Risk
4/24/2012
01:38 PM
50%
50%

DNS Changer: FBI Updates Net Access Shutoff Plans

The FBI called: Your malware-infected PC or router needs to get clean, or lose Internet access.

In a little more than two months, the FBI plans to pull the plug on DNS servers that are currently providing PCs infected with the DNS Changer malware with the ability to translate domain names into IP addresses.

Accordingly, the FBI has launched a public appeal, urging consumers and businesses to scan their machines--including some routers--for signs of infection.

How prevalent is DNS Changer? Rod Rasmussen, a member of the DNS Changer Working Group, said that in early February 2012, the malware was infecting machines used by half of all Fortune 500 companies as well as 27 out of 55 government agencies. But by the end of that month, he said that infection rates appeared to have dropped to 94 companies and just three agencies.

[ Proactivity is key in defending against cyber threats. Read more at Anonymous Vs. DNS System: Lessons For Enterprise IT. ]

In November 2011, the bureau, working with Estonian authorities, helped bust the Estonian gang behind the DNS Changer botnet. Authorities accused the gang of conducting a four-year campaign that generated at least $14 million, largely through click fraud.

The criminals allegedly used the malware to reroute infected machines to their own rogue DNS servers. That meant that even after the FBI helped bust the suspected botnet operators, anyone whose machine was infected with the malware would still be relying on the rogue DNS servers to be able to surf the Internet.

Accordingly, the bureau said that it would continue to support the DNS servers for another four months, although it disabled the command-and-control infrastructure underlying the botnet and said it wasn't monitoring any of the traffic traveling over the DNS servers. In addition, the FBI said that it had "provided information to ISPs that can be used to redirect their users from the rogue DNS servers to the ISPs' own legitimate servers."

With that deadline fast approaching, however, and many machines apparently still infected with DNS Changer, on March 12 the FBI secured a court order "authorizing the Internet Systems Consortium (ISC) to deploy and maintain temporary clean DNS servers," according to a statement released by the FBI.

Because this solution costs money, it's temporary and is intended only to buy "additional time for victims to clean affected computers and restore their normal DNS settings," according to the FBI. "The clean DNS servers will be turned off on July 9, 2012, and computers still impacted by DNSChanger may lose Internet connectivity at that time."

In other words, anyone whose machine is infected with the malware has about two months left to eradicate it or lose Internet access. At that point, to eliminate the malware and restore their correct DNS settings, users will need to download antivirus software--using another PC--and install it on their PC; for example, by using a USB key.

Hacktivist and cybercriminal threats concern IT teams most, our first Federal Government Cybersecurity Survey reveals. Here's how they're fighting back. Also in the new, all-digital Top Federal IT Threats issue of InformqtionWeek Government: Why federal efforts to cut IT costs don't go far enough, and how the State Department is enhancing security. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
UberGoober
50%
50%
UberGoober,
User Rank: Apprentice
4/24/2012 | 7:33:34 PM
re: DNS Changer: FBI Updates Net Access Shutoff Plans
Seems like for the last week or so they could redirect all traffic to a page describing the problem and include non-blocked links to AV vendors' sites.

Or they could just wait and let the great unwashed masses fail with no warning. Do they really thing waiting another couple of months will give Aunt Bertha a better chance to get her PC's DNS servers re-pointed? Gubmint folks are so clueless....
pccareman
50%
50%
pccareman,
User Rank: Apprentice
4/24/2012 | 10:59:58 PM
re: DNS Changer: FBI Updates Net Access Shutoff Plans
as i broadcast computer help on blogtv .
i will pass the word about this d n s changer .
i have found at a lot of computer user,s dont even have a anti virus program.
but i keep telling them yu need it.
i use linux mac windows ect from 95.
i hope the isp s waken up soon.
Bprince
50%
50%
Bprince,
User Rank: Ninja
4/25/2012 | 2:05:42 AM
re: DNS Changer: FBI Updates Net Access Shutoff Plans
Here is the link to the DNS Changer Working Group: http://www.dcwg.org/
Brian Prince, InformationWeek/Dark Reading Comment Moderator
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.