all kept their own DNSChanger servers online, protecting any users from losing their access."

13 of 87 comments

  1. What's the big deal? by Jah-Wren+Ryel · · Score: 4, Insightful

    Don't all of those ISPs play that dirty trick of redirecting failed DNS lookups to advertising? Why don't they just set their DNSchanger servers to redirect all lookups to some page telling the user that their system is infected and how to download a tool to fix it?

    Sure it will break everything but http(s) but if they are happy to do it for money why aren't they happy to do it for the common good?

    --
    When information is power, privacy is freedom.
    1. Re:What's the big deal? by NettiWelho · · Score: 3, Insightful

      Because if they meddled with end-user functionality they'd be swamped with angry customers demanding service and help. They take the cheap route that doesn't require additional effort on their part and lessens the incoming workload.

    2. Re:What's the big deal? by nurb432 · · Score: 5, Insightful

      The big deal is they are keeping infected computers online.

      These should have been cut off day one, with a message 'call your isp' and allow NO other traffic to protect the users' data.

      --
      ---- Booth was a patriot ----
    3. Re:What's the big deal? by John+Bokma · · Score: 3, Interesting

      You and me both. But I know plenty of people who consider themselves "power users" and would consider such a move patronizing (and an accusation that they made a mistake; how could they!). And I know even a few who don't care about malware on their computer as long as it isn't too much in the way (some even call it cool to be a part of one or more botnets...).

    4. Re:What's the big deal? by CheshireDragon · · Score: 3, Informative

      Then those egomaniacs need a slap in the face. If they were in fact a power user they wouldn't have let this happen to their system.

      --
      "That's right...I said it."
  2. Oh for the love of god by 0racle · · Score: 4, Insightful

    Knock them off the internet already so they know they have a problem. DNSChanger is probably not the only issue they have.

    --
    "I use a Mac because I'm just better than you are."
    1. Re:Oh for the love of god by bmo · · Score: 5, Insightful

      "Knock them off the internet already so they know they have a problem. DNSChanger is probably not the only issue they have."

      This. I have *never* seen a compromised system with just one piece of badware. These people are probably running around with dozens, if not hundreds of pieces of evil in their machines.

      Knocking them off the net would be doing them a favour.

      --
      BMO

    2. Re:Oh for the love of god by bmo · · Score: 4, Informative

      "Any algorithm to decide what machine is infected remotely is not going to be any smarter than the designer, and probably a lot less so."

      The thing is that there is no algorithm at work at all except the infection itself.

      If you paid attention at all to the goings-on of this issue at all, you'd know that DNS Changer does what it's titled to do: point at a (formerly) criminally controlled set of DNS machines. These have since been commandeered by authorities and maintained. The infected machines are being artificially propped up. To "disconnect" people, all they have to do is turn these off and let the end users fend for themselves.

      So let me repeat: there is no "remote turnoff" being done here. The computers are left without a DNS when the fake DNS machines are turned off. If your computer does not point at a valid DNS when they turn off the fake DNS, it is 100 percent guaranteed that you have the DNS Changer malware.

      --
      BMO

    3. Re:Oh for the love of god by bmo · · Score: 3, Informative

      "All a user would need to do (assuming they were literate enough to get networking... and not know they were infected) is remap the DNS section of their IP config to resolve the issue?"

      If it was really, really simple, yes. But I suspect that the authors of DNS Changer already thought of that and will prevent you from simply changing it manually, or at least run a scheduled task to keep it set wrong (the Macintosh variant does this with a crontab).

      It was spread as a "video codec" on porn sites and then as "funny video" sites, which I guess is more popular. The internet was built on porn and lolcats.

      In any case, if you have an updated malware removal tool, it should remove it. Removal is effective.


      If your DNS servers are in these ranges, then you are affected.

              64.28.176.1 - 64.28.191.254
              67.210.0.1 - 67.210.15.254
              77.67.83.1 - 77.67.83.254
              85.255.112.1 - 85.255.127.254
              93.188.160.1 - 93.188.167.254
              213.109.64.1 - 213.109.79.254

      --
      BMO
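
The range check described in the comment above, as an added example that is not part of the original post: it compares configured resolvers against the six listed ranges. The function names and the resolv.conf-style input are assumptions, and the sample text is constructed.

```python
import ipaddress

# Rogue resolver ranges as listed in the comment above (first, last), inclusive.
ROGUE_RANGES = [
    ("64.28.176.1", "64.28.191.254"),
    ("67.210.0.1", "67.210.15.254"),
    ("77.67.83.1", "77.67.83.254"),
    ("85.255.112.1", "85.255.127.254"),
    ("93.188.160.1", "93.188.167.254"),
    ("213.109.64.1", "213.109.79.254"),
]
_BOUNDS = [(ipaddress.IPv4Address(a), ipaddress.IPv4Address(b))
           for a, b in ROGUE_RANGES]


def is_rogue(address):
    """True if the string is an IPv4 address inside one of the listed ranges."""
    try:
        addr = ipaddress.IPv4Address(address)
    except ValueError:  # IPv6 addresses, hostnames, malformed input
        return False
    return any(first <= addr <= last for first, last in _BOUNDS)


def rogue_nameservers(resolv_conf_text):
    """Return the nameserver entries of resolv.conf-style text that are rogue."""
    hits = []
    for raw in resolv_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver" and is_rogue(fields[1]):
            hits.append(fields[1])
    return hits


# Constructed sample, not taken from a real machine.
SAMPLE_RESOLV_CONF = """\
# constructed example
nameserver 85.255.112.36
nameserver 192.0.2.53
nameserver 2001:db8::53
"""

if __name__ == "__main__":
    for server in rogue_nameservers(SAMPLE_RESOLV_CONF):
        print("resolver in a DNSChanger range:", server)
```

The check only covers the resolver list it is given; a hit means the DNS setting points into a listed range, not that the cause has been removed.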

  3. Why? by Technoodle · · Score: 5, Insightful

    This is a fail. The problem will not go away if we keep coddling people that have infected machines.

  4. "Loose"? by danomac · · Score: 4, Funny

    "It's a story that sparked lots of media hype with people claiming that hundreds of thousands of people could loose their Internet access."

    That was the problem initially, the computers were too loose and malware got in.

  5. Commercial Decision by sociocapitalist · · Score: 4, Insightful

    "...protecting any users from losing their access."

    This had nothing to do with protecting users. This was because the ISPs didn't want to be overwhelmed with support calls and have to deal with X ignorant and pissed off customers who don't know DNSChanger from a hot dog and who will just blame the ISP for any outage.

    --
    blindly antisocialist = antisocial
  6. What will it take? by crow · · Score: 3, Insightful

    What will it take for people to start taking security seriously? One of these days a major botnet will wipe a few million hard drives with no warning. I'm not convinced that even that would do it.