The FBI will turn off the Internet on Monday (or not)

Published: 2012-07-09
Last Updated: 2012-07-09 16:08:02 UTC
by Johannes Ullrich (Version: 1)
8 comment(s)

On Monday, the DNS Changer Working group will discontinue providing DNS service to hosts infected with the DNS changer virus. This new item led to a flood of news reports, which IMHO blow the entire affair out of proportion (the headline to this diary entry pretty much reflects a discussion I had today with a non technical person responding to one of these articles). Reading this article, it is likely that you will be one of the people being asked for advice as "how to protect yourself" from this virus. I find it useful to stick to these talking points:

The DNS Changer malware was spreading last year and changed DNS settings in computers it infected. After arresting the group behind this malware, the FBI, as permitted by a court order, worked with ISPs and the DNS Changer Working Group to continue to operate the DNS server that the infected systems pointed to. The hope was to identify and notify as many infected systems as possible. As expected, over the last few months, these efforts had diminishing results. The court order permitting the DNS server is about to expire and as a result, this stand in DNS server will not continue to operate.

If your system is still configured to use the bad DNS server, you will not be able to resolve host names. Even if you removed the malware, it is still possible that you didn't revert the DNS settings change. 

For Windows users, this may actually not matter. According to some reports, Windows may actually revert to the default settings once the DNS server is turned off. If you used the bad DNS server, chances are that various entities tried to notify you. Google for example should have shown you a banner. If you don't see a warning banner when visiting Google, you are not one of the systems identified as infected.

Some ISPs setup their own DNS servers for DNS Changer victims. These DNS servers will remain active for now.

This malware is also old enough where Antivirus, if you run any, should have signatures for it. 

In short: Don't worry. There are estimates of 250,000 infected systems based on data from the DNS changer working group. There are about 2,000,000,000 internet users. So about 0.01% of internet users are infected. In other words: Very few. People who have disregarded warning banners, phone calls from ISPs, AV warnings, and other notification attempts. They probably should be disconnected from the Internet.

In a few cases routers may be affected by the change, and the router will use the wrong DNS server. Again: if you are connected to one of these routers, you should have seen warning banners. If you haven't seen warning banners at Google: Don't worry.

Lastly: Tell people to go to (short for DNS Changer Working It has a little test to tell you if you are affected or not. It also got a lot of first hand information about this malware.


Johannes B. Ullrich, Ph.D.
SANS Technology Institute

8 comment(s)


Perhaps a stupid question: How would Google know which resolver was used by the client in order to display such a banner?
Because they feed a different IP address to that resolver.
No fair! I wish I could boot 200,000 people with out of date patches and no antivirus off the internet!
What blew this entire affair out of proportion, in my opinion, was the FBI thinking that it was their place to continue DNS services for compromised PCs. How in the world was that determined to be an appropriate response, at the cost of taxpayers, as opposed to letting the PC owners who were probably at fault for the infection in some way anyhow, to lose their internet connectivity immediately and pay to get it fixed?
So, did the FBI really turn off the Internet, I mean, shut down the DNS servers for infected computers?
>> as opposed to letting the PC owners who were probably at fault for the infection in some way anyhow, to lose their internet connectivity immediately and pay to get it fixed?

Compare it to your automobile -- when the "check engine" light goes on, does the computer immediately shut-down the vehicle, forcing one to hire a tow-truck to transport it to a service-area, or does the vehicle continue to operate, in some "degraded" mode, to allow the owner to self-transport the vehicle? In this case, since the FBI now "owns" the "rogue" DNS-servers, lighting-up the "check-engine" light (Google banner) gives the computer-owner the "new" information that there is a problem, that the computer-owner can either self-medicate, or choose to out-source the repair (virus-scan and "undo" the DNS changes).

What could be gained by "killing" an infected computer, given that the attack-vector ("wrong" answers from a DNS-server) has been suppressed?
The car analogy doesn't work particularly well since people whose cars have mechanical trouble aren't for that reason bad drivers who have a greater potential of causing accidents.

People with compromised PCs who go weeks/months without realizing it are more likely to be causing accidents on the ol' information superhighway than those who realize sooner/aren't compromised to begin with.

I think the argument for keeping the DNS servers going for as long as they did is simply economic. The cost of doing so was cheaper than the costs associated with the disruption that would have occurred had the FBI not taken over the rogue DNS servers.

Arguably the amount of time the FBI ran these servers was unnecessary, and I wouldn't dispute that point.

I think over time this will be less of an issue as people migrate to mobile devices that have (theoretically) a reduced capacity for causing harm. We've basically been letting babies play with chainsaws. Those days are (eventually) coming to an end.
The way I understood the decision to babysit the DNS servers was this: at the time of the takeover, there were roughly 800,000 IP's hitting the rogue DNS servers, from all types of networks (commerce, government, academia, consumer, businesses, etc.). Given the types of systems infected, and the number of systems affected, they worried what effect it would have if all of those systems simultaneously "lost" their connectivity. Thus they turned over babysitting duties to a third party which gave those infected a chance to clean up their systems.

No argument that they were running the servers for longer than they really needed to, but I think the intended purpose was met.

Also, my understanding was that all operations of the servers was handled by this international third party, and while the US may have provided some funding, it was not financing the entire operation. But I could be wrong.

Diary Archives