Internet Troubles Loom

This March 8th, the FBI is planning to unplug the domain name servers (DNS) it set up to help eliminate malware from the more than half of Fortune 500 companies and government agencies that were still infected in early 2012. Computers still infected with the Trojan will not be able to access the Internet after the FBI shuts down its temporary servers.

…the feds replaced the criminals’ servers with clean ones that would push along traffic to its intended destination. Without the surrogate servers in place, infected PCs would have continued trying to send requests to the now-unplugged rogue servers, resulting in DNS errors.

The malware, called the DNSChanger Trojan, is said to illegally redirect traffic and prevent users from reaching the updates needed to remove it. Without access to these critical patches, the affected large companies, government agencies, and home users are said to be more susceptible to hackers.

The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. DNS translates queries for domain names (which are meaningful to humans) into IP addresses for the purpose of locating computer services and devices worldwide. An often-used analogy to explain the Domain Name System is that it serves as the phone book for the Internet by translating human-friendly computer hostnames into IP addresses. For example, the domain name www.example.com translates to the addresses 192.0.43.10 (IPv4) and 2620:0:2d0:200::10 (IPv6).

This change could potentially leave a great number of Internet users without access to the Web. When I run across someone who is having Internet issues, the very first thing I do is have them change their DNS. http://jet-computing.com/resource-links/opendns/

The feds received a court order in November 2011 to replace the “rogue” servers with surrogate servers to operate “just long enough for companies and home users to remove DNSChanger malware from their machines.”

Rod Rasmussen, president of Internet security company Internet ID, has stated that there are still millions of PCs infected with DNSChanger. “At this rate, a lot of users are going to see their Internet break on March 8.”

A working group advising the FBI is said to be considering requesting an extension of the court order to give more time to users of infected machines to remove the malware.

Although this may indeed be a very real problem that Internet users must be vigilant to protect themselves from, depending on the government to provide servers when its own agencies are infected doesn’t seem like a trustworthy solution. Additionally, a previous private-government working group put together in 2009 to combat the Conficker worm has accomplished very little, as 3 million computers are still said to be infected.

These viruses are called Trojans because they are disguised as something friendly, enter computers, and then install malicious software. Someone with a healthy distrust of the government may see the FBI’s warning that millions will be cut off from the Internet as a Trojan Horse itself, a way for the FBI to retain control over the new servers. After all, if the FBI is controlling the “legitimate” servers, wouldn’t it have access to all the traffic information of individual users and large corporations?

This situation reminds me of the Windows Update shipped out on Patch Tuesday in February of 2010. Computers that were infected with the TDSS rootkit would get a blue screen of death (BSoD) after applying the security updates.

Was it disruptive to those with infections? Sure.

Yet these folks were infected with a rather nasty rootkit and were forced to take action to fix their PCs and improve their security and the security of others they may infect.

If DNS Changer were simply a DNS problem, you could argue that providing victims with DNS service is a kind gesture, but more often than not this malware came with additional payloads that could pose far greater risks to the user.

DNS Changer also prevents machines from getting security updates, which is a huge problem for those infected who are now at risk from lots of other malicious garbage.

I say turn them off. It will be a rude wake-up call, but an unfortunately necessary one.

We all have responsibility for our own security and safety.

What is the DNS Changer Malware?

On November 8, the FBI, the NASA-OIG and Estonian police arrested several cyber criminals in “Operation Ghost Click”. The criminals operated under the company name “Rove Digital”, and distributed DNS-changing viruses, variously known as the TDSS, Alureon, TidServ and TDL4 viruses. You can read more about the arrest of the Rove Digital principals here, and in the FBI Press Release.

What does the DNS Changer Malware do?

The botnet operated by Rove Digital altered user DNS settings, pointing victims to malicious DNS in data centers in Estonia, New York, and Chicago. The malicious DNS servers would give fake, malicious answers, altering user searches, and promoting fake and dangerous products. Because every web search starts with DNS, the malware showed users an altered version of the Internet.

Under a court order, expiring March 8, the Internet Systems Corporation is operating replacement DNS servers for the Rove Digital network. This will allow affected networks time to identify infected hosts, and avoid sudden disruption of services to victim machines.

How Can I Protect Myself?

This page describes how you can determine if you are infected, and how you can clean infected machines. To check if you’re infected, Click Here. If you believe you are infected, here are instructions on how to clean your computer.
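The infection check described above comes down to one question: do the machine’s configured resolvers fall inside the address blocks the rogue DNS servers used? The following script is an added example (not the DCWG’s or the FBI’s own checker) that reads resolver settings from a resolv.conf file or `ipconfig /all` output and flags any resolver inside a list of rogue blocks. The blocks and the sample configuration below are constructed placeholders; a real check would substitute the ranges published by the FBI/DCWG.

```python
"""Flag configured DNS resolvers that fall inside known-rogue address blocks.

Added example, not code from the original post, the DCWG or the FBI.
ROGUE_BLOCKS holds CONSTRUCTED placeholder ranges (documentation/test
networks); replace them with the published DNSChanger rogue ranges.
"""
import ipaddress
import re

# Constructed placeholders only; these are reserved documentation ranges.
ROGUE_BLOCKS = [
    ipaddress.ip_network("192.0.2.0/24"),       # TEST-NET-1 (placeholder)
    ipaddress.ip_network("198.51.100.0/24"),    # TEST-NET-2 (placeholder)
    ipaddress.ip_network("2001:db8:bad::/48"),  # IPv6 documentation prefix (placeholder)
]

# Constructed sample resolv.conf from a machine whose DNS settings were altered.
SAMPLE_RESOLV_CONF = """\
# constructed sample
search corp.example
nameserver 192.0.2.53        # points into a placeholder rogue block
nameserver 2001:db8:bad::53
nameserver 10.0.0.2          # the site's legitimate resolver
options timeout:2
"""


def extract_resolver_ips(config_text):
    """Return every IP address found in resolv.conf or `ipconfig /all` text.

    Comments (# or ;) are dropped; any token that parses as an IPv4 or
    IPv6 address is kept, so both Unix and Windows output are handled.
    """
    found = []
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0]
        for token in re.findall(r"[0-9A-Fa-f:.%]+", line):
            token = token.split("%", 1)[0]  # strip IPv6 zone id (fe80::1%eth0)
            try:
                found.append(ipaddress.ip_address(token))
            except ValueError:
                continue  # not an address (e.g. a hostname fragment)
    return found


def find_rogue_resolvers(config_text, rogue_blocks=ROGUE_BLOCKS):
    """Return (resolver, block) string pairs for resolvers inside a rogue block."""
    hits = []
    for ip in extract_resolver_ips(config_text):
        for block in rogue_blocks:
            if ip.version == block.version and ip in block:
                hits.append((str(ip), str(block)))
                break
    return hits


if __name__ == "__main__":
    for ip, block in find_rogue_resolvers(SAMPLE_RESOLV_CONF):
        print(f"resolver {ip} is inside rogue block {block}")
```

A hit does not by itself prove an infection, but it is the signal the replacement servers were masking: once they go dark, these resolvers simply stop answering.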
