US ISPs Continue To Support DNSChanger Redirection Servers
darthcamaro writes "On Monday of this week, the primary servers that kept those infected with the DNSChanger malware were taken offline. It's a story that sparked lots of media hype with people claiming that hundreds of thousands of people could lose their Internet access. As it turns out, major U.S. ISPs including Verizon, Cox, AT&T and CenturyLink all kept their own DNSChanger servers online, protecting any users from losing their access."
What's the big deal? (Score:5, Insightful)
Don't all of those ISPs play that dirty trick of redirecting failed DNS lookups to advertising? Why don't they just set their DNSChanger servers to redirect all lookups to some page telling the user that their system is infected and how to download a tool to fix it?
Sure it will break everything but http(s) but if they are happy to do it for money why aren't they happy to do it for the common good?
Re: (Score:3, Insightful)
Re: (Score:1)
Because if they meddled with end-user functionality they'd be swamped with angry customers demanding service and help.
"You need help? There's a link on your screen. Click it, install the Cleaner program, and run it. Have a nice day. ::click::"
Problem solved.
Re: (Score:1)
I can tell you have never worked a day supporting CLNK customers.
Re:What's the big deal? (Score:5, Insightful)
The big deal is they are keeping infected computers online.
These should have been cut off day one, with a message 'call your ISP' and allow NO other traffic to protect the users' data.
Re: (Score:3)
Torrents != virus.
Re: (Score:3)
GP is actually right. There was never any justifiable reason to continue running these DNS servers, and they should have just been shut down when the FBI found them.
The client machines were infected, and there is no reason to assume the DNSChanger was the only virus or malware running on the boxes. The best bet is to just unplug the DNS servers and let the chips fall where they may.
Yeah, all of a sudden lots of people would find that they can't resolve anything. So what?
I suspect the reason they didn't was t
Re: (Score:2)
You know, that's been done before, and (hopefully) will be done again.
I forget the name of the malware, but there was a nasty one that basically took over IP networking on Windows machines, and pumped everything through somewhere in Eastern Europe... then the server went down. Hopefully, it was someone saying "Hmmm, malware, unplug the network cables."
And about a dozen people dragged their home computers in to me to fix. Well, theirs, their friends, family, and apparently th
Re: (Score:2)
Re: (Score:2)
I think a page saying you have a security problem on your PC and to please call us would make customers happy.. "they care about us" I know they don't really, but it would make many feel that way.
Re:What's the big deal? (Score:4, Interesting)
Re: (Score:2)
Western society is in a death spiral, and Idiocracy is coming far faster than predicted.
Re: (Score:2)
Re: (Score:3, Informative)
Re: (Score:2)
I guess you don't see the obvious problems with that...
1) There's plenty of existing malware that does that already. "Click here to clean your computer". Some even give a friendly 800 (or 900) number to call for "advice", so you can call and give your credit card number over the phone because it's "so much safer".
2) When they redirect a residential customer to the security problem page, it's not going to just redirect the infected machine, it will redirect all
Re: (Score:2)
2) When they redirect a residential customer to the security problem page, it's not going to just redirect the infected machine, it will redirect all of your machines.
No it won't. Only the infected machines are using the bogus nameservers.
Re: (Score:2)
In his case, the implication was for any malware. Definitely they could have done it for this specific case. It looks like they just went for the easier option of a static route and put the IP(s) on their own DNS server(s).
Re: (Score:1)
You have no idea what you are talking about. I have worked for several regional ISPs, and when we notice virus traffic originating from your computer/router you will either get an email/call from us notifying you that you need to resolve the issue or we will disconnect your service, or we just disconnect your service and call you to inform you why this happened.
Re: (Score:2)
hmmmm... protect the public, or protect profit... protect the public, or protect profit... oh wait, that's an easy decision!
Re: (Score:2)
No they are not. They are contacting those customers, duh !
Re: (Score:2)
Sure it will break everything but http(s) but if they are happy to do it for money why aren't they happy to do it for the common good?
Since when is there money to be made by supporting the common good?
Re: (Score:2)
I guess the problem is when they do that they'll get swamped with support requests by the most clueless of their user base. Who is going to handle all these phone calls? That costs quite a bit of money. Setting up another server to handle these DNS requests is cheap, though. So that's what they are doing.
Re: (Score:2)
Yep, that's what a lot people think and it sure fits the stereotypical corporate mentality. But, it really isn't that hard to mitigate. Set the servers up to redirect to a warning page for only 1% of the ISP's address range per day or something in that ballpark. That reduces the flood of support calls down to something manageable.
Re: (Score:2)
That's a good approach, but there were so many warnings already and for such a long time. These people don't care about their computers at all. You redirect them to a warning page, maybe they'll call you and you'll get them to fix it. That one problem. What about the other malware on their machines? What about the malware they'll get next week?
Your best hope is that sooner or later they'll replace their desktops with iPads.
Re: (Score:1)
This is my cousin exactly. She is 14 and fscking stupid. She has a thing that posts on her Facebook every day that is clearly a hijack and I always comment "...and hacked." then "change your password." It's been almost 2 months. I bet you can guess what she hasn't done. I've been considering just changing her password myself and not telling her what it is.
Re: (Score:1)
Because everyone is irrational and cancels their service when their internet goes out just once.
Re: (Score:1)
Oh for the love of god (Score:5, Insightful)
Re:Oh for the love of god (Score:5, Insightful)
Knock them off the internet already so they know they have a problem. DNSChanger is probably not the only issue they have.
This. I have *never* seen a compromised system with just one piece of badware. These people are probably running around with dozens, if not hundreds of pieces of evil in their machines.
Knocking them off the net would be doing them a favour.
--
BMO
Re:Oh for the love of god (Score:5, Informative)
Any algorithm to decide what machine is infected remotely is not going to be any smarter than the designer, and probably a lot less so.
The thing is that there is no algorithm at work at all except the infection itself.
If you paid attention at all to the goings-on of this issue at all, you'd know that DNS Changer does what it's titled to do: point at a (formerly) criminally controlled set of DNS machines. These have since been commandeered by authorities and maintained. The infected machines are being artificially propped up. To "disconnect" people, all they have to do is turn these off and let the end users fend for themselves.
So let me repeat: there is no "remote turnoff" being done here. The computers are left without a DNS when the fake DNS machines are turned off. If your computer does not point at a valid DNS when they turn off the fake DNS, it is 100 percent guaranteed that you have the DNS Changer malware.
--
BMO
Re: (Score:2)
Re:Oh for the love of god (Score:4, Informative)
All a user would need to do (assuming they were literate enough to get networking, and didn't know they were infected) is remap the DNS section of their IP config to resolve the issue?
If it was really, really simple, yes. But I suspect that the authors of DNS Changer already thought of that and will prevent you from simply changing it manually, or at least run a scheduled task to keep it set wrong (the Macintosh variant does this with a crontab).
It was spread as a "video codec" on porn sites and then as "funny video" sites, which I guess is more popular. The internet was built on porn and lolcats.
In any case, if you have an updated malware removal tool, it should remove it. Removal is effective.
If your DNS servers are in these ranges, then you are affected.
64.28.176.1 - 64.28.191.254
67.210.0.1 - 67.210.15.254
77.67.83.1 - 77.67.83.254
85.255.112.1 - 85.255.127.254
93.188.160.1 - 93.188.167.254
213.109.64.1 - 213.109.79.254
--
BMO
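As an added example (not code from the thread, the FBI or any ISP tool), here is a small Python check that takes a host's configured resolvers and flags any that fall inside the ranges listed in the comment above. The range table is copied from the post as written (inclusive .1 to .254 endpoints); the resolv.conf-style sample input is constructed for the example, not a real capture.

```python
"""Flag configured DNS resolvers that fall inside the DNSChanger ranges
listed in the comment above.  Added example; not from the thread."""
import ipaddress
import re

# Inclusive ranges exactly as listed in the post above.
DNSCHANGER_RANGES = [
    ("64.28.176.1", "64.28.191.254"),
    ("67.210.0.1", "67.210.15.254"),
    ("77.67.83.1", "77.67.83.254"),
    ("85.255.112.1", "85.255.127.254"),
    ("93.188.160.1", "93.188.167.254"),
    ("213.109.64.1", "213.109.79.254"),
]

# Parse once into comparable address objects.
_RANGES = [
    (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
    for lo, hi in DNSCHANGER_RANGES
]


def is_dnschanger_resolver(ip):
    """True if `ip` (a dotted-quad string) lies in any listed range.
    Non-IPv4 or unparseable input is reported as not matching rather
    than raising, so a stray token in pasted config output cannot abort
    the whole check."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    if addr.version != 4:
        return False
    return any(lo <= addr <= hi for lo, hi in _RANGES)


# Matches 'nameserver <addr>' lines in resolv.conf-style text.
_NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)

# Matches any dotted-quad literal; used for free-form output such as a
# pasted 'ipconfig /all' or router status page, where the layout varies.
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def resolvers_from_resolv_conf(text):
    """Return the nameserver addresses from resolv.conf-style text, in order."""
    return _NAMESERVER_RE.findall(text)


def rogue_resolvers(text):
    """Return the resolv.conf nameservers that sit in a DNSChanger range."""
    return [r for r in resolvers_from_resolv_conf(text) if is_dnschanger_resolver(r)]


def rogue_addresses_in_text(text):
    """Scan arbitrary config output for any IPv4 literal in a listed range.
    Coarser than the resolv.conf parser (it will also flag a gateway or
    route that happens to be in range) but works on any pasted output."""
    seen = []
    for ip in _IPV4_RE.findall(text):
        if is_dnschanger_resolver(ip) and ip not in seen:
            seen.append(ip)
    return seen


# Constructed sample, not a real capture: one resolver in a listed range,
# one public resolver outside all of them.
SAMPLE_RESOLV_CONF = """# constructed sample resolv.conf
nameserver 85.255.112.36
nameserver 8.8.8.8
"""

if __name__ == "__main__":
    bad = rogue_resolvers(SAMPLE_RESOLV_CONF)
    if bad:
        print("DNSChanger-range resolvers configured:", ", ".join(bad))
    else:
        print("No configured resolver falls in a listed range.")
```

On a Unix host you would feed the contents of /etc/resolv.conf to `rogue_resolvers`; on Windows, paste the output of `ipconfig /all` into `rogue_addresses_in_text`. A clean result only says the host itself is not pointed at those ranges; as the thread notes, the settings may have been changed on the router instead, so the router's DHCP-advertised DNS servers need the same check.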
Re: (Score:2)
Re: (Score:1)
Are you going to pay them for the calls that are going to be ringing off the hook! My guess is the phone system will be so overloaded it would probably crash and prevent legitimate calls from coming through.
Are you going to pay their legal fees when business users sue due to lost income? Yes, it was both foreseen and the ISP has a duty of care, and has even exercised this in supporting its users. A lawyer would be drooling if you said fuck it and cut the cord.
It is a business decision and not a moral or philoso
Re: (Score:2)
I truly do not understand how so many people can be infected yet not know it. I have had a virus, I've had trojans, I've been hit with it all, but to the extent that my machine was messed up or being controlled by someone else? Hardly. The second my mother has more than a few tabs open and her game slows down, I get a call to look at it. Usually it is nothing, but once or twice there has been a
Re: (Score:1)
It is a business decision and not a moral or philosophical one.
These are not mutually exclusive. It is a business decision, but it is also a moral one. Any decision that affects others (and arguably some that don't) are moral decisions. Pretending otherwise is a wonderful excuse for avoiding moral responsibility, though...
Re: (Score:1)
Well, a corporation's job is to make money. Its moral and ethical guidelines are to increase shareholder wealth on a quarterly basis by constantly raising the share price.
It does not serve them well if some companies get hurt with no internet access and it is stealing from them otherwise. Liability is real as older computers without updates typically are corporate owned systems in places like managerial offices and other places where they can't be cleaned easily without a local IT staff. They could lose money
Re: (Score:2)
Well, a corporation's job is to make money. Its moral and ethical guidelines are to increase shareholder wealth
Full Stop. You can increase shareholder wealth many ways. Dividends work well even when stock prices are steady or even dip a little. Carry on...
on a quarterly basis by constantly raising the share price.
Re: (Score:3)
I second that too. That kind of malware is never alone on most computers. The job of an ISP is to provide internet access, not hold customers' hands. Tech support is one thing, but an infected machine is a risk for *every* customer of said ISP. What if the ISP's email servers get banned because some machine is sending spam? Any responsible ISP will make sure either a) the problem's fixed or b) the customer's access is blocked until it's fixed. Keeping those machines online is irresponsible.
Booorrring (Score:1)
Pretty altruistic of them! (Score:3)
Re: (Score:2)
So... (Score:1)
Why? (Score:5, Insightful)
"Loose"? (Score:5, Funny)
That was the problem initially, the computers were too loose and malware got in.
Re: (Score:2)
typo in text loose should be lose (Score:2)
typo in text loose should be lose
Commercial Decision (Score:5, Insightful)
"...protecting any users from losing their access."
This had nothing to do with protecting users. This was because the ISPs didn't want to be overwhelmed with support calls and have to deal with X ignorant and pissed off customers who don't know DNSChanger from a hot dog and who will just blame the ISP for any outage.
The real story (Score:2)
What will it take? (Score:4, Insightful)
What will it take for people to start taking security seriously? One of these days a major botnet will wipe a few million hard drives with no warning. I'm not convinced that even that would do it.
Re: (Score:3)
I sincerely doubt it. The days of malware simply destroying data are behind us. It's far more useful (and profitable!) to pwn computers and steal information, serve ads, send spam, perform DDoS attacks... you get the idea.
A swarm of computers with garbled drives has no value. A swarm of computers in a botnet you own is infinitely more valuable.
Re: (Score:2)
Re: (Score:2)
Yes, malware is mostly there for a financial incentive, but I can see several scenarios where a large botnet would get wiped. Suppose...
Someone includes self-destruct code that will wipe computers if the network is taken over or the control nodes are shut down. The idea would be to blackmail security organizations into leaving the botnet alone.
Or someone has a botnet encrypt drives and then make them pay to get the decryption key. A code bug or takedown of the control network causes all the keys to be lost.
Make ISPs responsible (was Re:What will it take?) (Score:2)
Re: (Score:1)
this will be bad news though, we should be trying to force the ISP to keep their hands OFF our data.
Re: (Score:2)
Re: (Score:2)
Companies plan to spend 4.5 percent more on computer security this year than last year, according to results of a Morgan Stanley survey of 100 U.S. chief information officers, released July 13.
They are taking it seriously, they are just doing it wrong.
Never attribute to malice that which is adequately explained by stupidity.
Re: (Score:2)
Not even a botnet wiping a few million drives will do it. It'll take a Terminator and Skynet to get through to the damn idiots and at that point it's easier to nuke it from orbit.
AT&T internet wasn't working yesterday (Score:2)
We have AT&T (bellsouth.net) and yesterday internet access was spotty at best. Some sites loaded right away as usual, some never loaded, some now and then. eBay was a lost cause, Google was iffy and Google hits went nowhere. At work we have Comcast and it was business as usual.
At home it made no difference which computer I used; Mac, PC, Linux all had issues. My router / DSL modem is a Motorola.
Re: (Score:2)
I've got my home network set up to bypass my ISP's mediocre servers and use the fastest public DNS servers I could find.
Of course I also checked all our computers before D-Day happened. They were clean.
But my ISP doesn't get to decide how my DNS queries resolve.
because... (Score:1)
No Need for Gov't Intervention (Score:3)
Just shows that the Internet can take care of itself, and government meddling is not needed.
DNSSEC-enabled stub resolvers or browsers (Score:2)
DNSSEC-enabled stub resolvers on the client and/or browsers would have stopped this from ever becoming a problem. Of course, the bad guys would have just disabled this feature and/or replaced the root key on the clients, if they had access. However, it sounds like much of the time it was a vulnerable router that had the DNS settings changed. In this case, the clients would have detected false/forged DNS records and stopped the problems sooner.