DNSChanger: The disaster that wasn't

Summary: DNSChanger may have taken people offline, but seriously who would notice if you can't Tweet your woes?

For days we've heard concerns and fears about DNSChanger, malware that would reportedly cut a widely debated number of people around the world off from the Internet. The reality is that DNSChanger is looking like a disaster averted.

The FBI took down the DNSChanger network. The malware, created five years ago, changed the DNS settings of infected computers so that every name lookup went to rogue DNS servers run by the criminals, who could then answer with whatever addresses they chose. When the FBI seized those servers it replaced them with legitimate DNS servers answering on the same addresses, kept them running under court order so infected machines stayed online, set today as the deadline for shutting them down, and set up a working group to keep people updated.
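Because the replacement servers answered on the rogue servers' own addresses, an infected machine kept working right up to the deadline and its owner had no symptom to notice. The only reliable check was to look at which resolvers the machine was configured to use. The script below is an added example, not part of this article or of the FBI's own tooling: it parses a resolv.conf-style file and flags any resolver that falls inside the rogue address ranges the FBI published in its DNSChanger check guidance. Those ranges are reproduced here from that guidance as I recall them and should be verified against the DNSChanger Working Group's list before being relied on; the sample resolv.conf is constructed for the example. Windows users would get the same information from `ipconfig /all` and compare the "DNS Servers" lines by hand.

```python
"""Flag configured DNS resolvers that fall inside DNSChanger's rogue ranges.

Added example for this article; not FBI or DCWG code.
"""
import ipaddress
import os

# Rogue resolver ranges as published in the FBI's DNSChanger check guidance
# (reproduced from memory; verify against the DCWG list before relying on it).
DNSCHANGER_ROGUE_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "85.255.112.0/20",    # 85.255.112.0  - 85.255.127.255
    "67.210.0.0/20",      # 67.210.0.0    - 67.210.15.255
    "93.188.160.0/21",    # 93.188.160.0  - 93.188.167.255
    "77.67.83.0/24",      # 77.67.83.0    - 77.67.83.255
    "213.109.64.0/20",    # 213.109.64.0  - 213.109.79.255
    "64.28.176.0/20",     # 64.28.176.0   - 64.28.191.255
)]

# Constructed sample: one resolver inside a rogue range, one legitimate one.
SAMPLE_RESOLV_CONF = """\
# resolver configuration as DNSChanger would have left it (constructed sample)
search example.test
nameserver 85.255.112.36
nameserver 8.8.8.8   ; trailing comment in the alternate comment style
options timeout:2
"""


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text.

    Ignores comments (# or ;), blank lines and unrelated directives.
    """
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def check_resolvers(resolvers, ranges=DNSCHANGER_ROGUE_RANGES):
    """Return (resolver, matching_range) pairs for resolvers inside a rogue range.

    Entries that are not IP literals are skipped rather than treated as hits.
    """
    hits = []
    for addr in resolvers:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # hostname or garbage; nothing to compare against
        for net in ranges:
            if ip.version == net.version and ip in net:
                hits.append((addr, str(net)))
                break
    return hits


def main():
    # Use the live resolver file when present, otherwise the constructed sample.
    path = "/etc/resolv.conf"
    if os.path.exists(path):
        with open(path) as fh:
            text = fh.read()
    else:
        text = SAMPLE_RESOLV_CONF
    resolvers = parse_resolv_conf(text)
    hits = check_resolvers(resolvers)
    if hits:
        for addr, net in hits:
            print(f"ROGUE: resolver {addr} is inside DNSChanger range {net}")
    else:
        print(f"clean: {len(resolvers)} resolver(s) checked, none in rogue ranges")


if __name__ == "__main__":
    main()
```

A hit means the machine's lookups were being answered by an address the criminals controlled; after the shutdown deadline those addresses stop answering and the machine loses name resolution entirely. Fixing the resolver setting is the visible symptom, not the cure: the malware that changed it, and anything it installed alongside, still needs to be removed.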

Someone had to take the DNSChanger hit today. Rest assured the tech press is desperately trying to find these people. The problem: If you were hit by the DNSChanger malware it's not like you'd be able to Tweet for help. You'd be offline and no one would notice. You'd be a tree falling in the forest.

By country, the DNSChanger risk was concentrated in the U.S., where more than 45,000 machines were still infected, according to FBI stats. Italy had nearly 22,000 infected machines and India more than 19,000. Great Britain had more than 13,000 and Australia nearly 7,000.

Add it up and DNSChanger has a Year 2000 bug feel to it: you expect digital disaster and then go "umm, that was it?" That reaction isn't meant to diminish the work behind the scenes that minimized the problem, but let's face it: you rarely see digital Armageddon coming.

Talkback

8 comments
  • Much Ado About Not Much

    The FBI was initially claiming that 64K systems may have been affected in the US. There are an estimated 223.81 MILLION PCs in the US. This maths out to .0285% of systems that may have been affected. The media totally blew this out of proportion and I have not seen a single article that bothered to add any context to the reported numbers.

    It really makes one wonder how often the drive-by media does this with the rest of the "news".
    Uber Dweeb
  • Good Gravy!

    If the rogue sites were taken down 5 years ago, this implies that infected machines are at least five years old. How many of them can still be working?
    z2217
    • Quite a few

      PCs easily go for more than 5 years. We have lots of them around at work. I just retired a Pentium M based system running XP; it had 2 Gigs of memory. The core I believe was based on Pentium 4.
      DevGuy_z
  • Kudos to those who worked to minimize the risk

    The digital Armageddon that you are trying to point out has not turned out the way the creator intended, since there are good guys who worked behind the scenes to minimize the risk. Imagine if they had not put up a temp server to host the DNS queries and had instead just kept mum; imagine those affected.

    BTW, one person is not tied to one machine, they can still tweet their experience if they have been affected. People now have internet access at work, home, mobile, internet cafe, etc.
    VhinzSanchez
    • DNS servers

      "guys who worked behind the scene to minimize the risk" -@VhinzSanchez

      I think not all security-conscious individuals will agree that creating a temporary server to redirect the infected machines to the correct URL is the right way to do this.

      C&C servers should've redirected the machines to a simple HTML site warning the user that the machine he currently uses is infected with TDSS, DNSChanger, Alureon, Tidserv or whatever name you call that piece of malware. By then the users of infected machines would try to fix the problem. This preserves the privacy of infected users, and also saves the expensive electric bill for those servers, which has probably cost more than US$25,000 while they were running for more than 6 months.

      One of our machines at work was infected by a banking trojan, SpyEye, an advanced malware which can even search a system for Zeus malware and will wipe out Zeus if found. I only discovered SpyEye when our network connected to zinkhole.org, which is a non-profit org, and further investigation showed the "phoning home" of SpyEye is now directed to zinkhole.org. I am not happy with this help from zinkhole; how will I know if the screenshots and keylogs and stolen data of SpyEye will not be used in criminal acts by the admins of zinkhole, with servers located in the Czech Republic?

      Good news should travel fast, bad news should travel faster. -Bill Gates
      Martmarty
      • As I've said, "Minimize" the risk

        while security vendors are working on something to successfully resolve the problem. It might be a band-aid solution but it has successfully disabled the malware. They also have gone public about it to be sure they're heard.

        I agree with your idea that they should have simply redirected DNS traffic elsewhere, but they have chosen to use their server to serve DNS queries (effectively disabling the malware... hopefully) so as not to cut off the Internet on a wide basis. It might not be the solution to every malware that will infect us, but hey, it worked here. Maybe some have been affected but the vast majority escaped.
        VhinzSanchez
      • zinkhole

        Martmarty, you shouldn't be worried about it. Zinkhole.org is cooperating in the IFA project: https://www.ifraudalert.org/whoweare.aspx
        zinkhole
  • Overhype about nothing

    It was amazing how the media saw it all as a massive threat (I saw a fair few "virus threatens Internet" headlines around online and in papers).

    If I remember the exploit from way back when, it was a problem with DNS itself, wasn't it? A security hole that could be exploited with DNS hijacking? A patch for Windows, Mac, Linux... any and every operating system was quickly made, but not everybody is attuned to updating their OS (at home and business levels).

    It would have been that minority that would have been infected. These people who didn't know (or didn't care) about system security, try to connect and get nowhere.
    dmh_paul