If it was up to me...
...I'd keep the DNS servers, for a limited period of time, up but redirect all requests to a page giving instructions on how to fix the problem. I see no reason to support infected machines indefinitely.
The DNSChanger Working Group's replacement DNS servers were taken offline as scheduled on Monday, 9 July. However, rather than leaving an estimated 300,000 machines without internet services it seems that many ISPs have configured their own substitute DNS servers, so that at least some pox-ridden machines still have a safety …
What a joke.
The MSM doesn't report TCP/IP correctly -- ever.
For the PARANOID IDIOTS who actually are affected/infected.
1. REMOVE THE WORM OFF YOUR BOXEN
Use whatever method you want, I like D7 myself.
2. CALL YOUR ISP AND GET YOUR PRIMARY AND SECONDARY DNS, GO TO NETWORK SETTINGS AND TYPE THEM IN.
Now you aren't using the FBI's DNS Server.
I know that's hard for you all to understand, especially with all the misinformation
( Where misinformation = http://www.google.com/search?q=DNS+changer+false+flag )
by the media.
Damn. You're right, what was I thinking?
Except, while looking closely, the information appears to be based on videos by local TV stations.
Anyway, you are right I wasn't sure if I should have stated it
Where You =
instead of
Where Misinformation =
The truth is I didn't want to point at specific websites, because some of them have legit arguments on other topics on them.
1. Last week I heard countless media stories completely misreporting this, that "all of these computers would lose their connection to the internet". !!?!?!?!?!? OH NOOOEEEESS?!?!?!?!?!?
2. For as many ISPs that would like to do the right thing and keep granny's infected box running, you'd think that Microsoft, or Dell, or HP, would buy up the IP addresses and redirect everyone to a page telling them that their computer was broken and to buy a new one ASAP!?!?! I bet they spend a lot more money shifting 300,000 PCs, this would be cheap advertising.
I completely agree that if those things aren't fixed by now then screw 'em. If all of this crap reporting hasn't triggered people into doing something then it is pretty unlikely that they're going to wake up with a clue at this point.
They know the IPs of the infected users so why not have each ISP cut off a few people each day (just have a shell script that adds 10-15 addresses to the firewall each day) then deal with the calls of people that no longer have a connection. Tech support will not be overwhelmed if done properly and they will no longer have to run these servers. Done right, it will be very painless and the most they'd need is one more Support Drone for a couple months.
Sigh.... while I can understand wanting to "help" customers by making sure they have access.... these machines are likely ridden with other spy/malware and the user is likely completely unaware "because everything works as normal".
If the ISPs really wanted to help, offer tech support calls who'll come and try and fix the infection for you. Yeah right, and then get sued because someone's photos no longer open or something absurd like that. I know :(
I think the biggest problem to overcome is people who don't understand what the problem is. So the temporary DNS servers get switched off and they can no longer resolve hostnames. How many will just assume it's another virus and buy something like Norton, or just ignore it? Their ISP may well email them to say what to do, but those are very easy to spoof judging by all the spam "your mailbox has exceeded its limits" emails I get. El Reg obviously has quite a technically aware audience but I know some people think everything hangs off Google and even type URLs into the search box. Trying to explain the vagaries of DNS and DHCP to them can be very difficult. Personally I'd write to infected customers using ye olde paper letters complete with illustrated step-by-step instructions on how to find and fix the problem, and then have a helpline number if they get stuck.
My wife types URLs in the Google box.... she knows she shouldn't/doesn't need to but she does it because that's where the cursor is to start with...
Interestingly I found this means she hardly ever manages to typo a URL as Google will suggest the correct one pretty swiftly, and they do at least "try" and filter out bad pages too :)