back to article DNSchanger shutdown may kick 300,000 offline on Monday

An estimated 300,000 computer connections are going to get scrambled when the FBI turns off the command and control servers for the DNSChanger botnet on Monday. The FBI took control of the botnet in November after identifying its command servers and swapping them out for their own systems – as well as arresting six Estonians …


This topic is closed for new posts.
  1. Comments are attributed to your handle

    Finally. They should have done it months ago.

    1. Paul Crawford Silver badge

      Indeed. Some how I don't think it will be the grandparent generation who are the worst affected...

  2. Velv Silver badge

    "so expect a call from your aging relatives on Monday, asking why they can't make the internets work"

    Except Skype won't be working either, so Granny and Grandpa won't be able to call. Not all bad news then ...

    1. Anonymous Coward
      Anonymous Coward

      Re: "Not all bad news then ..."

      Repeat after me:

      "My Superior Knowledge

      Carries with it

      A Moral Obligation

      To help those

      Whom I consider stupid."

      Thank you.

      Now go and call Grannie (on the phone) to ask if her Internets work OK.

      In all probability you owe her one, you know...

  3. Cupboard

    Am I missing something?

    If this was a botnet designed to supply adverts among other things, couldn't they just spam the infected users with adverts telling them what's up?

    1. Synja

      Re: Am I missing something?

      @cupboard that makes sense, but it's illegal.

    2. Anonymous Coward
      Anonymous Coward

      Re: Am I missing something?

      They tried sending them messages, but the users dismissed them as a scam....Oh, wait a minute......

    3. Barry Tabrah

      Re: Am I missing something?

      Informing the user never works. Send them ads for Elf Bowl 4 - the Santinator and link them to the cleaning tools and they'll install them in a flash, practically clearing the infected PCs in a day. Then break early for a pint.

      1. Anonymous Coward
        Anonymous Coward

        Re: Am I missing something?

        If that doesn't work, the next step is to send them a link to view "Live Nude Girls!" for free if they'll just install the attached browser app.

        And if there's anybody left after that, send them a link to view "Live Nude Men! Free!" and I think you'll pretty much have covered all the bases.

  4. Anonymous Coward
    Anonymous Coward

    People have been given plenty of notice

    Now they need to check their server IP addresses and clean any crap out of their PCs before it's too late though it would be nice to eliminate 1/3 of Net traffic for awhile.

    1. Oliver Mayes

      Re: People have been given plenty of notice

      1/3? You think there are less than 1 million pc's on the internet?

  5. Anonymous Coward
    Anonymous Coward

    Simple fix?

    "DNSChanger reroutes DNS requests to its own servers and then pushes scareware and advertising to infected machines." The servers are now run by the FBI, right? So change the DNS servers to point all infected users to the FBI, DCWG, or detection/cleanup sites/tools so they can get clean. Anyone who's not cleaned up after a week or two probably deserves to be knocked off the internet. Then shut down the site, no need to run it for 3 extra months.

    While I appreciate the FBI hunting down these bastards, tossing them in jail, and keeping infected users running, I think they need to come up with quicker, more standardized methods of dealing with the affected/infected users so they can get back to normal. (Unless the feds are using the DNS requests to track down the even worse child porn/sex trafficker scum and toss them under the jail.)

    1. Oliver Mayes

      Re: Simple fix?

      Except if they do that they're actively interrupting the intended communications of the affected PCs. While now they're effectively invisible proxies, the second they start actively changing where the users get sent the companies who have to spend money on fixing the problem can start pointing fingers at the FBI for disrupting their businesses. Given the general technical knowledge of your average judge, trying to explain what's happening would be a losing battle for the feds.

    2. Tom 13

      Re: Simple fix?

      I think your proposal has a lot of merit. Make an SOP along the lines of:

      1. Take down the botnet.

      2. Standup temporary fix to keep things working while they get cleaned up.

      3. At some defined time later either 6 months or when number of infected users <= 300,000 (or some other acceptable number) reset DNS to point to a web page that basically says "Look fuckwit, we've given you a free ride for 6 months, but your your system is infected with malware. We're not letting you go anywhere else until you fix it, and in 30 days even this message will go away and you'll have nuttin'. Got it? Good. Now get your sorry arse in gear and get this fixed. We'll even offer you a handy clean up tool here: [insert link to clean up tool]. But if you don't trust us (and why should you, but apparently you already trusted someone you shouldn't have, get some you do trust to clean it up."

