Feds apply for DNSChanger safety net extension
Apply for extension before millions of infected PCs are disconnected
Federal authorities have applied for permission to extend the operation of a safety net that allows machines infected by the DNSChanger Trojan to surf the net as normal beyond a 8 March deadline.
DNSChanger changed an infected system's domain name system (DNS) settings to point towards rogue servers that hijacked web searches and pointed surfers towards various sleazy websites, as part of a long running click-fraud and scareware punting scam. The FBI stepped in and dismantled the botnet's command-and-control infrastructure back in November, as part of Operation GhostClick. As many as 4 million machines were infected as the peak of the botnet's activity.
Rogue DNS servers were replaced by legitimate machines at the time of the takedown operation but nothing was done to disinfect infected PCs, a particular concern since the DNSChanger malware is designed to disable security software, leaving infected machines at heightened risk of infection.
Barring court permission, legitimate servers that were set up to replace rogue DNS servers will be taken offline on 8 March, 120 days after the initial takedown operation. The feds have applied (PDF) to extend this safety net until 9 July.
A study by security firm Internet Identity revealed that at least 250 of all Fortune 500 companies and 27 out of 55 major government entities had at least one computer or router that was infected with DNSChanger in early 2012, findings that suggest the post-Ghost Click clean-up operation is running behind schedule. Barring an extension in the operation of the surrogate DNS servers these infected machine rely upon, surfers will be unable to browse the web or send emails as normal after 8 March, unless the DNS settings of compromised computer are restored to their original state.
More information on how to clean up infected machines, and other resources, can be found on the DNS Changer Working Group website here.
Operation Ghost Click led to the arrest of six Estonian nationals, accused of manipulating millions of infected computers using DNSChanger. The alleged ringleader of the group, Vladimir Tsastsin, and another suspect have been already cleared for extradition to the US. Baltic Business News reports that local courts approved the extradition of the four remaining suspects last week. These extraditions remain subject to government approval but this is all but assured, the local news site reports.
Tsastsin previously ran controversial domain registration firm EstDomains, whose accreditation was pulled by ICANN back in 2008 over concerns that EstDomains had become a haven for cybercriminals.
KrebsOnSecurity has a copy of the indictment against Tsastsin and other suspects in the GhostClick case here (PDF). ®
Stop messing about and get these machines properly cleaned up !
I remember when DNS changer trojans first hit my campus... I sent out warnings to people telling them that their machines were infected, and that they need to sort themselves out pronto. Typical responses (from those that replied):
"Why should I bother ? My machine appears to be working at the moment !"
"What's it to you if I use different DNS servers ?"
"No, I think you'll find that YOUR DNS servers are infected" - that was from a computer science student who thought OpenBSD was prone to viruses just like Windows *facepalm*.
Okay, I've tried to be reasonable about this, time to break stuff... I reprogrammed the firewalls to only allow outbound DNS requests from the official campus servers, and a few staff workstations for testing/diagnostic purposes. OpenDNS was also allowed, as some folks were using this legitimately.
It's funny how people sat up and started paying attention when their internets suddenly broke.
Helpdesk was instructed on how to check which DNS servers were being used, anyone not using the normal servers for their part of campus (or OpenDNS) had to get their machine checked over and/or rebuilt.
Leaving all those infected machines unfixed for so long isn't doing anybody any favours, least of all the affected users. Trojans enjoy company, and you can bet quite a few of those machines will be riddled with other nasties.
Turning off the replacement DNS servers will prevent the infected (and unprotected) machines from resolving any URLs... Therefore protecting them from hurting themselves further, or sending more spam.
Sounds like a win win for the rest of the intarweb. Pull the plug!
March 8th should be payback for all the damage that unmaintained computers are doing. Buy a computer that you can maintain or don't plug it in to the rest of the world.