DNSchanger shutdown may kick 300,000 offline on Monday An estimated 300,000 computer connections are going to get scrambled when the FBI turns off the command and control servers for the DNSChanger botnet on Monday. The FBI took control of the botnet in November after identifying its command servers and swapping them out for their own systems – as well as arresting six Estonians …
If that doesn't work, the next step is to send them a link to view "Live Nude Girls!" for free if they'll just install the attached browser app.
And if there's anybody left after that, send them a link to view "Live Nude Men! Free!" and I think you'll pretty much have covered all the bases.
"DNSChanger reroutes DNS requests to its own servers and then pushes scareware and advertising to infected machines." The servers are now run by the FBI, right? So change the DNS servers to point all infected users to the FBI, DCWG, or detection/cleanup sites/tools so they can get clean. Anyone who's not cleaned up after a week or two probably deserves to be knocked off the internet. Then shut down the site, no need to run it for 3 extra months.
While I appreciate the FBI hunting down these bastards, tossing them in jail, and keeping infected users running, I think they need to come up with quicker, more standardized methods of dealing with the affected/infected users so they can get back to normal. (Unless the feds are using the DNS requests to track down the even worse child porn/sex trafficker scum and toss them under the jail.)
Except if they do that they're actively interrupting the intended communications of the affected PCs. While now they're effectively invisible proxies, the second they start actively changing where the users get sent the companies who have to spend money on fixing the problem can start pointing fingers at the FBI for disrupting their businesses. Given the general technical knowledge of your average judge, trying to explain what's happening would be a losing battle for the feds.
I think your proposal has a lot of merit. Make an SOP along the lines of:
1. Take down the botnet.
2. Standup temporary fix to keep things working while they get cleaned up.
3. At some defined time later either 6 months or when number of infected users <= 300,000 (or some other acceptable number) reset DNS to point to a web page that basically says "Look fuckwit, we've given you a free ride for 6 months, but your your system is infected with malware. We're not letting you go anywhere else until you fix it, and in 30 days even this message will go away and you'll have nuttin'. Got it? Good. Now get your sorry arse in gear and get this fixed. We'll even offer you a handy clean up tool here: [insert link to clean up tool]. But if you don't trust us (and why should you, but apparently you already trusted someone you shouldn't have, get some you do trust to clean it up."
4. Turn off the servers when the timer expires.
maybe only selling PC's to those capable to using them would be a better idea.
The FBI should have pulled the plug ages ago. There would not be 300,000+ infections to date still because the owners would have either got the existing PC fixed or purchased a new one. Funny how people take more care once they have been stung.
Lots of information is on the www.dcwg.org site.
To detect it, go here for a simple yes/no test: http://www.dns-ok.us/
To fix it, run any of the usual online scanners - Stinger, TDSSKiller, Housecall etc. More details are on the http://www.dcwg.org/fix page.
...that's assuming the el-reg comments screener doesn't kill all of the URLs!
If it does, look for the DNSChanger Working Group website, D C W G dot org
There are two glaring reasons that they haven't redirected users.
1. The users would ignore the messages. Users have finally started to listen (at least some) when we tell them not to believe a pop-up or email. You really want us to have to tell them that this time it is real?
2. The legalities of hijacking a user's traffic are pretty clear in that it is illegal. Just acting as a proxy required a court order.
In the end, just cutting the existing computers off fulfills everything that all the suggestions above look to achieve with the major plus of less legal wrangling and red tape.
Obviously if you let someone use your DNS for months you can gather information about their browsing habits and not even have to do any surveillance paperwork.
Let me look at the question again "why did they take so long" don't know you got me, gimme a clue.
Set up dns locally for "facebook" to point to local web server then look at the failed HTTP requests, most will have a very good description on the page the user was on, that is not from visiting facebook just sites with face "Like" button or adverts on and there are few of them these days.
Wonder who is crunching the data?
Mines the hooded tin-foil-lined one.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
