Botnet closure to cut 300,000 people off the web
By Nicole Kobie
Posted on 4 Jul 2012 at 08:12
The FBI will pull the plug on DNSChanger servers next week, leaving thousands of people without internet access - but such "tough love" is necessary to protect the internet, say experts.
The DNSChanger malware and botnet was shutdown in November last year, following an FBI-led investigation that saw the US police agency confiscate the accused cybercriminals' hardware.
DNSChanger does exactly what the name suggests, fiddling with DNS settings to maliciously redirect users via its command and control servers to different sites. On Monday, the FBI will shut down those servers, leaving as many as 300,000 PCs worldwide - and 19,589 in the UK, as of last month - with the wrong DNS settings and unable to access the web, unless they take the unusual step of directly entering IP addresses into the browser.
What to doFind out if you have an infection by running your antivirus, visiting a DNSChanger checking site or downloading a specialised tool to uncover and clean up the infection at the following sites:
Security firm BitDefender said infections remain at government organisations as well as Fortune 500 companies, but F-Secure's security advisor Sean Sullivan expects most of the afflicted computers will be further down the chain. "My suspicion is a lot of those [infected] machines are going to be tucked away in small/medium businesses, and no-one’s really paying close attention to it," Sullivan said. "Some sort of group-use machine that has gotten infected and no one is taking responsibility for the thing."
Consumers could of course also be affected, but many have already been alerted, as ISPs, Google and Facebook have been warning users.
The FBI was initially going to turn off the servers in March, but extended the clean-up period until Monday. That doesn't look likely to be extended again - and Sullivan doesn't think it should be, saying it was time for "tough love".
"The botnet is pretty much disabled, but if your machine is infected, it’s compromised – it’s an indication that the person who owns the computer doesn’t know it’s infected," he explained. "They never learn to patch up the machine, so it’s vulnerable to other threats as well. The longer these things sit there, the more time there is for something else to infect."
"Cutting them off would force them to get ahold of tech support and reveal to them that they’ve been running a vulnerable machine that’s been compromised," he added.
David Emm, security researcher at Kaspersky Labs, agreed that it was worrying if anyone has missed an infection after this long - many months after it's been made public and been added to antivirus checkers. "If anybody hasn’t cleaned up, it’s a little bit worrying," he said. "Certainly, if it’s an organisation, you might wonder – it’s a bit scary if a business has defences in place that haven’t flagged this up six months down the line."
Still, while hundreds of thousands of PCs remain infected, there were many more when the FBI first started the operation. "It’s still a significant number, but it’s way behind the four million that was the estimate right at the start of this operation," Emm said.
If a PC does refuse to connect to the web on Monday, it's no reason to panic. After removing the malware (see sidebar), DNS settings simply need to be reset. "It’s not going to be completely hopeless, but IT desks better be ready," said Sullivan.
Emm warned IT support desks to expect confusion from users on Monday. "If they didn’t know at that point that they were infected, they may not immediately know on Monday, either."
This should be immediate standard practice for botnets. Nobody, other than the exploiter, benefits from having infected machines online. And what better way to let the user know there's a problem?
By dubiou on 4 Jul 2012
A better idea
Rather than pulling the plug on the servers, wouldn't it be better to modify them so that all DNS queries returned the IP address of a special FBI hosted website pointing out the problem, and providing links to the most popular free and paid for security products?
By PaulOckenden on 4 Jul 2012
That would be sensible.
If it was a music or film copyright issue, they'd be tracking and identifying each PC to sue the owner, but since it's not they'll just pull the plug and walk away.
There's no money in doing the right thing.
By cheysuli on 4 Jul 2012
then if people knew this is what happens when your PC is taken over then the malware/virus writers would just copy the page. you would never know if it was the feds or the bot owners showing you the page.
By SimonCorlett on 4 Jul 2012
Guessing we'll be busy next week
I would put a bet on at least a couple of people I know who will suddenly find their computer offline who will inevitably call me for tech support. I guess the same will be true for many if not all PCPro readers.
By skarlock on 4 Jul 2012
This is really bad!
By Lollita on 5 Jul 2012
So you think there is about 19k PC Pro readers in UK?
By arichter on 5 Jul 2012
- Michael Dell: Cloud infrastructure is the roads, bridges and highways of the 21st century
- How to check your identity hasn’t been sold to the hackers
- Tim Cook: this is how much TV has changed since the 70s
- Westminster wins the .London battle
- 20 years of PC Pro: from deep pan pizza to virtualisation
- Five reasons why the Apple Watch leaves me cold
- Apple Watch, iPhone 6 and 6 Plus: Tim Cook's Apple back with a bang?
- BT Home Hub 5: how to get maximum speed
- 20 years of PC Pro: one-star reviews (including "the worst tablet we've ever seen")
- 20 years of PC Pro: our best covers
- How to write your company's IT security policy
- The key to choosing a secure password
- Please stop reposting fake Facebook messages
- Is Facebook safe for business?
- Don't rely on Chrome's password vault
- Facebook Graph Search: don't panic
- Gmail drafts and Pastebin: could they evade the email snoops?
- Applying for a job at GCHQ? Here's your plain-text password
- Google two-step verification: a must for business email
- Yes, I write down my passwords