February 2, 2012

More than two months after authorities shut down a massive Internet traffic hijacking scheme, the malicious software that powered the criminal network is still running on computers at half of the Fortune 500 companies, and on PCs at nearly 50 percent of all federal government agencies, new research shows.

Source: FBI

The malware, known as the “DNSChanger Trojan,” quietly alters the host computer’s Internet settings to hijack search results and to block victims from visiting security sites that might help scrub the infections. DNSChanger frequently was bundled with other types of malware, meaning that systems infected with the Trojan often also host other, more nefarious digital parasites.

In early November, authorities in Estonia arrested six men suspected of using the Trojan to control more than four million computers in over 100 countries — including an estimated 500,000 in the United States. Investigators timed the arrests with a coordinated attack on the malware’s infrastructure. The two-pronged attack was intended to prevent miscreants from continuing to control the network of hacked PCs, and to give Internet service providers an opportunity to alert customers with infected machines.

But that cleanup process has been slow-going, according to at least one security firm. Internet Identity, a Tacoma, Wash. company that sells security services, found evidence of at least one DNSChanger infection in computers at half of all Fortune 500 firms, and 27 out of 55 major government entities.

“Yes, there are challenges with removing this malware, but you would think people would want to get this cleaned up,” said Rod Rasmussen, president and chief technology officer at Internet Identity. “This malware was sometimes bundled with other stuff, but it also turns off antivirus software on the infected machines and blocks them from getting security updates from Microsoft.”

Computers still infected with DNSChanger are up against a countdown clock. As part of the DNSChanger botnet takedown, the feds secured a court order to replace the Trojan’s DNS infrastructure with surrogate, legitimate DNS servers. But those servers are only allowed to operate until March 8, 2012. Unless the court extends that order, any computers still infected with DNSChanger may no longer be able to browse the Web.

Rasmussen said there are still millions of PCs infected with DNSChanger. “At this rate, a lot of users are going to see their Internet break on March 8.”

Tom Grasso Jr., an FBI supervisory agent at the National Cyber Forensics & Training Alliance in Pittsburgh, Pa., said the DNSChanger Working Group — the industry and law enforcement coalition that’s handling the remediation — has been discussing what to do about the upcoming deadline, but he declined to offer specifics.

“We’re certainly exploring all different options to minimize whatever impact there’s going to be on a lot of people,” Grasso said.

Even if the DNS Changer Working Group manages to get the deadline extended, the cleanup process will likely take many years. At least, that’s been the experience of the Conficker Working Group, a similar industry consortium that was created to help contain and clean up infections from the infamous Conficker Worm. That working group was formed in 2009, yet according to the group’s latest statistics, nearly 3 million systems remain infected with Conficker.

Given the Conficker Working Group’s experience, shutting down the surrogate DNS network on March 8 may actually be a faster — albeit more painful — way to clean up the problem.

“I’m guessing a lot more people would care at that point,” Rasmussen said. “It certainly would be an interesting social experiment if these systems just got cut off.”

Individuals in charge of a large network can learn if any systems are infected with DNSChanger by sending a request to one of the members of the DNS Changer Working Group. Home users can avail themselves of step-by-step instructions at this link to learn of possible DNSChanger infections.

Where do you come down on the decision to extend the Mar. 8 deadline? Register your vote in the poll below. Feel free to sound off in the comments.



93 thoughts on “Half of Fortune 500s, US Govt. Still Infected with DNSChanger Trojan”

  1. Gregory Pendergast

    I wonder if replacing the malicious DNS infrastructure didn’t inadvertently contribute to slowing the clean-up rate. After all, users who can no longer browse the web at least tend to call the help desk. It might have led to more systems getting fixed sooner. (Of course, not replacing the malicious DNS infrastructure probably presented its own set of bad consequences.)

    1. BrianKrebs Post author

      Thanks for your comment, Greg. Did you vote yet? I think I know which option you’d choose, though 🙂

      1. Gregory Pendergast

        Just voted. Thanks for the reminder. Based on my current knowledge, I’d say no, don’t extend it. But there’s the caveat that I don’t know what unintended consequences that may have, and for whom. 😉

  2. Mike

    These people need an education anyway. No updates for months and months, and it doesn’t seem strange to them.

    They remind me of a close friend of mine who is exceedingly knowledgeable at photography and construction, yet he finds computers just mystifying. They probably think they did something wrong (not connected with the malicious email) and they are afraid to admit it.

    Extreme Intervention – Computer Style, the TV show, I can see it in the future. Want to host it, Brian???

    1. Gregory Pendergast

      It’s not surprising, though, that individual users may not know they’re infected. It’s the numerous businesses and government agencies that are more disturbing. For whatever reasons, the internal security operations haven’t detected and fixed this?

      Of course, that frequently has more to do with the business leaders not taking security seriously than it does with the abilities of the security staff (if they have security staff).

      1. LonerVamp

        Agree! The business infections are the more interesting ones, to me.

        There are so many reasons for issues though, not the least of which is how many endpoints Fortune 500s all have.

        Going over those reasons (good and bad ones) is enough for a small essay or blog post in itself, from lack of staff to lack of monitoring to a higher priority on not inconveniencing users to BYOC programs to….

    2. BrianKrebs Post author

      Hah! Like “Intervention” but confronting friends and family members on disaster PCs? Love. It! Yes, sign me up!

    3. KFritz

      If your friend is knowledgeable on photography but not computers, how the deuce is he managing the transition to digital photography?

    4. pboss

      Well, if they’re like my company, you don’t get MS updates via Windows Update anyway. The company pushes out the updates manually after testing.

      1. TEA-Time

        Unless some third party tool is used, the same Windows Update mechanism is used no matter whether it comes from M$ or a local server in your company. When that mechanism is disabled, no updates will happen.

        1. Skaperen

          That would not be hard to disable. Just substitute a different IP address for whatever Microsoft domain is involved (I have no idea, since I have a Penguin Inside).

          1. TEA-Time

            @Skaperen,

            Yup, just a registry entry pointing at whichever Windows Update server is to be used.

            I’ve also seen the Automatic Updates service completely missing on one infected XP box. After hacking the appropriate entries back into the registry and rebooting, there was a ton of updates waiting to be installed.

  3. Dan Morenus

    I’d say give the users more time but it would be nice if there were some way to notify affected users. What if for one minute each hour every DNS request was resolved to a site that informed the user that their machine was compromised and provided advice on how to resolve it? Of course lots of DNS requests might be for non-browsing purposes but I suspect most are and it would be a non-debilitating and very hard to ignore notification. Whether a particular user thought the notice was real or a scam they’d know they’d been hacked.

    1. qka

      One minute/per hour may be too small a window. How about 5 or 10 minutes/hour? Part of the “education thru pain” initiative.

      1. Dan Morenus

        Fine with me. For that matter, two minutes every ten minutes or one minute every five minutes. The main thing is to get information out there but not totally incapacitate the machine. Once the user knows they have a problem, web searches are likely to be a first step in trying to solve it so best not to interfere with them too much. A lot of people just view their computer as a box with a browser and a DVD drive so it’s probably most effective to try to communicate on that level. Xristofer mentioned being able to click through to the original URL and that sounds like a really good idea as well.

    2. Mark

      The wifi in my building makes you sign in and acknowledge that you have no expectation of privacy every 15 minutes. When you use your personal device. I magic the login page away with Tasker, for everyone else it’s just an annoying part of the landscape.

    3. Michael

      “What if for one minute each hour every DNS request was resolved to a site that informed the user that their machine was compromised and provided advice on how to resolve it?”

      Sounds suspiciously similar to what the trojan itself does.

      Sadly it might work. The sheer number of people who click on fake infection pop-ups (Av Pro 2010 and the like) and download (and sometimes pay for) a malicious program to ‘fix’ it would go a long way to neutralizing the issue. Send them a direct link to an executable hosted on a random server that runs rkill, runs a stand alone scanner, combofix etc.

  4. paul martin

    How come this type of info never shows up anywhere else I look?
    Thank-you for this must have email subscription.

  5. Xristofer

    Any lookup to the major search engines (google, bing, yahoo, etc.) should take the user to a “you’re infected, get thyself cleaned” page. From there they can click through to where they were trying to go.

    March 8 things start failing painfully.

    The Internet is a privilege, not a right. Use it wisely.

    1. nonegiven

      Didn’t the UN declare internet access to be a human right?

      1. Neej

        I’m not 100% on this but I think it’s only a number of European countries that have taken this step of making internet access a human right.

        Placing the “right” to internet access on the same level as the right to not be raped or practice religion freely or any of the other rights accorded by the UN charter strikes me as problematic at best and absurd at worst. For example say it is added as a human right – does this then mean that criminals can claim human rights violations if punitive actions against them includes being disallowed use of the internet?

        1. Skaperen

          We should also have a right to travel anywhere we want. Now what if people travel to places like Iraq or North Korea? What if people just drive off the side of the road? Do we have to keep protecting idiots so they can continue to breed more idiots?

    2. JCitizen

      Internet a privilege? Not hardly in the US – our tax dollars put out and started the internet, government easements paved the way for companies to invest in the internet; so by proxy we own the internet. We definitely own the air spectrum, so that is public property too; we just rent it out.

      Anytime you own something in this country you have inalienable rights involved in its use. I’m not saying we can abuse it, but we have a right to use it to the full extent, as long as we don’t step on anyone else’s toes.

  6. Gregory Pendergast

    The problem with these ideas of redirecting users to a “clean thyself” page is that it’s similar to a FakeAV tactic. The user will either follow through to get their systems cleaned in some way (do we want to teach them to do that?), or they will ignore the page and think that it’s malware bait (usually the safer option).

    1. qka

      “Experience is a dear teacher, but fools will have no other.”

      — Benjamin Franklin, writing as Poor Richard.

    2. Xristofer

      I think that there is a demonstrable difference between “click here to install fakeAV” and “you are infected with something as documented on these established websites, have your IT department clean it.”

      1. Gregory Pendergast

        I agree that there is a demonstrable difference between the two types of notification. I guess I’m just skeptical about whether people are going to recognize that difference. Rather than have them wonder whether something is broken, I’d lean toward just turning off the replacement DNS service to make it clear that something is broken.

      2. LonerVamp

        I don’t think so. This is like telling users not to click strange links in emails or open attachments they’re not expecting…as explained in this pdf flyer I’m sending that you need to open to read about not opening things like this.

        Ultimately, you can assume that attackers will be able to perfectly ape legitimate notices. At which point that approach falls over. We don’t even need to wait that long, as many, many people are fooled by even rudimentary attempts.

        Another view: Why give people mixed signals or even give them the opportunity to make a wrong decision?

    3. Skaperen

      The redirect page should just say “visit FBI.GOV and click on DNSChanger for more information”. Make them type the link in.

      Maybe add a link at the bottom labeled FBI.GOV that goes to a page that says “You idiot! You were supposed to type in FBI.GOV to be sure you actually go to the FBI.GOV website. Now see what you did, you ended up at FAKEFBI.COM just because you clicked on a link that was faked to look like it would go to the FBI. Now go back to where you were and do it over right this time.”

  7. MarkN

    So why aren’t the anti-virus products used at these Fortune 500 companies identifying the infected computers and cleaning them up? I realize that AV only catches between 25 and 30% of viruses, but this one has been around for a while now. I also voted to not let the deadline expire. In addition to pressure on individuals, maybe there will be some pressure on the AV companies from their unhappy corporate clients.

    1. Skaperen

      You’d think if Microsoft wanted their system to be secure, they’d at least make it so a registered AV program cannot be modified without the modification program being appropriately signed. Or aren’t the AV developers clever enough to block their own software from being updated or unregistered? Maybe AV software should be running on a virus framework.

      1. JCitizen

        HA! That would figure that a malware writer consortium would come up with an OS that was superior to any other!

  8. Wiz Feinberg

    Since the infected PCs are now using a proxy server to reach the Internet, why not put up a landing page notifying them that they are victims of the DNSChanger malware, then instruct them to contact their ISP, or a local computer technician, for assistance with removing the infection and updating their computer?

    The page should also inform them when and why the proxy service will be turned off and that their Internet access will be broken when that time arrives.

    There could be a link to click to continue browsing after reading the notice.

  9. dave wells

    Why not just reduce the number of servers thus making the internet experience for the procrastinators a very slow one. If they ignore that message, then cut them off.

  10. You missed a bit

    You can check most of your settings by simply visiting http://dns-ok.us/ on each computer you have. The “eye-chart” sites resolve differently if you’re using the servers set up via an infection.

    1. JCitizen

      Very cool! Haven’t seen one of those sites in quite a while; THANKS!

    2. Blair

      I’m not sure I trust this eye chart to do anything useful.

      The conficker eye chart attempted to download images from a number of different security sites. If your system couldn’t resolve the DNS, the images wouldn’t load, and you knew there was something wrong.

      The HTML source for this page has the green background hard-coded, and nothing but the page itself requires DNS lookups.

      Maybe there’s some server-side magic I’m missing, but this really doesn’t appear to be anything more than a static page telling all visitors their computers are OK without checking anything.

      1. TEA-Time

        @Blair,

        A friend and I were wondering the same thing, so we used NSLOOKUP to resolve dns-ok.us using a good DNS server, and then again with one of the controlled DNS servers. When dns-ok.us is resolved correctly, it gives 38.68.193.96, which has the green background. But when resolved using one of the now controlled DNSes, it gives 38.68.193.97, which gives the red background. Put those IP addresses into your browser’s address bar to see what I mean.

        So the website isn’t actually using any smarts. You just end up going to different servers.
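The two-address trick TEA-Time describes can be checked directly by sending a raw DNS query to a resolver of your choosing and comparing the answer. The following is an added example, not code from dns-ok.us, the DNS Changer Working Group, or this site; it assumes the two addresses quoted in the comment (which may no longer be current) and uses a placeholder resolver IP in place of a real one.

```python
"""Eye-chart style DNS check, modelled on the dns-ok.us behaviour above.

Added example (not from dns-ok.us or Krebs on Security). A hand-built DNS
A query for dns-ok.us is sent to a chosen resolver; the returned address is
compared with the two addresses quoted in the thread. Assumptions: those
addresses come from the comment and may be stale; the resolver address in
main() is a placeholder."""
import socket
import struct

EYECHART_HOST = "dns-ok.us"
GOOD_ANSWER = "38.68.193.96"   # returned by a correct resolver (from the thread)
ROGUE_ANSWER = "38.68.193.97"  # returned by a DNSChanger-controlled resolver


def build_query(name, txid=0x1234):
    """Encode a standard recursive A query in DNS wire format (RFC 1035)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, IN


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer occupies two bytes
            return off + 2
        off += 1 + length


def parse_a_records(msg, txid=0x1234):
    """Extract IPv4 answers from a DNS response after checking id and RCODE."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):                      # step over the echoed question
        off = _skip_name(msg, off) + 4
    answers = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return answers


def classify(answers):
    """Map the returned address(es) to the eye-chart verdict."""
    if ROGUE_ANSWER in answers:
        return "hijacked"
    if GOOD_ANSWER in answers:
        return "clean"
    return "unknown"  # neither known address: site moved or answer forged


def resolve_via(server, name=EYECHART_HOST, timeout=3.0):
    """Send the query straight to one resolver, bypassing the OS stub resolver."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(512)
    return parse_a_records(data)


def fake_response(ip, txid=0x1234):
    """Constructed reply for offline use: echoes the question, adds one A record."""
    q = build_query(EYECHART_HOST, txid)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + q[12:] + rr


if __name__ == "__main__":
    # Offline demonstration with constructed replies from both kinds of resolver.
    for ip in (GOOD_ANSWER, ROGUE_ANSWER):
        print(ip, "->", classify(parse_a_records(fake_response(ip))))
    # Live check: replace the placeholder with the resolver a client is configured to use.
    # print(classify(resolve_via("192.0.2.53")))
```

Run the live check once against the resolver a workstation actually points at and once against a resolver you trust; a "hijacked" verdict from the first and "clean" from the second is the red/green difference the comment describes.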

        1. JCitizen

          @TEA-Time

          That’s pretty much it. I’ve seen this done before, although it was years ago, and not as pretty.

        2. Blair

          Ah. That’s the missing piece. It hadn’t occurred to me that with the good guys controlling the DNS, the site might use the same sleight-of-hand.

  11. Mark

    I’m all for redirecting infected users and telling them to get their computers fixed now. In the past I’ve had my boss process documents that contained my personal data at home after work on a computer that was “acting up.” His not making the effort to get his machine fixed put me at risk. Coddling the mystery box crowd is like helping distracted drivers by putting rumble strips all over the place: It’s just a noisy pain in the ass before things go boom.

  12. YaVerOt

    So in two months the FBI hasn’t been able to write a letter to the government IT departments that are infected?
    Or the non-gov ones?

    We aren’t talking about millions of individuals to talk to and educate, but IT pros who should already know, but might not yet have gotten around to fixing it, because “the FBI has this handled”.

    Sure let 30 days pass for routine maintenance fix this, and realize that email and redirects aren’t going to be trusted as coming over the same infected medium.

    But get a message out to those infected. Then shut the extra servers down on the 8th.

    1. Skaperen

      Maybe they don’t know how to identify the source IPs of all those queries hitting the surrogate DNS servers? Nah, I actually give them far more credit. It’s all the other government agencies that would be the issue. Write a letter to them all, and maybe a handful will check a few computers. I’m quite dissatisfied with the idea of surrogate servers … except for using it as a means to track down where all the infections live and do “malware raids”. But it should at least be redirecting to an IP address that has a web page for all domains with “Your computer is infected – Business users: contact your IT department – Home users: visit FBI.GOV and click on the DNSChanger link”.

  13. Mark

    Now that I’ve had time to think a bit more, I’ve got to wonder: Would these people report a missing gun? I know this may sound a bit harsh but maybe we ought to start charging people who knowingly leave their computers infected with giving material aid and support to organized crime. It’s like letting a bunch of hobos run a crack house in your garage because kicking them out would be too much trouble and you only have to step over them once in a while. Things like identity theft mess up people’s lives. So why not start charging everyone involved in the crime?

  14. Scott D

    I have some empathy for home users. BUT corporate/government users are infected? Why can a system that is supposed to be managed and secured by some IT “pros” use a ‘foreign’ DNS server? Port 53 TCP/UDP should be blocked for all client desktops and only open for locally managed or ‘approved’ DNS servers!

    I can’t let Mark’s comment go regarding ‘…material aid and support to organized crime’.

    Mark: take that to the extreme and charge the OS vendor. THEY are truly the ones providing material aid and support. Why has a whole AV and security industry grown up around Microsoft Operating Systems? Why are progressive IT shops working very hard to remove all Adobe software from their user community’s desktops?

    1. Token IT Guy

      RE why corp users are impacted:
      When most IT departments try to get the PHB’s on their side to address an issue, they get told “We’re not an IT Security company, we’re a widget/doohickey/dealybobber company” and have their budget or approval denied.

      RE AV and security around MS/Adobe:
      They’re the biggest market. Whether I’m peddling a video game or a CC-stealing trojan, I’m going to go where the users are. Windows is the moneymaker.

    2. Mark

      I hate to play Devil’s advocate. But in this case, it’s kind of hard to blame M$. It’s like blaming Ford when your wheels fall off two months after you received notice of a safety recall.
      I don’t really care for Microsoft, Adobe, or Apple. As a Linux fanboy it kills me to say this. But if desktop Linux ever became mainstream, it would become a mainstream target too.

      1. Terry Ritter

        @Mark: “But in this case, it’s kind of hard to blame M$.”

        Much like using a garden hose on a burning building, Microsoft has been fighting an ineffective battle. As a result, bot technology has been growing and developing, virtually uncontrolled, for over a decade.

        Bot infection is no longer a mystery, and there are several ways to address it: First, since almost all malware expects to see and use Microsoft Windows, we can just use a different operating system and immediately avoid most bots. But would it really be impossible for Microsoft to field a Windows look-alike for web browsing which is not so easily perverted by malware?

        Next, the infection part of bot infections occurs when a bot changes data on the disk so the bot can restart on following sessions. We can prevent that by using a DVD-load OS, such as Puppy Linux. But would it really be impossible for Microsoft to provide their own DVD-load OS to stop malware?

        Long-time users want things to work the way they always have, and also prevent malware, which is a contradiction. Our PCs need an updated design. Hardware, not software, should stop bots from changing boot data. But Microsoft helps specify the PC, and serious changes would require serious Windows re-design.

        1. Mark

          I don’t know about the rest, but as I recall, M$ is working on a new bios system that is supposed to perform some sort of authentication on the boot sector. I just hope it doesn’t affect my ability to run Linux on newer hardware. Speaking of which, why not make a bootable thumb drive? You can choose if you want data saved or dumped on shutdown when you make it. I keep a tiny one in my wallet. I haven’t tried it yet, but have you heard of LPS? It’s a distro made by the US Air Force just for thumb drives.

          1. Skaperen

            You mean UEFI? It requires the bootloader to be signed if the feature is enabled in the UEFI firmware (BIOS as most people think of it). And to get a bootloader signed, it cannot be built/compiled by the end user. This feature will have issues with Linux and BSD users, even if there is no conspiracy to block out Linux (if there is, it will be much, much worse). Many companies are being talked into making it impossible to disable the bootloader signature check … by Microsoft.

            So should we just focus on making the OS secure so there’s never a risk the bootloader or kernel is infected in the first place? Trouble is, that would be way too costly for one of the wealthiest companies in the world to fix since Windows makes Swiss cheese look like the Hope Diamond … despite a community of volunteers doing a much better job of hardening Linux and BSD.

            This is why Microsoft is focusing on just making the reboot process secure so malware can be killed off by rebooting (something that Windows has to do a lot). And, not unexpectedly, they don’t really care about making something that leaves end users with OS choice.

            1. Mark

              A little birdy is telling me that it’ll just brick a lot of machines. And make installing your own OS as messy as rooting a smartphone. Between Linux Die Hards and cyber crooks this can’t end well.

          2. Terry Ritter

            @Mark: “as I recall, M$ is working on a new bios system that is supposed to perform some sort of authentication on the boot sector.”

            The Microsoft “solution” is for a future generation. Where is Microsoft now, when we need them?

            Our main problem is bot infection, and infection is the consequence of a malware-writable boot drive. Addressing that vulnerability does not require finesse: we can remove the hard drive and boot from a DVD.

            A DVD boot demonstrably does provide bot protection in a simple and effective way, and right now. That Microsoft needs a vastly complex future system seems like a convenient excuse to justify new and restrictive user controls.

            “why not make a bootable thumb drive?”

            Thumb drives do not solve the main problem, which is writable boot storage. Most thumb drives are writable, and bot infection occurs when malware changes boot data on the boot drive, even a thumb drive.

            Some USB flash drives do have a write-protect switch, but when we flip that to update the system, we might as well have a hard drive. The physical characteristics of a DVD just make a more secure system.

            “have you heard of LPS?”

            Yes, I mentioned LPS as a brief example in my comments to the government on bots:

            http://www.nist.gov/itl/upload/Ritter_ADVISING-THE-GOVERNMENT-ON-BOTS.pdf

            All of these solutions have problems, at least in the sense of not being like what we have. I like the Puppy Linux DVD approach, because it loads completely into RAM for fast operation and allows the DVD to be removed before browsing.

            More importantly, Puppy Linux allows the boot DVD to be updated. Updating is necessary because every security patch inherently reveals the security flaw being fixed. An inability to patch quickly means being vulnerable to new widespread attack.

            Home users who just want to get online securely can adapt to a DVD boot fairly easily. I did. My nontechnical wife did. Eventually I removed the hard drives, and though we can easily plug them in, we rarely do.

            Other users may need applications which Linux does not handle well, so for them a free DVD is not an option. But their real issue is that Microsoft does not provide a competitive security alternative.

        2. JCitizen

          @Terry Ritter;

          MS did have ‘steady state’ back on XP, which didn’t let anything write to the hard drive without user control. But I’m pretty sure the average user wouldn’t like it.

          Emsisoft’s Anti-Malware can detect startup attempts by malware and actually stop it, but it seems like MS could do the same thing by simply modifying the way its UAC operates.

          I wouldn’t be surprised if MS gets slapped with some kind of anti-trust law suit, by the anti-malware industry, when users discover that they can supposedly push a “button” to totally restore their operating system in Windows 8. It doesn’t hurt that Win 8 doesn’t need a bios, but someone else is addressing that in this thread.

          1. Token IT Guy

            “I wouldn’t be surprised if MS gets slapped with some kind of anti-trust law suit, by the anti-malware industry”

            They’ll get slapped with an antitrust suit in the EU for sure. How dare they take food from the mouths of those AV companies by making their software secure?

        3. Token IT Guy

          @Everyone complaining about Microsoft not being effective enough:

          Microsoft has approximately 92000 employees.

          How many a**holes are out there trying to make money/cause trouble/prove themselves by hacking them? Waaaaay more than that.

          Also, some of you evidently need your keyboard mappings fixed, because shift-S shouldn’t create a dollar sign. Related: http://www.penny-arcade.com/comic/2002/07/22

          1. Mark

            Yes Microsoft is out gunned, and a huge target to boot. We knew that.

            BTW in my fan-fic M$ is run by the Ferengi.

            1. Terry Ritter

              @Mark: “Yes Microsoft is out gunned,”

              Being outgunned is beside the point: Malware cannot infect a hard drive which is not there, and malware is unlikely to infect a DVD, no matter how many guns aim that way.

              Microsoft has *chosen* to double-down on a hard drive OS which almost cannot be secured, instead of providing a DVD-load OS which almost cannot be infected. It is thus hard to see user security as a real Microsoft goal.

              1. Mark

                I still remember when PCs needed a floppy with DOS on it to boot. Your solution may work for you but I doubt that you could talk a lot of other people into it. Also, assuming M$ does come up with a DVD version of Windows, what’s to keep a user from constantly reinfecting his computer with a frequently used file?

              2. AlphaCentauri

                I have visions of spam campaigns leading people to fake linux distros to get them to burn their own infected DVD, just like they go to phishing sites now.

                People will put pretty much anything in their computers that arrives by mail, too; that’s the AOL business model.

      2. EC

        That is one of the reasons why I like the “slightly under the radar” nature of Linux.

  15. George

    ” … at half of the Fortune 500 companies, and on PCs at nearly 50 percent of all federal government agencies … ”

    Where do I find the names of these government agencies and Fortune 500 companies? I went to the IID website but could not find the list there (maybe I just did not look hard enough).

    1. RJ

      I agree. Name and shame. Maybe some bad publicity will motivate people to look after their, and more importantly, OUR data.

  16. Frank

    Just in case you’re wondering about the competence of the federal agencies, the U.S. DOJ recently sent out letters to RIR block owners about IP addresses in their space that were likely infected. According to many of the recipients of those letters on NANOG (http://markmail.org/message/vflinfbyu5k4bbmc), the IP addresses were their recursive DNS servers. =(

  17. g

    The Low Point — a View from the Valley — Column 11
    The Land of “Nothing for free”

    On the map, Laguna Niguel looks like a beautiful Pacific coastal area south of Los Angeles, a little like one of my favorite spots Monterey, south of San Francisco. But I forgot; this is Los Angeles, where the brown haze of the air lies like a thick blanket over the insane sprawl of “Generica”. It’s an endless landscape of McDonalds, strip-malls and gas stations familiar to anyone who has seen the movie “Ghost World”. Nothing is free here. You pay for parking (nothing but valet available), driving on toll roads, access to much of the beach (private). If they could figure out how to charge for the air I’m sure there’d be meters every block or so. It’s a fitting home for the entertainment industry.

    I was down there to give a talk on “Open Source Business Models” for a conference. Also represented were entertainment industry lawyers, “Big Telecom” management, and a smattering of software people. Microsoft was there of course. You can’t hold a church fete with “Open Source” on the banner these days without Microsoft turning up and requesting representation. At least we also had Bruce Perens on our side to help make up the balance. The venue was an unbelievably expensive hotel. Even though I was on expenses I balked at asking the company to pay for a room there and found something cheaper (not by much) a few miles down the road.

    Along with the collection of apologists for the “ultimate evils” ™ of Hollywood and Telephone companies there were some very interesting presentations. A Japanese telecoms researcher made all the software people jealous by describing the idyllic state of broadband in Japan, where providers vie to sell gigabit fiber-optic pipes to the home. Yes, you read that right, Gigabit. The obvious question was asked; “what do people use all that bandwidth for” and the less than obvious answer was that they use it for all the same things people in less bandwidth-friendly countries do, they just do more of it. I could see a collective shudder pass through the entertainment industry people. They knew what that meant.

    A keynote by Lawrence Lessig made the point even further. He showed a series of “mash-ups” of copyrighted material which were incredibly creative and funny. All completely illegal and currently being hunted off the Internet by entertainment industry lawyers. One of the most amusing asides was from a Walt Disney legal reply to a parent requesting “fair use” rights to use some clips from a Disney movie to put in his home video. He pleadingly promised them it was meant only for family viewing. “We currently deny all requests to use our material….”. Even if you are impudent enough to ask, the answer is always no. At least one of the other studios replied that the current commercial rate was $700 to use a 30 second clip. I can see that being popular amongst parents making home movies. He also covered the current patent quagmire. A very interesting fact from his talk was that the total unit cost for a Chinese manufacturer to build a DVD player was around $26. However the total royalty fees they have to pay to western companies for the patent rights to build a player is $21 per unit, thus completely eliminating any profit they might make. No wonder the Chinese are currently creating their own digital video standard, completely incompatible with Western ones. It’s the only thing that makes economic sense for them. This is almost certainly behind the Chinese refusal to use the new WiFi standards for wireless devices also.

    I ended up making myself unpopular by publicly attacking the Washington-based economist who’d advised the Clinton Administration on “Intellectual Property” issues. It’s a very personal issue for me as it affects my everyday life and work, so when he made the statement that “strengthening the patent system leads to more innovation for everyone” I saw red. He doesn’t write software of course. I tried to explain later in private that it would be like people being able to patent economic theories in his line of work. That began to hit home, but he explained that the problem in Washington is that patents are heavily pushed to the politicians by the Pharmaceutical Industry. “These guys say they’re going to cure cancer, what are you going to do for us?” is the request that anti-software patent lobbyists have to learn to counter.

    My panel was rather uncontroversial, Microsoft, Bruce Perens and myself being on our best behavior. The only sparks that flew were when Microsoft made it abundantly clear that they would use their patent portfolio to prevent the spread of GPL software. Section seven of the GPL (the implicit patent grant of the license) now looks like the most prescient writing Richard Stallman has ever done. If you’re not familiar with it I’d suggest you read it and understand why using the GPL to protect your Free Software is so important.

    Fireworks only exploded in the session on business models in the Internet age for entertainment industry products (music CD’s mainly). This was even before the horrendous vandalism perpetrated by Sony on Windows users by propagating a rootkit as part of a digital rights management product on Sony CD’s. Let’s be clear, these people hate the Internet. If they had a single-use time machine they’d rather use it to go back in time and kill everyone responsible for creating TCP/IP than prevent the Second World War. The movie industry sees what has happened with CD’s, looks at the gigabit bandwidth available in Japan and they know they’re next. They will do anything to prevent it, pass any law, remove any civil right or fair use provision that gets in their way. I began to understand this when I had a discussion with a lawyer who was arguing that “we just need stiffer penalties, we need to make an example of people swapping files on the Internet”. To which I responded, “why don’t we just execute people who break the speed limit?”. Does anyone remember the slogan that used to be printed on vinyl records, “Home taping is illegal and is killing music”?

    When enough people decide that an activity is legal, in a democracy such a thing eventually becomes legal. Look at the way the drug laws have changed in Europe. It’s a sign of how damaged American democracy has become that the same thing hasn’t happened here. The Internet is a massive threat to some people, and if we don’t fight to keep it, we deserve to lose it. I’ll end with a “fair use” quote from one of my favorite 70’s bands, Hawkwind which seems appropriate somehow, and append one line of my own :

    Welcome to the oceans in a labeled can,
    Welcome to the dehydrated lands,
    Welcome to the self police parade,
    Welcome to the neo-golden age,
    Welcome to the days you’ve made

    Welcome to the land of “Nothing for free”.

    Jeremy Allison,
    Samba Team.
    San Jose, California.
    20th November 2005.

    1. Evil_Steven

      Gee great. More spam.

      The security industry eats its young. Every man for himself. This is old news.

      M$, Apple, etc… they are all out to make cash-ola. Yes, even Steve Jobs the ex-hippie was a capitalist in the bad sense. Deal with it.

      (btw, Samba sucks. It helps Microsoft propagate. No thanks!)

  18. in your face

    “No, you’re wrong. Microsoft’s “evil”, insofar as I’m concerned, has to do with the companies and technologies that never had a chance because someone at Microsoft decided to steal it, buy it or just destroy it. That someone was often William H. Gates.

    The Personal Computer Revolution was largely stolen from us, because we all got forced to go the Redmond way. There’s no point in going over Microsoft’s other evils, such as the fact that it is a Grade-A government-certified illegally acquired-and-maintained monopoly. Now, monopolies aren’t necessarily evil or illegal … but Microsoft’s is, on both counts. And don’t try to excuse them as just being, you know, basically decent people who make honest mistakes.

    Microsoft is a criminal organization that has maintained a consistent pattern of unlawful activity throughout its entire corporate existence. And so far as Apple and Google are concerned, it sounds like you’re excusing Microsoft’s bad behavior because well, you know, Apple and Google might be as bad, but we don’t know yet so let’s give Microsoft a pass for now. Look nobody knows whether we are alone in the Universe … but the question of whether that company is good or evil has been answered.

    They were taken to court over the issue of their monopoly status and lost. So yeah, Microsoft is evil, and the pattern of general nastiness persists to this very day.

    Why do you think the European Union is giving them such a hard time? Have you been following the OOXML fiasco, with Microsoft attempting to buy their way into a standard?

    No, I suggest you keep Googling Microsoft: it’s obvious you’ve not been around long enough to have experienced their evil firsthand. I’ve been in the software business since before Microsoft was a gleam in Bill Gates’ eye, and I’ve seen the damage he and his brainchild have caused.

    Bill can give all his money to charity if he wants, but there’s no Undo button for what he’s done.”

    1. AlphaCentauri

      It’s very true. And Google is now going the same way, buying services they can’t out-compete like YouTube and having user information flow between them now that there is no significant competitor to serve privacy-minded people. And it’s true you get what you pay for. But I also remember that when you had to pay for Netscape or AOL, not that many people were using the World Wide Web. What the internet has become is due in large part to reducing/removing the price of admission for new users.

      1. Evil_Steven

        Google, Facebook, Twitter, and the people who give up their privacy everyday are all part of the problem.

        Now we only need to change the people and the companies will be forced to follow.

        Since people do not care about privacy they really don’t deserve it.

        Without something resembling privacy there will be no security. Without knowledge on top of that there is no hope.

        People need to understand the problems so they can be fixed. Teach people maybe?

        That would be a start.

  19. Skaperen

    Surrogate servers should never have been used to just make things look like they are working OK. They should have redirected ALL queries to an information site from day one. Users of infected computers should be informed without any delay that their computers are infected.

  20. Drew

    1st: These DNS servers should not have been put into place originally anyway…How else are users to know that something is wrong? Thanks for nothing…

    2nd: Why is outbound p53 not being BLOCKED by these companies anyway? They *should* be big enough that they would be running their own internal DNS servers, and the individual clients have NO reason to be using ANY sort of outside the LAN DNS servers anyway…so, this *should* be a non-issue, but apparently the people that run these networks that have infected hosts either A. don’t care, or worse, B. don’t know, and I don’t know which is worse…

    1. JCitizen

      Likely some DOJ lawyer told the FBI, they’d be sued if they didn’t provide the service after co-opting the criminal enterprise. Likely that is exactly what would happen too; knowing our litigious nature in this country.

    2. Frank

      ISPs should (and do) provide their own DNS servers and their DHCP servers will hand out those addresses, but good ISPs stop short of requiring their subscribers to use their ISPs.

      Most subscribers don’t want their ISPs blocking port 53 nor redirecting their outside queries to their ISP’s DNS servers.

    1. Mark

      I’m gonna go out on a limb and assume the malware would just override any settings you put in. OpenDNS helps if you don’t trust your ISP’s DNS server, but that’s about it. Maybe if OpenDNS was powered by Chuck Norris.

      1. JCitizen

        In my honeypot lab, I’ve never found a malware sample that can override Comodo’s free firewall DNS. That still doesn’t mean it can’t happen, but at least it is better than nothing, like the state of many users’ machines.

      2. Evil_Steven

        Try a firewall that port redirects all DNS traffic from the internal lan to the DNS server(s) of choice.

        This could be a local DNS server on a separate internal subnet; known DNS servers on the internet, or just to force the use of the ISP DNS but nothing else. The choice is yours. The uses are endless. Adblocking, blacklists to prevent malware and spam. Whatever you are willing to implement. Even as a home user!!!

        This is not up to the ISP. They provide their DNS and allow you to choose whatever you like. (as they should)

        That is the way it is supposed to be. The rest is up to the customer to decide.

        Freedom is good. Use it!

  21. Rob

    Here’s the list of malicious IPs from the DNS Changer Working Group website. Or maybe it’s a Zeus attack page, be sure to figure it out before you click it.

    http://dcwg.org/checkup2.html

    >>Name and shame. Maybe some bad publicity will
    >>motivate people to look after their, and more importantly,
    >>OUR data.

    Get for real, my virus lab will show up on the list but you all will just see my employer’s name and assume the worst. And recall the last list of ‘victims’ that was published, where a large fraction were really just ISPs and providers?

  22. MadVirgo

    And to add injury to injury, thanks to an exploit discovered in the DNS cache update, even if one were to remove the malicious domains from upper level servers, and any delegation data, certain sites–if still accessible by IP–could still be reached. Here’s the ISC statement here:
    https://www.isc.org/software/bind/advisories/cve-2012-1033

  23. Summer Seale

    I say: disconnect them ASAP.

    I’m sick and tired of people using computers and not taking the basic time they need to educate themselves on what is good and bad online. Frankly, even after working for years in IT, I’m still shocked at how incredibly stupid a lot of people can be. People, I might add, who use computers every day.

    Most people still don’t understand that they shouldn’t open attachments sent by random people, or unexpectedly sent by friends, or executables, etc… Well, that’s been common knowledge for ten years now. If they haven’t learned it by now, then tough frigging luck. Most people’s computers at home are an utter disaster, unless they’re using a Mac or Linux box, or they are knowledgeable on the subject and studiously update their Windows machines, and quite frankly: it’s their fault. At this point, it astounds me the number of stupid things which people still do when they bloody well know that they shouldn’t.

    Case in point: why are email scammers still around? People are still falling for that every single day? It blows my mind that so many people still fall for clicking on those links, or replying with a Nigerian scammer and eventually sending them their bank account number. They still haven’t heard about online scams? What frigging planet are they living on? They haven’t watched the news for a single day in the last ten years?

    I’m sorry, I have absolutely no pity left in me. If their computers blow up on the 8th and can no longer access their stupid little Farmville games, so be it. I’ll laugh and tell them to go and finally get educated. It only takes a few minutes and provides a lifetime of good advice.

    1. AlphaCentauri

      Unfortunately, if you have to interact with government agencies, you don’t have any choice about opening attachments. Your email address gets passed around to functionaries in various interacting departments, and if you don’t respond, you may lose thousands of dollars of government business that you’re bidding on. Government employees send even the simplest text messages as Word attachments, and they expect everyone to open them without question. You have to investigate the provenance of every email, and I’m sure most people would have no way of checking which of these emails are legitimate and which are spearphishing.

      1. cherry

        Yes you do. I work in government and my boss gets a ton of dodgy emails every day I KNOW to be bogus. I delete them.

        Employees who get themselves infected have themselves to blame.

        Organisations who fail to mandate updates are asking to be attacked.

        The internet is a privilege, not a right. CUT THE COMPUTERS OFF.

        1. AlphaCentauri

          ..that *YOU* know to be bogus. If you’re reading this blog, you’re already way more capable of distinguishing phish from legitimate emails.

          I doubt you’re claiming that you delete all emails with attachments before your boss sees them, just the ones you determine to be dodgy. Most people feel they are doing the exact same thing. They’re just not as good at it as you are.

  24. BK

    The article states “[The Trojan is suspected] to control more than four million computers in over 100 countries — including an estimated 500,000 in the United States.”

    Since this is the FBI running the servers, I’ll reference the US number only. 500,000 computers is a very small number of infected computers. The computers outside of the US can be taken care of by an agency of the country where they reside.

    Then the article says-“the malicious software that powered the criminal network is still running on computers at half of the Fortune 500 companies, and on PCs at nearly 50 percent of all federal government agencies, new research shows.”

    So is it just the Fortune 500 and government that is infected?

    Again 500,000 computers is a very small number.

    Bottom line. Shut the servers down.

  25. MXAddison

    Security company Avira offers a free DNS Repair Tool. You can read more about it and get the download here: http://www.avira.com/en/support-for-home-knowledgebase-detail/kbid/1199

    1. JCitizen

      Or they could install Comodo Firewall (free) and not only get the DNS reset that way, but get it protected from being changed again.

      Some of my clients did this, after wiping and re-installing, and were reinfected with the malware, and I never heard of such a commotion according to them; it really hosed the installation. My clients said they were glad, as they would rather that happen than give into the criminals. If they were telling me what actually happened, I think they had more than one malware agent onboard their network/PCs.

  26. Agentur

    Extending the March 8th deadline will do absolutely nothing in having this issue resolved and get this DNSchanger Trojan cleaned up.

    The only way to get the infected to disinfect their systems is to cut them off.

  27. Michael Knight

    I guess I’m just confused. We’re talking about Windows networks here, right? I mean supposedly large ones: Govt., Fortune 500 etc. Which I can only assume would not be operating as a ‘Workgroup’. So I have to also assume they are on a Domain. A Windows workstation won’t even log into the domain properly (or at all) if the DNS is torqued, wouldn’t the IT staff recognize this by users complaining of long log in time or no access to network resources? So by that token I have to assume that the computers infected on these domains aren’t actually domain members (i.e. laptops, telecommuters etc. that aren’t always physically there). BUT that number would only account for a fraction of the 500000 computer total.
    ELSE
    The trojan is infecting the Domain controllers themselves (the DNS Forwarders) and this dirty DNS data is getting propagated to every workstation on the network. In that case wouldn’t the number be significantly higher? But that doesn’t jibe either because the method of infection would need to be vastly different than infecting a home user or stand alone workstation, in that it’s not merely a registry change but you’d be changing the Active Directory metabase to certain extent.

    I dunno…either way the numbers seem off to me, as does the premise. I understand DNS and the concept of the attack but the ‘explanation’ does not take into account certain constants. Logically what we’re *actually* dealing with here percentage-wise is a very small number of Govt./Fortune 500 Company’s computers, possibly a larger percent Small Business and relatively large number of Home/Small Business users.

    To that end, since when does the FBI step in to save 400,000 home computers?…yeah they’ll bust the guys who did it, but Blaster, Conficker, Nimda and the like took out way more computers. I don’t like the precedent set by this at all. This should be left to the ISP’s who have no problem letting their customers know that they’ve downloaded a copyrighted movie or song. They have the right to cut you off at any time, it’s in the contract. I don’t recall giving the FBI permission to cut off anyone. If they were intending to do so, they should have done it day 1 and let the 500000 chips fall as opposed to 400000. They don’t leave crackhouses open for a few weeks after the bust to keep the crackheads from dying. No difference really.

    This news is old hat, entire organizations have sprung up around it; I’m sure the Govt. has let their IT staff know and the Fortune 500’s will have been alerted by now. So who’s really getting their Internet cut off on the 8th? Ordinary citizens. Your mom and dad, grandparents who accidentally installed this rubbish. Should they be booted from the net…probably, but what happens the next time a terrible trojan is let loose (and by whom). “Oh that’s an easy fix, just shut down the network.”

    My ITPro side says, yeah screw em, kick em off, we’ll clean up the mess. My freedom tells me not to let an entity like the FBI have its hands on any DNS server, criminal or otherwise. So yeah switch it off like you should have done in the first place, wash your hands, good job busting those goons. Now let the citizens clean up.

    1. MadVirgo

      You’re right about the vast numbers of Windows machines being infected are probably SOHO types of servers, but I wonder how many IT orgs knew of this in the first place, or at least took it seriously? I know a few here at my government installation were not aware of it when I sent the link (I believe the security team is now working with each IT group to check and clean). As for FBI or other law enforcement entity having a hand on a DNS server–if they were to stand around and do nothing, and still have knowledge, folks would be up in arms on why no action was taken. Anyway, I say let the deadline come, and let the PC’s be blocked–though I wonder how many ISP’s have found it ‘cost beneficial’ to direct their staff to find and ‘clean’ these errant PCs? Probably few, and they’re going to wait until their user screams, then react.

      1. Michael Knight

        I suppose I was overestimating communication within the government.
        You’re right, I didn’t take it seriously…and still don’t. I know my Windows networks need to use the PDC as their DNS server and if something changed from that it’d be an instant scan/clean. I mean this isn’t the first trojan that has changed DNS or proxy servers. Despite its spread, it’s still just a lowly bit of malware. Haven’t experienced it first hand, but it doesn’t appear to have any rootkit capabilities, in fact it looks like it mods 1 registry key. Dunno if it’s TSR but in the scheme of things, it’s really not that complex. The offending DNS servers should have been killed immediately, those 400,000 or so private citizens would have called their local computer guys who would have a bit more money for Christmas. The posers with high paying admin jobs would be fired. Problem solved.
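Drew and Evil_Steven (comment 20) argue that internal clients have no business sending port-53 traffic to anything but the organisation’s own resolvers, and Michael Knight makes the same point for a Windows domain, where a workstation whose resolver setting drifts away from the domain controller should be an immediate scan-and-clean trigger. The following is an added example, not code from the article or from any commenter, that turns both observations into concrete checks in Python: a pass over flow records that flags hosts violating that DNS egress policy, and a host-side check of a configured resolver list against the allow-list. The resolver addresses, internal networks, flow lines and registry value are all constructed for the example; the comma-separated resolver string is assumed to match the format of the NameServer value under the Windows Tcpip Parameters interface keys.

```python
"""Check whether endpoints are resolving DNS where policy says they should.

Added example, not code from the article or from any commenter. It assumes
a NetFlow-style export already reduced to "timestamp src dst proto dport"
records and an allow-list of the organisation's own recursive resolvers.
Every address, flow line and NameServer value below is constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed: the internal recursive resolvers that clients are meant to use
# (on a Windows domain these would typically be the domain controllers).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed: the organisation's internal address space.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed flow records: "timestamp src dst proto dport".
SAMPLE_FLOWS = """\
2012-02-02T09:00:01 10.0.5.17 10.0.0.53 udp 53
2012-02-02T09:00:02 10.0.5.17 10.0.0.53 udp 53
2012-02-02T09:00:03 10.0.5.42 198.51.100.7 udp 53
2012-02-02T09:00:04 10.0.5.42 198.51.100.7 tcp 53
2012-02-02T09:00:05 10.0.7.9 10.0.1.53 udp 53
2012-02-02T09:00:06 10.0.7.9 203.0.113.20 udp 53
2012-02-02T09:00:07 10.0.0.53 198.51.100.7 udp 53
2012-02-02T09:00:08 10.0.5.17 93.184.216.34 tcp 443
"""


def is_internal(addr, internal=INTERNAL_NETS):
    """True if addr parses as an IP inside one of the internal networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in internal)


def parse_flows(text):
    """Parse the five-column export into (ts, src, dst, proto, dport) tuples.
    Malformed lines are skipped rather than aborting the whole run."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, proto, dport = parts
        try:
            flows.append((ts, src, dst, proto, int(dport)))
        except ValueError:
            continue
    return flows


def dns_flow_allowed(src, dst, dport, approved=APPROVED_RESOLVERS):
    """Egress policy: internal clients may send DNS only to approved resolvers;
    only the approved resolvers themselves may send DNS outside the LAN.
    Traffic on other ports is outside this policy's scope and passes."""
    if dport != 53:
        return True
    if dst in approved:
        return True
    if src in approved and not is_internal(dst):
        return True
    return False


def find_dns_bypass(flows, approved=APPROVED_RESOLVERS):
    """Map each client that violates the DNS egress policy to the sorted list
    of resolvers it tried to reach. Clients that only ever talk to approved
    resolvers do not appear in the result."""
    offenders = defaultdict(set)
    for _ts, src, dst, _proto, dport in flows:
        if not dns_flow_allowed(src, dst, dport, approved):
            offenders[src].add(dst)
    return {client: sorted(dsts) for client, dsts in offenders.items()}


def configured_resolvers_ok(nameserver_value, approved=APPROVED_RESOLVERS):
    """Host-side check: given a resolver list in the comma- or space-separated
    form of a Windows Tcpip NameServer value (assumed format), report whether
    every configured resolver is on the allow-list. An empty value means the
    resolver comes from DHCP, which this check accepts."""
    configured = nameserver_value.replace(",", " ").split()
    return all(v in approved for v in configured)


if __name__ == "__main__":
    for client, resolvers in find_dns_bypass(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{client} sends DNS to non-approved resolvers: {', '.join(resolvers)}")
    print("registry value OK:", configured_resolvers_ok("10.0.0.53,10.0.1.53"))
```

Run against the constructed flows, the script reports 10.0.5.42 and 10.0.7.9 as hosts resolving outside the approved set, while the approved resolver’s own upstream queries and a client’s HTTPS traffic pass. The same `dns_flow_allowed` predicate is the rule a perimeter firewall would enforce; the flow-log pass is what tells you which hosts would have been silently blocked by it, which is the list a domain admin wants in hand before the surrogate servers go dark.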

  28. a

    “No, you’re wrong. Microsoft’s “evil”, insofar as I’m concerned, has to do with the companies and technologies that never had a chance because someone at Microsoft decided to steal it, buy it or just destroy it. That someone was often William H. Gates.

    The Personal Computer Revolution was largely stolen from us, because we all got forced to go the Redmond way. There’s no point in going over Microsoft’s other evils, such as the fact that it is a Grade-A government-certified illegally acquired-and-maintained monopoly. Now, monopolies aren’t necessarily evil or illegal … but Microsoft’s is, on both counts. And don’t try to excuse them as just being, you know, basically decent people who make honest mistakes.

    Microsoft is a criminal organization that has maintained a consistent pattern of unlawful activity throughout its entire corporate existence. And so far as Apple and Google are concerned, it sounds like you’re excusing Microsoft’s bad behavior because well, you know, Apple and Google might be as bad, but we don’t know yet so let’s give Microsoft a pass for now. Look nobody knows whether we are alone in the Universe … but the question of whether that company is good or evil has been answered.

    They were taken to court over the issue of their monopoly status and lost. So yeah, Microsoft is evil, and the pattern of general nastiness persists to this very day.

    Why do you think the European Union is giving them such a hard time? Have you been following the OOXML fiasco, with Microsoft attempting to buy their way into a standard?

    No, I suggest you keep Googling Microsoft: it’s obvious you’ve not been around long enough to have experienced their evil firsthand. I’ve been in the software business since before Microsoft was a gleam in Bill Gates’ eye, and I’ve seen the damage he and his brainchild have caused.

    Bill can give all his money to charity if he wants, but there’s no Undo button for what he’s done.”