      4. Turn off the servers when the timer expires.

  6. Anonymous Coward
    Anonymous Coward

    hijack the DNS request that try to query the C&C Center DNS.

    The ISP could do this: any DNS request going to those IP address is to re-routed an alternative DNS server.

    1. Allan George Dyer Silver badge

      Could, but shouldn't

      Isn't interception of communications illegal? Law enforcement doing this under a court order for a minimum period with accountability in specific exceptional circumstances is acceptable, but giving carte blanch to thousands of ISPs is dangerous, and a lot more work.

  7. Anonymous Coward
    Anonymous Coward

    maybe only selling PC's to those capable to using them would be a better idea.

    The FBI should have pulled the plug ages ago. There would not be 300,000+ infections to date still because the owners would have either got the existing PC fixed or purchased a new one. Funny how people take more care once they have been stung.

    1. NogginTheNog
      Thumb Down

      "maybe only selling PC's to those capable to using them would be a better idea."

      They sell cars to people with licences to drive, but many of them still manage to crash them :-S

  8. sniperpaddy

    So what is the fix?

    So what is the fix? Edit the host file?

    1. PC Paul

      Re: So what is the fix?

      Lots of information is on the site.

      To detect it, go here for a simple yes/no test:

      To fix it, run any of the usual online scanners - Stinger, TDSSKiller, Housecall etc. More details are on the page.

      ...that's assuming the el-reg comments screener doesn't kill all of the URLs!

      If it does, look for the DNSChanger Working Group website, D C W G dot org

  9. boltar


    "as well as arresting six Estonians …"

    I bet they were russians living in estonia.

  10. Anonymous Coward
    Anonymous Coward

    Just route all requests to a web page telling them why they're screwed

    Why not just route almost all DNS requests to an intercept web page that explains what's up and how to fix it? Allow DNS requests to sites that provide the tools linked to in the intercept web page.

  11. Anonymous Coward
    Anonymous Coward


    Humm... I wonder what country/location most of these infected machines are in?

    It would help in being pro-active.

  12. vic 4


    that they are turning it off, gives a good opportunity to snoop on people!

  13. Harthin

    It isn't that hard to see why they haven't redirected users

    There are two glaring reasons that they haven't redirected users.

    1. The users would ignore the messages. Users have finally started to listen (at least some) when we tell them not to believe a pop-up or email. You really want us to have to tell them that this time it is real?

    2. The legalities of hijacking a user's traffic are pretty clear in that it is illegal. Just acting as a proxy required a court order.

    In the end, just cutting the existing computers off fulfills everything that all the suggestions above look to achieve with the major plus of less legal wrangling and red tape.

  14. Volker Hett

    Where is the problem?

    They'll probably don't know what happened and call, turn the computer off and on again and then call somebody to fix the internet!

  15. npo4

    They could hand over the IP to a free DNS provider

    They could give the IP addresses to a public DNS service like OpenDNS or Google's DNS

  16. FrancisT

    A tool to help network admins

    If you are running a network, my company - ThreatSTOP - has a tool to help you figure out which computers on the network are infected with DNS Changer.

  17. Anonymous Coward

    We'll get round to it soon enough.

    Obviously if you let someone use your DNS for months you can gather information about their browsing habits and not even have to do any surveillance paperwork.

    Let me look at the question again "why did they take so long" don't know you got me, gimme a clue.

    Set up dns locally for "facebook" to point to local web server then look at the failed HTTP requests, most will have a very good description on the page the user was on, that is not from visiting facebook just sites with face "Like" button or adverts on and there are few of them these days.

    Wonder who is crunching the data?

    Mines the hooded tin-foil-lined one.

  18. phreezerburn

    I'll have two orders of DNS jacking to go please...

    The Yanks already copied the Chinese on this and the Canadian government tried to get it passed under the guise of tech to lock down the trafficking of child porn that they pinky swear promise to not use anywhere else in Canada... maybe.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019