
Attacks/Breaches

2/22/2012 04:55 PM
Orphaned Bots Facing Internet Blackout

DNSChanger botnet takedown poses unique challenges and risks that other botnet overthrows do not

Botnet takedowns typically leave many orphaned bots in their wake: rarely do they leave still-infected machines cut off from the Internet, but that's what is in store for hundreds of thousands of machines that have yet to be cleaned up from the now-defunct DNSChanger botnet.

For now, March 8 is the planned deadline for the FBI to pull the last plug and shut down the temporary DNS servers it set up to prevent a major Internet blackout for what was at the time some 4 million infected machines around the globe. As of the last official count, some 450,000 bots are still infected with the now-defunct botnet's malware -- and, according to data from IID, they include half of the Fortune 500 and major U.S. federal government agencies.

Knocking enterprise, government, and consumer machines offline was an unprecedented consequence of taking down the DNSChanger botnet, which literally changed the victim computers and routers' DNS resolution settings and redirected them to malicious websites. The FBI, which headed up the "Operation Ghost Click" case against the botnet and its operators, tried to cushion the effect by swapping out the malicious DNS servers with temporary legitimate ones. The plan was to give ISPs 120 days to alert their customers about infected machines and to help with the cleanup effort. The Internet Systems Consortium (ISC) has been running the "clean" DNS servers in the meantime.

But with the March 8 deadline looming for those servers to be disabled and nearly half a million machines still infected, security experts worry about the inevitable blackout for those victims. "The whole issue of the culmination of the DNS servers being [disabled] is like pulling off a Band-Aid really slowly. I'd like to see it ripped off even if it hurts because at least the ISPs would immediately [see] any loose change that has to be mitigated instead of this one-sie, two-sie mitigation," says Paul Ferguson, senior threat researcher at Trend Micro, which was part of the Operation Ghost Click team that took down the DNSChanger botnet.

Ferguson says it was really the only way to ease the fallout from the takedown. "This was the right call for a stopgap to keep those machines from going down when they took down this criminal enterprise," Ferguson says. "I would like to see them educate people more than they have on this problem. My fear is that we patch a flat tire without telling them they had a flat tire, and now we're about to rip off the patch."

It most likely will be consumers and small businesses left in the lurch on March 8 -- or later, depending on whether the deadline gets extended, which is under consideration. According to a report today on Krebs On Security, the Department of Justice and NASA have petitioned the U.S. District Court for the Southern District of New York to keep the temporary DNS servers online through July 9 of this year.

Either way, there still will be orphaned bots affected. "They will not be able to resolve any DNS host names ... And the problem is you can't Google for a fix if you can't resolve to Google," says Brian Jacobs, senior product manager for Ipswitch's network management division.

"I suspect the leftovers inundated with the problem will be consumers. Most corporations have some level of due diligence ... it's going to be the consumer who ends up dinged on this," Jacobs says.

The DNSChanger Working Group has information on its website on how to test for and clean your machine of the malware, and ISPs are supposed to be reaching out to their customers. But with hundreds of thousands of machines at last count still infected, many users just either don't know or don't care that they are still bots.

The worry is that the feds didn't educate the public well enough. Trend Micro's Ferguson says that initially there was some discussion of having the FBI push a "you are getting this message because you are infected" page rather than setting up the temporary DNS servers for the bots. But that approach wasn't selected.

Aside from redirecting the victims to the phony DNS servers, DNSChanger malware also attempts to reach devices on a victim's small office or home network running DHCP, such as a home router. If the router was using a default username or password, the malware then changes the router's DNS settings to the rogue ones, which could affect even uninfected computers connected to that network.
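The Working Group's "test your machine" step comes down to checking where a host sends its DNS queries, and the router case above means the DNS servers handed out by DHCP deserve the same check. What follows is an added example, not code from the article, the FBI, or the DNSChanger Working Group: it parses a resolv.conf-style file and a dhclient lease, then classifies every resolver as rogue, expected, or unexpected. The rogue ranges in it are RFC 5737 documentation networks used as placeholders (the real ranges are the ones the Working Group publishes), and the allowlist of expected resolvers is hypothetical.

```python
"""Audit a host's DNS resolvers against a rogue-range blocklist and an allowlist.

Added example; the rogue ranges and expected resolvers below are placeholders,
not the DNSChanger indicators published by the DNSChanger Working Group.
"""
import ipaddress
import re

# Placeholder rogue resolver ranges (RFC 5737 documentation networks, constructed
# for this example): substitute the ranges published by the DNSChanger Working Group.
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Hypothetical allowlist: the resolvers this organisation expects its hosts to use
# (the home/office router plus two internal resolvers).
EXPECTED_RESOLVERS = {
    ipaddress.ip_address("192.168.1.1"),
    ipaddress.ip_address("10.0.0.53"),
    ipaddress.ip_address("10.0.1.53"),
}

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)")
DHCP_DNS_RE = re.compile(r"option\s+domain-name-servers\s+([^;]+);")


def _to_addresses(tokens):
    """Convert address strings to ip_address objects, skipping malformed entries."""
    addrs = []
    for token in tokens:
        try:
            addrs.append(ipaddress.ip_address(token.strip()))
        except ValueError:
            continue  # a malformed entry should not abort the audit
    return addrs


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    tokens = []
    for line in text.splitlines():
        m = NAMESERVER_RE.match(line)
        if m:
            tokens.append(m.group(1))
    return _to_addresses(tokens)


def parse_dhclient_lease(text):
    """Return the DNS servers the DHCP server (typically the home router) handed out,
    as recorded in a dhclient lease file. A router with rewritten DNS settings
    pushes rogue resolvers to every client, infected or not."""
    tokens = []
    for m in DHCP_DNS_RE.finditer(text):
        tokens.extend(m.group(1).split(","))
    return _to_addresses(tokens)


def classify_resolver(addr):
    """'rogue' if inside a known-rogue range, 'expected' if on the allowlist,
    otherwise 'unexpected' (worth a look, but not proof of infection)."""
    addr = ipaddress.ip_address(str(addr))
    if any(addr in net for net in ROGUE_RESOLVER_RANGES):
        return "rogue"
    if addr in EXPECTED_RESOLVERS:
        return "expected"
    return "unexpected"


def audit_addresses(addrs):
    """Group resolver addresses by classification, preserving order within groups."""
    report = {"rogue": [], "expected": [], "unexpected": []}
    for addr in addrs:
        report[classify_resolver(addr)].append(str(addr))
    return report


def audit_resolv_conf(text):
    """Convenience wrapper: audit the resolvers in resolv.conf-style text."""
    return audit_addresses(parse_resolv_conf(text))


def is_compromised(report):
    """One rogue resolver is enough: every lookup on the host goes through it."""
    return bool(report["rogue"])


# Constructed samples: a clean host, a host whose resolvers were rewritten, and a
# lease from a router whose DNS settings were changed.
CLEAN_RESOLV_CONF = """# constructed sample
search corp.example
nameserver 10.0.0.53
nameserver 10.0.1.53
"""
TAMPERED_RESOLV_CONF = """# constructed sample: resolvers point into a rogue range
nameserver 192.0.2.10
nameserver 198.51.100.7
"""
TAMPERED_LEASE = """lease {
  interface "eth0";
  option domain-name-servers 192.168.1.1, 192.0.2.5;
}
"""

if __name__ == "__main__":
    for label, conf in (("clean", CLEAN_RESOLV_CONF), ("tampered", TAMPERED_RESOLV_CONF)):
        rep = audit_resolv_conf(conf)
        print(label, "COMPROMISED" if is_compromised(rep) else "ok", rep)
    lease_rep = audit_addresses(parse_dhclient_lease(TAMPERED_LEASE))
    print("router lease", "COMPROMISED" if is_compromised(lease_rep) else "ok", lease_rep)
```

On a real host, feed it the contents of /etc/resolv.conf and the dhclient lease file; an "unexpected" resolver that is neither rogue nor on the allowlist is a prompt to check the host's configuration, while any "rogue" hit means the machine will lose name resolution the moment the temporary servers go dark.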

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments

MS8699, User Rank: Apprentice, 2/27/2012 | 9:22:12 AM
re: Orphaned Bots Facing Internet Blackout

The DNSChanger Working Group has information on its website on how to test for and clean your machine of the malware, and ISPs are supposed to be reaching out to their customers.
svdude, User Rank: Apprentice, 2/23/2012 | 7:28:32 PM
re: Orphaned Bots Facing Internet Blackout
Security researchers and government worker bees have no clue as to how people really use computers, and this is why it's taking them much longer than planned to clean up. Need proof? Look at how easy it is to use internet security software.

They spent many years chasing this botnet down and then got "buck fever" and implemented a very ineffective solution in a rush to publicly declare victory.

Now they face public ridicule as their remediation plan continues to fail miserably.
CiscoJones, User Rank: Apprentice, 2/23/2012 | 12:24:51 PM
re: Orphaned Bots Facing Internet Blackout
Does anyone know why the "You are receiving this message because you are infected" message was rejected? This looks like an opportunity to educate a captive audience on some basic computer security principles and provide a link so people and businesses can fix their PCs and access points. These unpatched devices are targets for a new bot to move in and start the process over again. Kicking the can down the road should not be an option.