The FBI will turn off the Internet on Monday (or not)
On Monday, the DNS Changer Working group will discontinue providing DNS service to hosts infected with the DNS changer virus. This new item led to a flood of news reports, which IMHO blow the entire affair out of proportion (the headline to this diary entry pretty much reflects a discussion I had today with a non technical person responding to one of these articles). Reading this article, it is likely that you will be one of the people being asked for advice as "how to protect yourself" from this virus. I find it useful to stick to these talking points:
The DNS Changer malware was spreading last year and changed DNS settings in computers it infected. After arresting the group behind this malware, the FBI, as permitted by a court order, worked with ISPs and the DNS Changer Working Group to continue to operate the DNS server that the infected systems pointed to. The hope was to identify and notify as many infected systems as possible. As expected, over the last few months, these efforts had diminishing results. The court order permitting the DNS server is about to expire and as a result, this stand in DNS server will not continue to operate.
If your system is still configured to use the bad DNS server, you will not be able to resolve host names. Even if you removed the malware, it is still possible that you didn't revert the DNS settings change.
For Windows users, this may actually not matter. According to some reports, Windows may actually revert to the default settings once the DNS server is turned off. If you used the bad DNS server, chances are that various entities tried to notify you. Google for example should have shown you a banner. If you don't see a warning banner when visiting Google, you are not one of the systems identified as infected.
Some ISPs setup their own DNS servers for DNS Changer victims. These DNS servers will remain active for now.
This malware is also old enough where Antivirus, if you run any, should have signatures for it.
In short: Don't worry. There are estimates of 250,000 infected systems based on data from the DNS changer working group. There are about 2,000,000,000 internet users. So about 0.01% of internet users are infected. In other words: Very few. People who have disregarded warning banners, phone calls from ISPs, AV warnings, and other notification attempts. They probably should be disconnected from the Internet.
In a few cases routers may be affected by the change, and the router will use the wrong DNS server. Again: if you are connected to one of these routers, you should have seen warning banners. If you haven't seen warning banners at Google: Don't worry.
Lastly: Tell people to go to dcwg.org (short for DNS Changer Working Group.org). It has a little test to tell you if you are affected or not. It also got a lot of first hand information about this malware.
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Application Security: Securing Web Apps, APIs, and Microservices | Online | US Eastern | Jan 27th - Feb 1st 2025 |
Comments
Shaun
Jul 9th 2012
1 decade ago
Joshua
Jul 9th 2012
1 decade ago
hacks4pancakes
Jul 9th 2012
1 decade ago
Scott
Jul 10th 2012
1 decade ago
John
Jul 10th 2012
1 decade ago
Compare it to your automobile -- when the "check engine" light goes on, does the computer immediately shut-down the vehicle, forcing one to hire a tow-truck to transport it to a service-area, or does the vehicle continue to operate, in some "degraded" mode, to allow the owner to self-transport the vehicle? In this case, since the FBI now "owns" the "rogue" DNS-servers, lighting-up the "check-engine" light (Google banner) gives the computer-owner the "new" information that there is a problem, that the computer-owner can either self-medicate, or choose to out-source the repair (virus-scan and "undo" the DNS changes).
What could be gained by "killing" an infected computer, given that the attack-vector ("wrong" answers from a DNS-server) has been suppressed?
Melvin
Jul 10th 2012
1 decade ago
People with compromised PCs who go weeks/months without realizing it are more likely to be causing accidents on the ol' information superhighway than those who realize sooner/aren't compromised to begin with.
I think the argument for keeping the DNS servers going for as long as they did is simply economic. The cost of doing so was cheaper than the costs associated with the disruption that would have occurred had the FBI not taken over the rogue DNS servers.
Arguably the amount of time the FBI ran these servers was unnecessary, and I wouldn't dispute that point.
I think over time this will be less of an issue as people migrate to mobile devices that have (theoretically) a reduced capacity for causing harm. We've basically been letting babies play with chainsaws. Those days are (eventually) coming to an end.
Steve
Jul 10th 2012
1 decade ago
No argument that they were running the servers for longer than they really needed to, but I think the intended purpose was met.
Also, my understanding was that all operations of the servers was handled by this international third party, and while the US may have provided some funding, it was not financing the entire operation. But I could be wrong.
Adam
Jul 10th 2012
1 decade ago