Facebook joins Google in warning DNSChanger victims
Warnings follow decision to withdraw safety net on 9 July
Federal authorities will not seek a further extension to a DNSChanger safety net, meaning an estimated 360,000 security laggards will be unable to use the internet normally unless they clean up their systems before a 9 July deadline.
DNSChanger changed the domain name system (DNS) settings of compromised machines to point surfers to rogue servers – which hijacked web searches and redirected victims to dodgy websites as part of a long-running click-fraud and scareware distribution racket. The FBI dismantled the botnet's command-and-control infrastructure back in November, as part of Operation GhostClick.
In place of the rogue servers, a bank of duplicate machines was set up to resolve internet look-up queries from compromised boxes. This system was established under a court order, which has already been extended twice. The move meant users of compromised machines could use the internet normally – but the safety net by itself did nothing to change the fact that infected machines needed to be cleaned.
At its peak as many as four million computers were infected by DNSChanger. An estimated 360,000 machines are still infected and there's no sign that further extending the safety net will do any good, hence a decision to try other tactics while withdrawing the DNS safety net, which has served its purpose of granting businesses with infected machines time to clean up their act.
Last week Facebook joined Google and ISPs in notifying DNSChanger victims that they were surfing the net using a compromised machine.
"The warnings are delivered using a 'DNS Firewall' technology called RPZ (for Response Policy Zones)," Paul Vixie, chairman and founder of Internet Systems Consortium, told El Reg. "This allows infected users (who are using the 'replacement' DNS servers) to hear different responses than uninfected users (who are using 'real' DNS servers). We can control how an infected user reaches certain websites by inserting rules into the RPZ," he added.
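As an added illustration (not from the article, ISC or the DCWG), this is what a BIND 9 response policy zone looks like once enabled with `response-policy { zone "rpz.example.net"; };` in named.conf: the owner name of each record is the name a client asked for, and the record data decides what that client hears instead of the real answer. All zone and host names below are placeholders.

```conf
; rpz.example.net.db  (placeholder RPZ contents; loaded as an ordinary master zone)
$TTL 300
@    SOA  ns.example.net. hostmaster.example.net. 2012070101 3600 900 604800 300
@    NS   ns.example.net.

; Only clients that resolve through this server see these rewrites, which is
; why rules on the replacement servers reach infected hosts and nobody else.

; Send a queried name to a warning / clean-up page instead of its real address.
warnme.example.com      CNAME  warning.example.net.
*.warnme.example.com    CNAME  warning.example.net.

; Answer NXDOMAIN for a name (CNAME to the root), e.g. a known bot rendezvous host.
badhost.example.com     CNAME  .

; Answer NODATA (name exists, no records) for a name.
quiet.example.com       CNAME  *.

; Exempt one name from the wildcard above; the exact match wins over the wildcard.
status.warnme.example.com   CNAME  rpz-passthru.
```

After editing the file, bump the SOA serial and reload the zone (`rndc reload rpz.example.net`) for the rules to take effect.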
More information – along with clean-up advice – can be found on the DNS Changer Working Group website here. ®
COMMENTS
Charlie Stross has it right
Having suffered only one unintended malware infection (my own stupid fault and a strong lesson learned) in 18 years of internet use, it used to be my position that users who fell victim to these things had nobody but themselves to blame. That the net was a lawless frontier where only those with experience and savvy and a healthy streak of paranoia should be comfortable.
To some extent that's still true. But given how everyone from individuals to organizations and governments have been encouraged to throw their entire existences onto a web that was doomed with security holes from the start, I wonder if it's fair to blame users any more. It is more or less impossible now for anyone in the West to live their life "off the grid". Internet access has become a utility, and almost a life essential, in the same way as gas or water. Is it any fairer to expect end users to keep on top of IT security news than to expect fridge users to understand how heat exchangers work? They've been sold a product, and their expectation is that it should work, and that they should be able to call on someone to fix it when it goes wrong.
I used to call that attitude ignorant, even stupid. Now I'm not so sure. Many of these people didn't ask for all this technology to become part of their lives in the way we early adopters did. But now it's there anyway and they're stuck with it, and the consequences of its shortcomings.
Go back and read the first two paragraphs of this article. It reads like the opening prelude to a Gibson or Suarez novel. But this isn't speculative fiction like it might have been just a few short years ago. This is the world. Everyone's world.
In a recent interview Charlie Stross stated, "The world we live in is the future of the 1980s cyberpunks. This is not necessarily a good thing."
Situations like this ongoing DNSChanger SNAFU just underscore that point. Those of us who dreamed of living in this sort of future are no doubt loving it. But for everyone else, forced to live in it just to get by, many aspects of it are clearly not "a good thing."
Presumably
When they first set up the alt DNS servers they didn't actually have the balls to dead-end the DNS requests to a holding page (with limited onward links to removal sites) until the virus was removed? No fix, no useful Internet.
Harsh but fair in my book.
Then again I wonder how many of these machines are lightly used mail servers and the like that don't have active browser sessions?
Re: Presumably
So.... what's your answer? "What Google and Facebook are doing" has been done for a non-trivial amount of time. Those that remain infected are so oblivious that it's not cleaning up more anymore. That's the whole point. These are the fist-thumpers you talk about, but I don't see options other than forcing them to fix it on pain of firing them as a customer. And no, you DON'T need every customer you can get, because if they're too expensive to keep over this, they're costing you money in other ways already, that your management may or may not see as obvious, but will come out in the end. And, clearly, there's 360,000 of them spread all over the world, so they're obviously not all yours.