DNS Changer infrastructure shutdown is a *good* thing

Filed Under: Featured, Law & order, Malware

Ghost computer image courtesy of ShutterstockThere has been a lot of concern expressed over the planned shutdown of DNS infrastructure formerly used by malware purveyors to redirect unsuspecting victims to further scams and make money.

In November 2011 the FBI busted six Estonians in an international crackdown called Operation Ghost Click.

The FBI seized control of the rogue DNS servers that were being used by the victim computers and ensured they produced correct DNS answers.

According to Internet Identity, a Washington-based security firm, over half of both the Fortune 500 and US federal government agencies still have machines pointing at these formerly malicious servers.

According to the DNS Changer Working Group there are still approximately 450,000 computers actively infected.

Compared to the 3+ million machines infected with Conficker, it really isn't so widespread as to cause mayhem if the servers are turned off.

The court order for the FBI to continue to provide this service (using US taxpayer dollars) expires on March 8th, 2012. What happens now?

Shocked computer user courtesy of ShutterstockIf the servers go down any machine currently relying on them for DNS name services will cease to be able to browse the web, read email or do just about anything on the internet at all.

While this might be a bit of a shock to the victims, isn't this ultimately a good thing?

You can't survive cancer by not getting tested. Keeping your machine infected so you can surf is not likely the best strategy.

This situation reminds me of the Windows Update shipped out on Patch Tuesday in February of 2010. Computers that were infected with the TDSS rootkit would get a blue screen of death (BSoD) after applying the security updates.

Was it disruptive to those with infections? Sure.

Yet these folks were infected with a rather nasty rootkit and were forced to take action to fix their PCs and improve their security and the security of others they may infect.

If DNS Changer was simply a DNS problem you could argue that providing them with DNS service is a kind gesture, but more often then not this malware came with additional payloads that could pose far greater risks to the user.

DNS Changer also prevents machines from getting security updates, which is a huge problem for those infected who are now at risk from lots of other malicious garbage.

I say turn them off. It will be a rude wake-up call, but an unfortunately necessary one.

We all have responsibility for our own security and safety and it isn't the job of the FBI or anyone else to coddle those who haven't taken the steps to ensure their own safety.



Ghost computer and shocked computer user images courtesy of Shutterstock.

, , ,

You might like

8 Responses to DNS Changer infrastructure shutdown is a *good* thing

  1. Michael S · 902 days ago

    Just have those DNS servers redirect users to a page that says "your machine was hijacked, here's what you need to do." Don't redirect all DNS, so you don't disrupt any business function (local servers, AD, etc), just pick the major public sites that will guarantee the user will soon see the message: all the major search engines, Facebook, Twitter, AOL etc. Give it 6 weeks and then cut them off.

  2. Sorcerer · 902 days ago

    It isn't an issue for the FBI to shut down these DNS servers on the posted schedule, except, perhaps for those 450,000 lazy users. The approximately 6 months (by March 8) of the FBI running these servers to enable an infected user base to get their act together and disinfect or rebuild has been very generous (of the judge). Sometimes Tough Love is what it takes to educate someone.

  3. pmshah · 901 days ago

    Unless you have your preference of DNS server most Modems, both ADSL and cable , will derive their DNS IP from the ISP. If the ISP itself is infected there isn't much a subscriber can do.

    I have 2 NICs and always set the DNS for my NICs via a startup batch file using netsh command line. This way one can ensure one starts with correct setup every time you boot a Windows PC.

  4. Microchip · 900 days ago

    Agreed Chester.
    If the FBI are continuing to run these DNS servers, presumably they are recording the IP addresses of computers issuing incoming DNS requests. I also assume that any computers using US Government IP addresses have already been de-loused. How about either informing the ISPs issuing those IP addresses or posting those IP addresses on the net?
    I like the suggestion made by Michael S but suspect that most people will not understand that the page is genuine. It would look like a new form of false Anti-Virus.

    • Jesse · 841 days ago

      They don't have to believe it's legitimate. Even if they think it's "Fake" they'll think they obviously have a virus that's telling them they have it :)

  5. Arnold Magee · 900 days ago

    I would like to change my ISP number occasionally perhaps four times a year. Any harm? Any suggestions? Thanks

  6. Tony · 899 days ago

    As for shutting them off perhaps an intermediate step of a captive portal approach? Resolve all DNS requests to a web host that servers up a page saying something along the lines of, "If you are reading this, you were infected..."

  7. bartz · 871 days ago

    How about pointing readers to the list of those DNS servers?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.