No Internet In July, Warns FBI

The FBI warns that nearly a half million internet users will lose their access on July 9 if they don’t take steps to remove a virus on their computers first. Capable of infecting both Macs and Windows PCs, the virus in question is a trojan horse called DNS Changer. A variant, often referred to as zlob, even includes the ability to guess a wireless router’s default administration password and change its stored DNS settings. It’s easy enough to check your computer for this infection, using one of the free web-based detection websites put together by an industry-wide team.

Undated photo of Vladimir Tsastin, kingpin of the Estonian malware scheme

Why the July 9 deadline? That’s where the story gets interesting. The DNS Changer trojan surfaced back in 2007, so it’s nothing new. But the problem is that the trojan horse successfully infected millions of users over the next few years, modifying their computers’ DNS lookup functionality. Address lookups were routed through a group of rogue DNS servers run by Estonian hackers. This allowed the hackers to return modified results that included advertising earning them millions of dollars in revenue. All of this got the FBI’s attention and led to the arrest of the hackers last November.
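The check the post refers to comes down to one question: do the resolvers a machine is configured to use fall inside the address ranges that belonged to the rogue DNS servers? The script below is an added example written for this page, not code from the original post or from the industry working group; it pulls resolver addresses out of either a Unix `resolv.conf` or a Windows `ipconfig /all` dump and matches them against a list of rogue ranges. The ranges in `ROGUE_RANGES` are placeholders taken from RFC 5737 documentation space, as are the sample configs, so a real audit would substitute the published rogue prefixes.

```python
"""Check configured DNS resolvers against a list of known-rogue address ranges.

Added example for this page, not code from the original post.  The rogue
ranges below are PLACEHOLDERS (RFC 5737 documentation prefixes), not the real
DNSChanger addresses; substitute the published rogue prefixes for real use.
"""
import ipaddress
import re

# Placeholder "rogue resolver" ranges, assumed for illustration only.
ROGUE_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Dotted-quad IPv4 address (IPv6 resolvers are ignored in this example).
_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample inputs; 203.0.113.0/24 plays the role of a clean resolver.
RESOLV_CONF_SAMPLE = """# constructed sample /etc/resolv.conf
nameserver 192.0.2.53
nameserver 203.0.113.1
"""

IPCONFIG_SAMPLE = """   DNS Servers . . . . . . . . . . . : 203.0.113.1
                                       198.51.100.7
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def extract_resolvers(config_text: str) -> list[str]:
    """Return resolver IPs from resolv.conf or ipconfig /all style text.

    resolv.conf lists one "nameserver X" per line; ipconfig labels the first
    server "DNS Servers ... : X" and lists further servers on unlabeled,
    indented continuation lines, which is why a small state machine is needed.
    """
    resolvers = []
    in_dns_block = False
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("nameserver"):
            m = _IPV4.search(stripped)
            if m:
                resolvers.append(m.group(1))
            continue
        if stripped.lower().startswith("dns servers"):
            in_dns_block = True
            m = _IPV4.search(stripped)
            if m:
                resolvers.append(m.group(1))
            continue
        if in_dns_block:
            # A bare address on its own line continues the DNS Servers list;
            # anything else ends the block.
            if _IPV4.fullmatch(stripped):
                resolvers.append(stripped)
                continue
            in_dns_block = False
    return resolvers


def check_resolvers(resolvers, rogue_ranges=ROGUE_RANGES) -> list[tuple[str, str]]:
    """Return (resolver, matching_range) pairs for resolvers inside a rogue range."""
    hits = []
    for r in resolvers:
        try:
            addr = ipaddress.ip_address(r)
        except ValueError:
            continue  # skip anything that is not a valid address
        for net in rogue_ranges:
            if addr in net:
                hits.append((r, str(net)))
                break
    return hits


def audit(config_text: str) -> list[tuple[str, str]]:
    """Convenience wrapper: parse a config dump and report rogue resolvers."""
    return check_resolvers(extract_resolvers(config_text))


if __name__ == "__main__":
    for name, sample in (("resolv.conf", RESOLV_CONF_SAMPLE), ("ipconfig", IPCONFIG_SAMPLE)):
        hits = audit(sample)
        status = "ROGUE RESOLVER FOUND" if hits else "clean"
        print(f"{name}: {status} {hits}")
```

Note that this only inspects the local configuration. The zlob variant mentioned above rewrites the DNS settings stored on the router, so a clean `resolv.conf` that points at the router's own address says nothing about where the router forwards queries; the same range check has to be applied to the upstream resolvers shown in the router's administration page.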

However, the FBI feared their seizure of the rogue DNS servers would lead to all of the infected computers losing internet access. Therefore, they did something unprecedented, substituting the hackers’ servers with clean DNS servers of their own. The FBI hoped this would buy them time to warn people about the infection so computers could be disinfected before the replacement servers came down in March.

Unfortunately for the FBI, a federal judge ordered that the servers stay up for another 120 days, to give businesses and government agencies additional time to respond to the threat. That brings us to the cutoff date of July 9.

The FBI claims they’ve already spent $87,000 maintaining the temporary DNS server replacements and currently see over 350,000 users actively using them (down from over 500,000 a couple months ago).

In my opinion, this was $87,000 too much spent on a bandage of dubious value. Computers infected with a DNS Changer trojan likely suffer from other issues, such as sluggish performance, along with the DNS redirection itself. Even the redirection could generate odd error messages or malfunctions when using VPN software or other more advanced programs that need to manipulate TCP/IP settings. It doesn’t really do computer users any favors to mask the infection. A compromised system should be taken out of service and cleaned or re-imaged as soon as possible.

The FBI says that moving forward, they’ll implement more of these measures to minimize the impact their enforcement operations have on internet users. It might be smarter for the FBI to focus on law enforcement and not to play systems administrator at the taxpayer’s expense.



6 Responses to No Internet In July, Warns FBI

  1. Adam Crocker April 25, 2012 at 1:53 PM CDT #

    I’ll see.  I mostly used Linux OSes but I do have a Windows Partition running.  I got this computer in the summer of 2010 and I’ve reinstalled Windows 7 on here about four times now, only once due to a specific performance issue. (Lost my wireless card when Windows 7 service pack 1 first installed.)

  2. Adam Crocker April 25, 2012 at 2:03 PM CDT #

    I do have one question though: while I can see your point about the dubious value of the substitute server, are you saying it would have been better for the FBI to have allowed the computers to go offline when they seized the rogue server?  And would that have made it more likely for the users to get their computers fixed?  Could this have opened up any liabilities for the agency had they done so?

    And while $87,000 seems like a lot, how far off is that from the agency’s usual operating costs?  The total FBI budget for 2001 was $8.3 billion, with $8.1 billion accounting for operating expenses, and $181.2 million for construction.  http://www.fbi.gov/news/testimony/the-fbi-budget-for-fiscal-year-2011

    • Adam Crocker April 25, 2012 at 2:32 PM CDT #

      In regard to the ‘liability’ part of the issue, I followed the krebsonsecurity.com link and it mentioned that according to figures from early March, a large number of government agencies and Fortune 500 companies were still struggling to erase the DNS redirector infection.  This may well have been a case where the practical problems and costs associated with completely removing the DNS server would have far outweighed any cost to the taxpayers for maintaining a substitute server.

      • Madtony71 April 25, 2012 at 5:04 PM CDT #

        This should be point proven to the downsizing of IT departments. A rogue redirector running rampant on a Fortune 500 network is shameful. It also shows the sheer carelessness of the network’s users. I’ve worked at many Fortune 500’s, mostly in the top 20%, and a circumstance like this would have been very short lived if any… less than 2 days if we were slacking.

        • Adam Crocker April 26, 2012 at 3:44 PM CDT #

          Thanks for that perspective Madtony.  I haven’t worked in such situations myself so admittedly I didn’t have the perspective on just how bad (and risible) such a thing would be.  Though it’s certainly worrying that this is the case knowing that Fortune 500s should have more stringent security and maintenance standards in place.

Trackbacks/Pingbacks

  1. No Internet In July Seems Largely A Lie - July 10, 2012

    […] that the July 9 deadline has come and gone, it appears few experienced a loss of their internet connection after all. […]
