
FBI To Shut Down DNSChanger Servers Monday -- But Should It Cut Off 300k PCs?

Soulskill posted more than 2 years ago | from the time-has-been-given dept.

Government 140

nk497 writes "The FBI is set to pull the plug on DNSChanger servers on Monday, leaving as many as 300,000 PCs with the wrong DNS settings, unable to easily connect to websites — although that's a big improvement from the 4m computers that would have been cut off had the authorities pulled the plug when arresting the alleged cybercriminals last year. The date has been pushed back once already to allow people more time to sort out their infected PCs, but experts say it's better to cut off infected machines than leave them be. 'Cutting them off would force them to get ahold of tech support and reveal to them that they've been running a vulnerable machine that's been compromised,' said F-Secure's Sean Sullivan. 'They never learn to patch up the machine, so it's vulnerable to other threats as well. The longer these things sit there, the more time there is for something else to infect.'"


140 comments


Good... (0)

Anonymous Coward | more than 2 years ago | (#40544207)

By seeing some of the stuff I read on news comment boards etc, the internet should be culled

If there was only some way to do it more selectively

Re:Good... (2)

Jetra (2622687) | more than 2 years ago | (#40546097)

As much as I'm glad of the herding of cattle, don't you think that this could be a premise for the government to take down other sites? Such as YouTube or possibly Face under the suspicion of fraudulent activity which isn't too far-fetched seeing as how there are tons of videos on YouTube concerning taking down websites, creating viruses and the like while for Facebook there are scammers abound?

I'm giving a fair warning now: You may want to put your guard up while you still can. The government is taking down less legitimate sites in an attempt to pull the entire internet under one rule - Congressional rule. If we don't react, even without consideration for this incident, you may find yourself losing your rights online and possibly your computer which could be a potential cache of pirated software.

I'm not trying to be a fear-monger, I'm just stating the fact: The government wants to control the internet. While the FBI is taking down smaller sites, we neglect to see the bigger picture: it's going to be a domino effect. First with MegaUpload, then that other site (I can't remember), and now this? If this doesn't bring up red alerts in your head, you might as well just hand over your computer to Congress because you are ignoring the nuke with the keys turned.

Chances are... (1)

Anonymous Coward | more than 2 years ago | (#40544223)

those machines are primarily used to connect to Facebook... so allow me to say:
and nothing of value was lost

About time... (4, Insightful)

Guspaz (556486) | more than 2 years ago | (#40544241)

They should have cut them off immediately, when there were 4 million PCs connecting to them. How are people supposed to learn?

Re:About time... (1)

Anonymous Coward | more than 2 years ago | (#40544315)

No, they should have not resolved any addresses except for those that started with "www." Those addresses should have pointed to a warning page when accessed by html. That way people would have been warned earlier. That is basically how they allow the detection, i.e. infected machines access one address and uninfected detect others. There isn't really a reason that they can't do it for all html pages. I mean, just cutting them off would break programs that access html anyway.

Re:About time... (1)

Capt.DrumkenBum (1173011) | more than 2 years ago | (#40544519)

I agree completely. Shut them down. Most people will not even notice that there is a problem until their computer stops working.
The users will call their ISP, and they will figure out very quickly what the problem is and pass them off to someone to fix it.
Perhaps one or two people might figure out that computers require maintenance, just like a car does, and that maybe paying for such maintenance is a good idea.

But I doubt it.

Re:About time... (1)

Hentes (2461350) | more than 2 years ago | (#40544575)

They could notify them before shutting it down, for example.

Re:About time... (5, Interesting)

aix tom (902140) | more than 2 years ago | (#40545131)

Of course the problem is THAT would open up a whole other can of worms.

Millions of people getting some sort of page or pop-up telling them "Warning, your computer is infected, please immediately ... yadda yadda yadda", and then learning through support and/or the news that such warnings that pop up randomly can actually be true. When in reality there is a high chance they even originally GOT their machines infected by cluelessly believing such a warning that an infected page popped up.

Just shutting it down after informing the ISPs that a probable flood of support calls will hit would have been my preferred option.

Re:About time... (3, Funny)

Hentes (2461350) | more than 2 years ago | (#40545205)

They can sign the message with the FBI key so users can ensure its validity.

Re:About time... (3, Insightful)

dark12222000 (1076451) | more than 2 years ago | (#40545271)

Of course, because the sorts of people who run infected machines constantly are well aware of things like signing keys.

Re:About time... (1)

Hentes (2461350) | more than 2 years ago | (#40545637)

The machines infected can just as well be on a neglected company network. But even if they don't believe the popup the first time, if it pops up before every page they visit most people will realize that the chances of a malicious popup writer owning the whole internet are small.

Re:About time... (1)

PopeRatzo (965947) | more than 2 years ago | (#40545473)

Of course the problem is THAT would open up a whole other can of worms.

Millions of people getting some sort of page or pop-up telling them "Warning, your computer is infected, please immediately ... yadda yadda yadda", and then learning through support and/or the news that such warnings that pop up randomly can actually be true. When in reality there is a high chance they even originally GOT their machines infected by cluelessly believing such a warning that an infected page popped up.

There are probably a handful of sites - Google, MSN, Facebook, etc - that practically all of those people will access. Why not ask those companies to post some information about how to check if you're infected and/or how to fix the infection? It seems like this thing could be fixed pretty easily if you had the biggest sites on the Internet on board.

People don't trust an email from "teh FBI" but they sure as hell trust what comes up on the Google or Facebook home page.

Or is it unthinkable to ask the biggest players on the Internet to be good net citizens and help out a little bit for the good of everybody?

Re:About time... (2)

Tim the Gecko (745081) | more than 2 years ago | (#40546951)

There are probably a handful of sites - Google, MSN, Facebook, etc - that practically all of those people will access. Why not ask those companies to post some information about how to check if you're infected and/or how to fix the infection? It seems like this thing could be fixed pretty easily if you had the biggest sites on the Internet on board.

People don't trust an email from "teh FBI" but they sure as hell trust what comes up on the Google or Facebook home page.

Or is it unthinkable to ask the biggest players on the Internet to be good net citizens and help out a little bit for the good of everybody?

You mean they should do something like what Google and Facebook [theregister.co.uk] are doing?

Re:About time... (1)

sjames (1099) | more than 2 years ago | (#40548721)

Done, and then the date was pushed back and everyone warned again. The 300K remaining are apparently invulnerable to the armor piercing clue.

I agree that maintaining the redirected DNS for a time and issuing a warning was appropriate, it's just that time is months beyond up now.

Re:About time... (1)

Billly Gates (198444) | more than 2 years ago | (#40545015)

The FBI could be liable. Especially if corporate or government computers became infected and no anti virus package had the definitions for it at the time, assuming it started as a 0 day exploit.

Re:About time... (1)

morari (1080535) | more than 2 years ago | (#40545109)

They should have, but then the FBI would not have had unobstructed access to all information flowing through their new DNS servers...

Re:About time... (1)

shoehornjob (1632387) | more than 2 years ago | (#40545439)

They never will learn. Well maybe some of them will but most of them just want their computer to run and nothing more. IMHO you can't change the older ones that are in the system because they don't want to learn anything. It's very much like the Matrix (IMHO) but it's true.

Re:About time... (1)

Gideon Wells (1412675) | more than 2 years ago | (#40546343)

Well, isn't there a way to trick/force all these computers who are affected to go to a website stating: "Yo, you've been hacked and infected. We have taken down the websites, but you are still infected. Do this to get fixed."

Re:About time... (1)

slashmydots (2189826) | more than 2 years ago | (#40547871)

They should have cut them off immediately, when there were 4 million PCs connecting to them. How are people supposed to learn?

By them instead routing 100% of their internet pages to a site telling them they have a virus and how to undo the rogue settings. Then again a malicious browser hijacker telling you to do something shouldn't be trusted but obviously these people are pretty stupid to begin with so it would sort of work.

why no redirection to a warning page? (0)

Anonymous Coward | more than 2 years ago | (#40544243)

Well then, why didn't they redirect every single victim to a "CIA! you're infected. fuckin clean up your PC" page for at least 4 weeks?

Agree (2)

JcMorin (930466) | more than 2 years ago | (#40544275)

They should be redirected for all their query to a page telling them they are infected and they will be cut off...

Re:Agree (5, Interesting)

Darkness404 (1287218) | more than 2 years ago | (#40544297)

Yeah, because that will teach them the right message. There are thousands of viruses out there that say "YOU'VE BEEN INFECTED WITH 2312312434 VIRUSES, PURCHASE TOTALLY LEGIT REGISTRY-SCANNER TO FIX" adding a legitimate message only confuses users.

In fact, if I recall correctly, the major variants of DNS changer pop up windows saying you need to install X malware that pretends to fix problems.

Re:Agree (0)

Anonymous Coward | more than 2 years ago | (#40544327)

It could just be a message as simple as "Call your internet service provider"

Re:Agree (3, Insightful)

Darkness404 (1287218) | more than 2 years ago | (#40544395)

Sure, but how many ISPs really have the resources to fix this problem? After all, an ISP deals with the network side of things, not fixing viruses. If the ISP's DNS server is down, you call your ISP. If the ISP cut a fiber optic cable and your internet is down, you call your ISP. If your HDD is broken, you don't call your ISP. If you get a virus, you don't call your ISP. Etc.

Sadly, aside from a few local places, most of the "big chain" tech support people are extortionists and by the time "Geek Squad" is done "fixing" your computer, you could already upgrade to a newer machine (which is what they want) where the salesmen will use lies and manipulations. Of course, Geek Squad and Best Buy's salesmen are good for the humor value, I asked one of them what the clock speed of one computer was and he said "Eastern standard time of course"...

Re:Agree (1)

Billly Gates (198444) | more than 2 years ago | (#40544957)

Sure, but how many ISPs really have the resources to fix this problem? After all, an ISP deals with the network side of things, not fixing viruses. If the ISP's DNS server is down, you call your ISP. If the ISP cut a fiber optic cable and your internet is down, you call your ISP. If your HDD is broken, you don't call your ISP. If you get a virus, you don't call your ISP. Etc.

Sadly, aside from a few local places, most of the "big chain" tech support people are extortionists and by the time "Geek Squad" is done "fixing" your computer, you could already upgrade to a newer machine (which is what they want) where the salesmen will use lies and manipulations. Of course, Geek Squad and Best Buy's salesmen are good for the humor value, I asked one of them what the clock speed of one computer was and he said "Eastern standard time of course"...

The problem is once your machine becomes infected it uses a plugnplay exploit to reset your router's DNS settings. So it is now the ISP's problem as even if you clean or even buy a new pc you will be cut off and Joe Sixpack doesn't know what a DNS is. All he knows is his internets stop working and since he got a new computer it is therefore the ISP's fault.

Re:Agree (0)

Anonymous Coward | more than 2 years ago | (#40545939)

Am I wrong or aren't the ISPs charging for support? They have to deliver and can't... oh wait. This is typical corporate behaviour.

Re:Agree (1)

ubrgeek (679399) | more than 2 years ago | (#40544655)

Right, and the message will continue, Please call 011 + 234 + 70 + ...

Re:Agree (1)

nurb432 (527695) | more than 2 years ago | (#40545671)

"you have been infected, please call your service provider for assistance"

Re:why no redirection to a warning page? (0)

Anonymous Coward | more than 2 years ago | (#40544433)

If I saw this I would immediately think it's a fake antivirus scam.

Re:why no redirection to a warning page? (2)

hawkinspeter (831501) | more than 2 years ago | (#40548787)

But if it affected every page you tried to visit, you'd eventually want to get your computer fixed, wouldn't you?

Re:why no redirection to a warning page? (1)

Manfre (631065) | more than 2 years ago | (#40544849)

Most users are stupid and will click okay to anything. They should have redirected to a page with an applet, activex, or some other bit of code that the user will blindly click okay to run that will change their DNS settings to OpenDNS or google's public DNS servers.

Re:why no redirection to a warning page? (0)

Anonymous Coward | more than 2 years ago | (#40544949)

And ten minutes later they would be infected with the next batch of malware.
As with Typhoid Mary, their infection is damaging others, not just themselves, so they need to be forced to fix the problem, not just ignore it.

might be too obvious (0)

Anonymous Coward | more than 2 years ago | (#40544255)

Use the dns server to redirect any url to one page informing the user on how to remove the infection/get help?

Instead of having their internet connection just stop working, they will run to their ISPs who did nothing wrong ...

Re:might be too obvious (1)

SQLGuru (980662) | more than 2 years ago | (#40544269)

This. Also, there will be quite a few legit issues masked by this problem and tech support will just tell them "fix your DNS -click-" when in reality the issue could be on the ISPs end.

The right thing to do... (0)

Anonymous Coward | more than 2 years ago | (#40544285)

I know that lying on DNS is bad but I think the best thing to do here would be to send all the victims to a website telling them how to fix their machines.

Re:The right thing to do... (1)

gmuslera (3436) | more than 2 years ago | (#40544377)

Looks like the usual target vector of infection. If you tell them to trust that kind of thing, they will keep getting infected with malware (in fact, more people will fall into that, now malware writers will know what a page looks like that is announced by the government as safe and that must be trusted).

Re:The right thing to do... (4, Funny)

Qzukk (229616) | more than 2 years ago | (#40544557)

If you tell them to trust that kind of things

Clearly, then, they should redirect everyone to MyCleanPC ;)

Yes, it should shut them down (5, Insightful)

Todd Knarr (15451) | more than 2 years ago | (#40544295)

It's not like this is coming out of the blue. Every one of the owners of those machines has had at least 6 months' warning of the problem. If they haven't done anything before this, they won't do anything about it until their Internet stops working and they have no choice. So stop with the hand-wringing, shut 'em down and let those people suffer the consequences of their own willful stupidity. It's the only way they'll learn.

Re:Yes, it should shut them down (2)

YrWrstNtmr (564987) | more than 2 years ago | (#40544351)

It's not like this is coming out of the blue. Every one of the owners of those machines has had at least 6 months' warning of the problem.

6 months warning? Where? I guarantee, if I were to go into work on Monday and say "hey, have you heard about that whole DNSChanger thing?"...2, maybe 3, out of 75 would say yes. And those because they read it here.

Re:Yes, it should shut them down (4, Insightful)

Todd Knarr (15451) | more than 2 years ago | (#40544563)

http://www.dcwg.org/ [dcwg.org]
It's been in every antivirus program update since January. It's been covered on every PC-related Web site out there. Facebook has been warning anyone who visits while infected about the problem since early June. It's been the Malicious Software Removal Tool Microsoft sends monthly through Windows Update for months now. The only people who don't know about the problem are the ones who've been willfully refusing to look at anything related to the security of their computers. Well, you can't safely do that. That's been, or should have been, common knowledge for the last 20 years.

Re:Yes, it should shut them down (3, Insightful)

Anonymous Coward | more than 2 years ago | (#40544869)

Ah, but grandma-joesixpack has been on the internet with Windows for years. She's been burned. She now ignores ALL sorts of warnings because she figures they're more of those damn malware clicks and emails that she sees all the time and must never click.

Are they warning people on the paper bill from the ISP? That's the only thing that's going to do it. On the same page with the payment information -- because there's always advertising shit included that she knows to toss straight to the bin. Worded like "WE ARE GOING TO CUT YOU OFF BECAUSE YOUR COMPUTER IS MALFUNCTIONING. CALL US FOR HELP GETTING IT FIXED."

Note, it must not say only "CALL US", because that might sound like they simply want to rag on her, not help. Even the "HELP" bit is tenuous, because this could just be some fix-it scam. Grandma is pretty practiced at dealing with outfits trying to sell her more than she wants. Vinyl siding on down.

Less than that isn't going to work. Especially against the noise of the rest of her life. She's gotten through her decades by ignoring quite a bit. A lot of people do.

And yup, a lot of people don't do paper bills anymore anyway so that's got limited use too. But the point is to illustrate just how the heck people ignore this stuff, and why it actually is really hard to get SIGNAL through all the NOISE they've learned to block out. It's not just facepalm-How-Can-They-Be-So-Stupid?!. It's a system and you've got to use the right ports to connect.

Re:Yes, it should shut them down (2)

Todd Knarr (15451) | more than 2 years ago | (#40545039)

If grandma-joesixpack is that computer-illiterate, she shouldn't have to be watching out. She should be letting someone more computer-literate set her computer up, including antivirus and automatic updates and all, and when the AV program and Microsoft's MSRT started alerting she should've called said computer-literate helper to fix things.

And why would we assume she's computer-illiterate? My mother knows enough to call for the tech when things get weird, and she's 70 and just got her first computer. My generation is pushing 50, and we grew up with computers around. Which means my parents' generation had to deal with kids bringing homework from their computer classes home. We're past the point where "they don't know about computers" is a legitimate excuse. If by now you don't know at least a bit about computers and haven't built up a list of people you trust to help you with them and give you advice on them, you're beyond help.

Re:Yes, it should shut them down (0)

Anonymous Coward | more than 2 years ago | (#40548255)

Are they warning people on the paper bill from the ISP?

"paper"...I don't think I've subscribed to an ISP in the past decade that could even generate a paper bill.

Re:Yes, it should shut them down (1)

sjames (1099) | more than 2 years ago | (#40548747)

If she has that little idea about it, she's not going to take action until "the internet is broken". Kill the redirected DNS so she will truly understand that something's wrong and will contact someone who can fix it for her.

Re:Yes, it should shut them down (1)

Billly Gates (198444) | more than 2 years ago | (#40545045)

This trojan uses pnp exploit to reset the routers firmware to use the hacked DNS settings.

No amount of AV software nor a new computer hooked into the network can escape this. Logging into the router is out of the depth of average users' knowledge and expertise, and my guess is this and inept corporate IT departments who use unpatched Windows (almost all of them) are the majority of those that are left. So I do not blame these users.

They will have to call their ISP for instructions on how to reset their DNS settings or buy a new wifi router. It will suck to be helpdesk tomorrow on any ISP, that is for sure.

Re:Yes, it should shut them down (1)

Richard_at_work (517087) | more than 2 years ago | (#40544355)

Fuck that, yes they should turn off the DNS servers, and there is only one valid reason why they should - the FBI has no duty of care to *any* of these people to keep their Internet running. Turn the servers off, let the Internet break for these people, let them learn the lesson they should be learning.

Re:Yes, it should shut them down (0)

Anonymous Coward | more than 2 years ago | (#40545087)

The proper thing to do is to re-route those IP addresses to one of the free open DNS sites, or to forward every web request to a web page with software removal instructions.

Re:Yes, it should shut them down (1)

Gaygirlie (1657131) | more than 2 years ago | (#40548455)

I disagree. The proper thing to do IMHO is to cut them off so their owners will have the machines checked and any malware and viruses removed. Who knows how many other such they have on their machines already and who knows how many of those owners have lost their credit cards due to that? Besides, their computers are also likely a part of some botnet by now and again for that reason it is a good thing to have them cleaned up.

Re:Yes, it should shut them down (0)

Anonymous Coward | more than 2 years ago | (#40545569)

Not that these servers shouldn't be shut down, but there are plenty of people who won't have a clue how to fix the problem on the user end.

Hopefully their ISP will inform them about the necessary fix through some means other than the kinder, friendly Indian in Bangalore.

On the other hand, I'd rather be helped by someone feigning concern than most of the Slashdotters who comment in these 'discussions'.

Re:Yes, it should shut them down (1)

dead_user (1989356) | more than 2 years ago | (#40545997)

Why can't the ISPs intercept all dns request packets to the infected servers and redirect the requests to their own dns server that has been programmed to send all requests save a few exceptions to a web page with explicit instructions and hard coded access to the websites necessary for removal of the virus and ONLY these websites. People can follow rudimentary instructions if they have to. If they can't figure it out or are totally suspicious, they call the ISP who tells them either how to fix it if it's easy, Call Geek Squad or someone in your family if it's not, or "it's legit" if they are simply suspicious. Attention to these PCs has to be paid at some point. May as well be now.

Re:Yes, it should shut them down (2)

Gaygirlie (1657131) | more than 2 years ago | (#40548465)

Why can't the ISPs intercept all dns request packets to the infected servers and redirect the requests to their own dns server that has been programmed to send all requests save a few exceptions to a web page with explicit instructions and hard coded access to the websites necessary for removal of the virus and ONLY these websites. People can follow rudimentary instructions if they have to.

Because these computers likely have a bunch of other malware and viruses on them already and thus it's best to just have some geek to do a proper clean-up. It's the best option for all involved.

Re:Yes, it should shut them down (0)

Anonymous Coward | more than 2 years ago | (#40546405)

When you go online you opt to expose yourself to a certain amount of risk. If you're too lazy to get educated about how to deal with it, why should I feel any sort of sympathy? It's a bit like sleeping around without protection, do it long enough and you will get some sort of nasty infection, I don't see why I should have any particular sympathy for somebody that makes those sorts of bad decisions.

Of course they shouldn't be tossed to the wolves, but a bit of perspective here: there are classes that people can take, books that people can read, and if you know where to look they're oftentimes free.

Why not set up interstitial pages? (2)

tlhIngan (30335) | more than 2 years ago | (#40544307)

Why not do what every ISP is doing - for every DNS request hitting the server, send them to a page that tells them their PC is infected and how to clean it.

They have to click again in order to get through. Set the TTL of the DNS caching to nil so it happens practically every link - simply bombard them through annoyance?

Oh, and sure it'll break stuff like e-mail and all sorts of other non-HTTP protocols, which is good because they'll hopefully call tech support or something.

Re:Why not set up interstitial pages? (2)

bolt_the_dhampir (1545719) | more than 2 years ago | (#40544419)

So how do you make a "You're infected with X" page people actually trust?

Re:Why not set up interstitial pages? (2)

bjb_admin (1204494) | more than 2 years ago | (#40544459)

It would probably be better to redirect them to Rick Roll (No I will not put the URL here).

Re:Why not set up interstitial pages? (1)

John Bokma (834313) | more than 2 years ago | (#40544539)

At least it will open their eyes. Now everything (as far as I know) just works. Of course you can redirect them to a page that they should trust, on a https server with a domain that can be trusted, etc.

Re:Why not set up interstitial pages? (1)

sjames (1099) | more than 2 years ago | (#40548749)

It will train them to believe that "checking your computer for viruses" scam ad the next time they see it.

Re:Why not set up interstitial pages? (0)

Anonymous Coward | more than 2 years ago | (#40544729)

Yeah, this is a terrible idea. I've been telling people for years that if some random message pops up saying you're infected that you don't recognize, it's probably a scam. Now we're going to legitimize all of those scam websites by doing something like this for real?

Re:Why not set up interstitial pages? (2)

bill_mcgonigle (4333) | more than 2 years ago | (#40545153)

So how do you make a "You're infected with X" page people actually trust?

Don't offer to sell them anything and point this out.

Tell them to contact their local computer support folks but don't make specific recommendations.

Give them a link to a page on the FBI's website and give them an 800-number to call. Give them an extension that they can dial from the FBI's main switchboard as well.

Re:Why not set up interstitial pages? (2)

WaffleMonster (969671) | more than 2 years ago | (#40549005)

Don't offer to sell them anything and point this out.

Tell them to contact their local computer support folks but don't make specific recommendations.

Give them a link to a page on the FBI's website and give them an 800-number to call. Give them an extension that they can dial from the FBI's main switchboard as well.

When something like this happens, most people's machines that had been compromised were compromised as a result of a user taking an action most of us would sigh and laugh at.

They did not have the awareness to keep from being suckered or con'd or whatever so what makes you think they will have the awareness to parse the difference between the FBI doing it and a real attacker?

It simply does not work to try and push the official message thing; it only makes things worse because now the phishers are able to leverage FBI policy to maximum effect.

Besides if your machine is owned going to the FBI web site to check validity is a non-starter.

The 1-800 number is still a reference an attacker may control. They may even decide to sucker a few people into calling the "FBI switchboard" in order to rack up service charges on their phone bill.

If you want to do something like this the verification protocol needs to be out of band and well known to the public. Most importantly it needs to be in place before it is ever needed.

Personally I think a central method of verifying government actors and actions as legitimate in the sense it was not something made up by an imposter would have a lot of value outside this specific issue.

Re:Why not set up interstitial pages? (0)

Anonymous Coward | more than 2 years ago | (#40547811)

Who gives a flying fuck if they trust it? If it is the only page their computer can reach no matter what they try then they're going to have to have someone look at their computer. Preferably someone less stupid than they are who will know what's wrong and fix it. If it is someone as stupid as they are then they'll just wind up looking at the page again. Then they can call their ISP who will hopefully know what's going on and tell them to get the goddamn thing fixed. Or maybe they'll just go out and buy a new computer.

Re:Why not set up interstitial pages? (1)

Z00L00K (682162) | more than 2 years ago | (#40548051)

Those infected are more likely to trust whatever passes their eyes so it will probably work.

Re:Why not set up interstitial pages? (3, Informative)

John Bokma (834313) | more than 2 years ago | (#40544555)

DNS servers don't return pages. What you probably mean is to return the same IP address for each and every DNS request, an IP address that hosts a web server that tells people that their computer has been infected. Might be possible to do the same for other protocols, e.g. POP3 will return daily a new email that their computer has been infected, etc.
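The fixed-answer resolver John Bokma describes (every A query answered with the one IP of a warning-page web server), combined with the zero TTL tlhIngan suggests so the client re-asks on every lookup, as an added example that is not code from this thread or from any ISP's or the DCWG's sinkhole. The hostname and the 192.0.2.x address (a documentation range) are constructed sample values.

```python
"""Minimal DNS sinkhole answer construction, built on the raw wire format."""
import socket
import struct


def encode_qname(name):
    """Encode 'www.example.com' as DNS labels: \\x03www\\x07example\\x03com\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_qname(data, offset):
    """Decode labels starting at offset; returns (name, offset after the name)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:  # compression pointers do not occur in a question name
            raise ValueError("unexpected compression pointer in question")
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name, qtype=1, txid=0x1234):
    """Build a standard recursion-desired query (constructed test input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def build_sinkhole_response(query, warn_ip, ttl=0):
    """Answer any A/IN question with warn_ip; other types get an empty answer."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    _qname, off = decode_qname(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    question = query[12:off + 4]          # echo the question section verbatim
    rd = flags & 0x0100
    # QR=1, AA=1, RD copied from the query, RA=1, RCODE=0 (NOERROR)
    resp_flags = 0x8000 | 0x0400 | rd | 0x0080
    answers, ancount = b"", 0
    if qtype == 1 and qclass == 1:
        rdata = socket.inet_aton(warn_ip)
        # NAME is a compression pointer (0xC00C) back to the question name at offset 12
        answers = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, len(rdata)) + rdata
        ancount = 1
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, ancount, 0, 0)
    return header + question + answers


def parse_a_answers(resp):
    """Return (txid, [(ttl, ip), ...]) for the A records in a response."""
    txid, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qdcount):
        _, off = decode_qname(resp, off)
        off += 4                          # skip QTYPE and QCLASS
    records = []
    for _ in range(ancount):
        if resp[off] & 0xC0 == 0xC0:      # two-byte compression pointer
            off += 2
        else:
            _, off = decode_qname(resp, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1:
            records.append((ttl, socket.inet_ntoa(rdata)))
    return txid, records


if __name__ == "__main__":
    q = build_query("www.example.com")
    r = build_sinkhole_response(q, "192.0.2.10")
    print(parse_a_answers(r))  # returns (4660, [(0, '192.0.2.10')])
```

Wrapping `build_sinkhole_response` in a UDP socket listener on port 53 turns this into the interstitial resolver the thread debates; note that it only answers A queries, so mail clients and other non-HTTP software will fail exactly as tlhIngan predicts.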

Re:Why not set up interstitial pages? (3, Interesting)

vlm (69642) | more than 2 years ago | (#40544739)

Why not do what every ISP is doing - for every DNS request hitting the server, send them to a page that tells them their PC is infected

The list of hijacked DNS servers is well known in the biz, so I've heard at least some ISPs have been null routing the DNS server addresses as call queues and customer service staffing permits. Perhaps every day one pop or one CMTS or whatever it is DSL headend gear is called, or one entire city, gets null routes for those specific hijacked DNS /32s.

It ends up being about the same result in the end, except that you can control your call volume in an extremely fine-grained manner, or at least more fine-grained than the fake DNS server solution.

Obviously you lose your fine-grained gradual deployment if you redistribute those /32 routes into your site wide BGP route reflector. I wonder how many jokers have leaked those /32s onto the internet by trying to do this.

The guys who know what they're doing are all done now... The folks who haven't started are going to epic fail no matter what you do, so the FBI may as well just yank those AC cords and be done with it.

Re:Why not set up interstitial pages? (2)

Nimey (114278) | more than 2 years ago | (#40544939)

Redirect all their queries to a page with Goatse and an admonishment to clean their computers.

Re:Why not set up interstitial pages? (1)

fluffy99 (870997) | more than 2 years ago | (#40545103)

Something like this would be possible. Don't redirect everything, just a few key sites like facebook and google. Google and facebook would need to have certain IPs set up to direct you to a warning page. Probably complicated though, given the layers of DNS lookups you go through and Akamai providing the back end, etc.

Also, the ISP can easily determine which clients are infected and send them an email. I would think doing so would be in their best interest to avoid the calls to their helpdesk when things break.

Are they stupid??? why not redirect? (1)

Anonymous Coward | more than 2 years ago | (#40544329)

Send all the hosts to a website saying hey guess what you've been compromised. blah blah blah to fix. We used to do this to customers back in the old dialup dayz

-Thorne

Re:Are they stupid??? why not redirect? (1)

PPH (736903) | more than 2 years ago | (#40544375)

They could have sold advertising space on that page to Microsoft. Or Apple. "Fix that PC now! Upgrade to ...."

The FBI would have been fully funded for the next decade.

Re:Are they stupid??? why not redirect? (0)

Anonymous Coward | more than 2 years ago | (#40544531)

"Facebook still works, dontcare".

Re:Are they stupid??? why not redirect? (1)

Jiro (131519) | more than 2 years ago | (#40544627)

We don't want to teach users that if they open a webpage which claims the computer is compromised and tells them what to do, that they should obey. That's how a lot of malware gets installed in the first place.

Re:Are they stupid??? why not redirect? (0)

Anonymous Coward | more than 2 years ago | (#40545435)

Maybe that website could have a link to a $40 anti-virus that does absolutely nothing too just to complete the experience.

Re:Are they stupid??? why not redirect? (1)

WaffleMonster (969671) | more than 2 years ago | (#40548913)

Send all the hosts to a website saying hey guess what you've been compromised. blah blah blah to fix. We used to do this to customers back in the old dialup dayz

This is every phisher in the world's wet dream.

Sooner the Better (1)

BoRegardless (721219) | more than 2 years ago | (#40544391)

When citizens start learning that they can't expect the DNS system to just allow them to continue to be a part of a BOT because they don't care because they are thrown off the Internet, the sooner they will learn to take responsibility for their own equipment one way or another.

Minor question. . . . (-1, Troll)

Salgak1 (20136) | more than 2 years ago | (#40544425)

. . .exactly what gave the FBI the authority to change network settings on privately-owned computers in the first place? Yes, the boxes are infected. But that's NOT the FBI's job to solve. In fact, it's not the Government's job to solve, except on its own computers. . . . So. . . where ARE they getting the authority to do this from? Or is this another, "Trust Us, we're the Government and here to help" situation. While it's benign here, the precedent is MORE than a little troubling. . .

Re:Minor question. . . . (5, Informative)

Todd Knarr (15451) | more than 2 years ago | (#40544493)

The FBI didn't change any settings. The malware did that, it alters the infected computer's DNS settings to use a set of servers run by the malware authors. What the FBI did was take over those servers and replace the malicious software running on them with software that does normal DNS so infected computers were no longer being redirected to the malware author's sites. And now the FBI's looking at shutting down the servers entirely, which would leave the infected computers with no DNS servers at all.

Re:Minor question. . . . (1)

SuricouRaven (1897204) | more than 2 years ago | (#40544509)

They didn't. The DNSChanger trojan, as the name implies, changed the DNS server configuration. The FBI was able to seize control of those IP addresses and set up their own DNS servers there to mitigate the damage.

Re:Minor question. . . . (-1, Troll)

Salgak1 (20136) | more than 2 years ago | (#40544891)

And again, exactly WHERE did the authority to seize IT assets, especially those outside the USA, and run them come from? Should they have not been returned to the control of the rightful owners, who would remediate???

Re:Minor question. . . . (1)

Todd Knarr (15451) | more than 2 years ago | (#40544915)

The "rightful owners" were the malware authors who were infecting PCs and running the botnet. The FBI got the authority when they charged those authors and got a warrant to seize the servers.

Did they redirect all DNS to a help page? (0)

Anonymous Coward | more than 2 years ago | (#40544427)

If they have been helped through fixing their computer and they haven't bothered? F&^% them. Their loss.
There are only so many F&^%s you can give before you say "enough is enough".

YES! Turn them Off (1)

krelvin (771644) | more than 2 years ago | (#40544477)

About Time.... Then the people will know they have a problem.. right now, they think everything is fine.

More to the story? (5, Interesting)

dualboot (125004) | more than 2 years ago | (#40544485)

I wonder if the real reason they kept this on life support for so long was to enjoy 6+ months of DNS queries for 4mil-300 thousand users?

Seems like an excellent opportunity to gather a large amount of intelligence without any messy subpoenas or warrants.

Re:More to the story? (1)

John Hasler (414242) | more than 2 years ago | (#40544713)

What is it that you imagine they could learn that way?

Re:More to the story? (1)

dualboot (125004) | more than 2 years ago | (#40544775)

What can you learn by resolving every single dns query from someone using an internet connected machine?

Quite a bit.

Imagine the scary amount of information Google knows about people who use their service. Especially combined with the fact that almost every site out there now uses Google Analytics and/or Google Advertisements.

I realize it sounds very tin foil but intercepting all DNS queries can give you a pretty good fingerprint of a user.

Re:More to the story? (0)

Anonymous Coward | more than 2 years ago | (#40544889)

What can you learn by resolving every single dns query from someone using an internet connected machine? ...

I realize it sounds very tin foil but intercepting all DNS queries can give you a pretty good fingerprint of a user.

The government already has that. Remember when the US government retroactively exempted AT&T from wiretapping laws?

http://en.wikipedia.org/wiki/Hepting_v._AT%26T [wikipedia.org]

If you run a botnet... (1)

SydShamino (547793) | more than 2 years ago | (#40544603)

If you run a botnet, better check any of your zombies for this and fix them quickly. Otherwise they might get attention from a PC tech who'll remove your code as well.

(Isn't this the likely result from delays?)

Cleaning infected computers may not be enough/ (4, Informative)

nuckfuts (690967) | more than 2 years ago | (#40544651)

The DNSChanger malware can change DHCP server settings on some routers [fbi.gov] . If your home router has been tampered with, it may continue to provide rogue DNS settings even after your PC has been cleaned or reinstalled.

Pull the Plug; Go Catch Crooks (5, Insightful)

reallocate (142797) | more than 2 years ago | (#40544803)

For months, the FBI has been, essentially, providing DNS service for lots of people who didn't even know their machine had been compromised. This is the FBI, remember. If the FBI announced it was going to muck around with the DNS of millions of people, the Usual Suspects here would be ranting about the Evil Of It All.

Most of those 300,000 remaining victims will likely never fix anything. They've only been on the internet for these last several months thanks to the FBI, and they don't even know it.

Pull the plug and go catch some crooks.

Re:Pull the Plug; Go Catch Crooks (0)

Anonymous Coward | more than 2 years ago | (#40545055)

Yeah, and the FBI wasn't monitoring where they were going either, were they? They got all of the actionable intelligence they could so now it's a diminishing return for the feds.

Re:Pull the Plug; Go Catch Crooks (1)

reallocate (142797) | more than 2 years ago | (#40545135)

Don't be silly. Random DNS records? Sure.

Mostly corporate PCs left (1)

Billly Gates (198444) | more than 2 years ago | (#40544985)

My guess is all the corporate phbs bigwigs who love to still use XP/IE 6 with no updates because it is cheaper to have IT just put out fires to help boost the share price are the ones in for a surprise.

With Symantec endpoint I am sure it would be detected ... yeah right

Re:Mostly corporate PCs left (0)

Anonymous Coward | more than 2 years ago | (#40545077)

Name them and shame them. That's the fastest way to clean up this mess.

Where is the fix (1)

aggles (775392) | more than 2 years ago | (#40545239)

Seems that a clear posting that describes how to fix the problem would be the most useful to the most people.

150,000 barely used computers on ebay and ... (0)

Anonymous Coward | more than 2 years ago | (#40545515)

craigslist. I can't wait. You know half of those folks will just go out and buy a new computer, because this whole "virus thing" is too confusing.

Responsibility (0)

Anonymous Coward | more than 2 years ago | (#40545807)

You have to take personal responsibility for certain things, like driving a car. The government can't babysit you all the time. Your PC is another example.

8.8.8.8 (1)

m1ndcrash (2158084) | more than 2 years ago | (#40546605)

that's all

YES (1)

smash (1351) | more than 2 years ago | (#40546859)

If these machines are attempting to infect others, sending spam, and doing all the other malicious botnet type activity they no doubt are being used for, or could be used for, then cut them off.

Leaving them working, but infected because the user is too ignorant to fix the problem (which has been present for well over a year now) is a liability.

It matters for the underserved internet community (2, Informative)

kriston (7886) | more than 2 years ago | (#40547801)

It really does matter for the underserved internet community who rely on affordable and sometimes outdated DSL modems for their access to the internet in rural areas. Many of these DSL modems have been infected by a scary variant of the DNSChanger Zlob trojan that actually changes the DSL modem's DNS settings and changes the DSL modem's password to an unguessable value. The most detrimental effect of this infection is a virtually irreversible firmware change in an unknown but probably high number of DSL modems worldwide which are permanently affixed to the rogue DNS servers, now seized and run by the FBI as clean, boring caching DNS servers. They will be shut down July 9 because the FBI doesn't want to be an ISP, which has the effect of cutting off an unknown number of people from the internet.

It's not a small problem. It's a big problem. The cost of help desk calls alone will be devastating to the disadvantaged and underserved internet community, i.e., rural America, who may be using the affected DSL modems infected by this Zlob trojan variant.

The most important note you must realize about this problem is that DNSChanger actually changed the DNS servers on the DSL modem. Just in case you don't realize this: the DSL modem provides the DNS server info to the computer in the home. While the computer may no longer be infected, the DSL modem is configured to use the DNSChanger rogue DNS servers which the FBI seized and will shut down on July 9.

It's a really big deal and we should treat it like that.

You can check more out here: http://www.dns-ok.us/ [dns-ok.us]
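Since the modem or router hands the resolver addresses to the PC, a check has to look at what the PC actually received, not just at its own settings. The script below is an added example, not code from this thread or from dns-ok.us; the rogue netblocks it uses are constructed placeholders, because the FBI's published DNSChanger ranges are not reproduced on this page.

```python
import ipaddress
import re

# Constructed placeholder netblocks standing in for the rogue DNSChanger
# resolver ranges; the real list published by the FBI is not on this page,
# so substitute it before running this against a live machine.
ROGUE_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse_resolvers(text):
    """Return the IPv4 resolver addresses found in resolv.conf-style text
    ('nameserver X') or in the DNS Servers block of 'ipconfig /all' output."""
    resolvers, in_dns_block = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("nameserver") or "DNS Servers" in line:
            in_dns_block = "DNS Servers" in line
            resolvers += IPV4.findall(line)
        elif in_dns_block and IPV4.fullmatch(stripped):
            resolvers.append(stripped)  # continuation line of the DNS Servers block
        else:
            in_dns_block = False
    return resolvers

def flag_rogue(resolvers, ranges=ROGUE_RANGES):
    """Map each resolver to the rogue netblock it falls in; clean ones are omitted."""
    flagged = {}
    for addr in resolvers:
        ip = ipaddress.ip_address(addr)
        hit = next((str(n) for n in ranges if ip in n), None)
        if hit:
            flagged[addr] = hit
    return flagged

# Constructed samples: the router itself (192.168.1.1) is a normal DHCP-supplied
# resolver; the second address in each sample sits inside a placeholder rogue block.
SAMPLE_RESOLV_CONF = """# Generated by dhcp
nameserver 192.168.1.1
nameserver 203.0.113.77
"""
SAMPLE_IPCONFIG = """   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 198.51.100.5
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for name, text in (("resolv.conf", SAMPLE_RESOLV_CONF), ("ipconfig", SAMPLE_IPCONFIG)):
        print(name, flag_rogue(parse_resolvers(text)))
```

A hit on an address the router handed out via DHCP points at the modem or router itself, which is the case kriston describes: cleaning the PC alone will not change that.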

This is America (1)

dadioflex (854298) | more than 2 years ago | (#40548587)

Don't cut them off - do like the hotels do and take them to a splash screen asking for their credit card numbers so they can pay if they want to continue to use the internet on a service that is costing money to run and which they can't connect to normally because of their own wilful ignorance on security.

Security by ignorance (1)

WaffleMonster (969671) | more than 2 years ago | (#40548899)

Rather than people infected with shit knowing there is a problem and getting help before they get even more owned, the FBI actively acted to cover up the problem by continuing to run the DNS service, leaving users to remain clueless.

God knows I hate lawsuits yet on some level it would be awesome if someone filed one against the FBI anyway even if it had no chance of succeeding. It just might make them think twice before they decide to repeat this stunt.

They should wipe the disc and install a managed OS (0)

Anonymous Coward | more than 2 years ago | (#40549435)

Those people are just not capable of administering a computer device. They should simply be provided with a remote-managed OS so they can't accidentally help those spammers again!

Uh, and *don't* ask, just do it! They won't notice any difference in xbox / windows 98 / windows 3.11 anyway, just make the gnome desktop flickering colored ;)
