US ISPs Continue To Support DNSChanger Redirection Servers

darthcamaro writes "On Monday of this week, the primary servers that kept those infected with the DNSChanger malware were taken offline. It's a story that sparked lots of media hype with people claiming that hundreds of thousands of people could lose their Internet access. As it turns out, major U.S. ISPs including Verizon, Cox, AT&T and CenturyLink all kept their own DNSChanger servers online, protecting any users from losing their access."

What's the big deal?

[Jah-Wren Ryel]

Don't all of those ISPs play that dirty trick of redirecting failed DNS lookups to advertising? Why don't they just set their DNSchanger servers to redirect all lookups to some page telling the user that their system is infected and how to download a tool to fix it?

Sure it will break everything but http(s) but if they are happy to do it for money why aren't they happy to do it for the common good?

Re:

[NettiWelho]

Because if they meddled with end-user functionality they'd be swamped with angry customers demanding service and help. They take the cheap route that doesnt require additional effort on their part and lessens the incoming workload.

Re:

[Anonymous Coward]

Because if they meddled with end-user functionality they'd be swamped with angry customers demanding service and help.

"You need help? There's a link on your screen. Click it, install the Cleaner program, and run it. Have a nice day. ::click::"

Problem solved.

Re:

[Anonymous Coward]

I can tell you have never worked a day supporting CLNK customers.

Re:What's the big deal?

[nurb432]

The big deal is they are keeping infected computers online.

These should have been cut off day one, with a message 'call your isp' and allow NO other traffic to protect the users data.

Re:

[nurb432]

Torrents != virus.

Re:

[icebike]

GP is actually right. There was never any justifiable reason to continue run these DNS servers, and they should have just been shut down when the FBI found them.
The client machines were infected, and there is no reason to assume the DNSChanger was the only virus or malware running on the boxes. The best bet is to just unplug the DNS servers and let the chips fall where they may.

Yeah, all of a sudden lots of people would find that they can't resolve anything. So what?

I suspect the reason they didn't was t

Re:

[JWSmythe]

You know, that's been done before, and (hopefully) will be done again.

I forget the name of the malware, but there was a nasty that basically took over IP networking on Windows machines, and pumped everything through somewhere in Eastern Europe.. ... then the server went down. Hopefully, it was someone saying "Hmmm, malware, unplug the network cables."

And about a dozen people dragged their home computers in to me to fix. Well, theirs, their friends, family, and apparently th

Re:

[John Bokma]

Yup, if they don't they lose customers (or that's the idea). For the same reason a lot of ISPs do nothing about infected computers in their net work. No matter how much spam they send out or how many requests they do to your web servers. A smaller group of ISPs (e.g. MediaTemple, to name just one) have no problem at all with spammers in their network (and/or make reporting spammers extremely hard), as long as the customer pays (and the complainer: not). Spam etc. is plenty because people accept money to lo

Re:

[nurb432]

I think a page saying you have a security problem on your PC and to please call us would make customers happy.. "they care about us" I know they don't really, but it would make many feel that way.

Re:What's the big deal?

[John Bokma]

You and me both. But I know plenty of people who consider themselves "power users" and would consider such a move patronizing (and an accusation that they made a mistake; how could they!). And I know even a few who don't care about malware on their computer as long as it isn't too much in the way (some even call it cool to be a part of one or more botnets...).

Re:

[WhitetailKitten]

This reminds me of the shit on Facebook where people like pages marked, basically, "I have never read a book in my life and I'm proud of it."

Western society is in a death spiral, and Idiocracy is coming far faster than predicted.

Re:

[ganjadude]

true, I hate having to deal with tech support and I get annoyed at people trying to force me to do things. having said that, having a default page that tells you your machine is messed up is a little bit different. I say hell, even let them keep using it, just make them see the msg and hit ok (frames maybe?) I know the hardcore crowd will claim the ISPs are hijacking or snooping or whatever, yeah, thats exactly whats going on in my scenario, and probably one of the only few exceptions to snooping I would

Re:

[CheshireDragon]

Then those ego maniacs need a slap in the face. If they were in fact a power user they wouldn't have let this happen to their system.

Re:

[JWSmythe]

I guess you don't see the obvious problems with that...

1) There's plenty of existing malware that does that already. "Click here to clean your computer". Some even give a friendly 800 (or 900) number to call for "advice", so you can call and give your credit card number of the phone because it's "so much safer".

2) When they redirect a residential customer to the security problem page, it's not going to just redirect the infected machine, it will redirect all

Re:

[Jah-Wren Ryel]

2) When they redirect a residential customer to the security problem page, it's not going to just redirect the infected machine, it will redirect all of your machines.

No it won't. Only the infected machines are using the bogus nameservers.

Re:

[JWSmythe]

    In his case, the implication was for any malware. Definitely they could have done it for this specific case. It looks like they just went for the easier option of a static route and put the IP(s) on their own DNS server(s).

Re:

[Anonymous Coward]

you have no idea what you are talking about. i have worked for several regional ISPs and when we notice virus traffic originating from your computer/router you will either get an email/call from us notifying you that you need to resolve the issue or we will disconnect your service, or we just disconnected your service and call you to inform you why this happened.

Re:

[v1]

The big deal is they are keeping infected computers online.

These should have been cut off day one, with a message 'call your isp' and allow NO other traffic to protect the users data.

hmmmm... protect the public, or protect profit... protect the public, or protect profit... oh wait, that's an easy decision!

Re:

[devitto]

No they are not. They are contacting those customers, duh !

Re:

[icannotthinkofaname]

Sure it will break everything but http(s) but if they are happy to do it for money why aren't they happy to do it for the common good?

Since when is there money to be made by supporting the common good?

Re:

[Asic Eng]

I guess the problem is when they do that they'll get swamped with support requests by the most clueless of their user base. Who is going to handle all these phone calls? That costs quite a bit of money. Setting up another server to handle these DNS requests is cheap, though. So that's what they are doing.

Re:

[Jah-Wren Ryel]

Yep, that's what a lot people think and it sure fits the stereotypical corporate mentality. But, it really isn't that hard to mitigate. Set the servers up to redirect to a warning page for only 1% of the ISP's address range per day or something in that ballpark. That reduces the flood of support calls down to something manageable.

Re:

[Asic Eng]

That's a good approach, but there were so many warnings already and for such a long time. These people don't care about their computers at all. You redirect them to a warning page, maybe they'll call you and you'll get them to fix it. That one problem. What about the other malware on their machines? What about the malware they'll get next week?

Your best hope is that sooner or later they'll replace their desktops with iPads.

Re:

[CheshireDragon]

"These people don't care about their computers at all."
This is my cousin exactly. She is 14 and fscking stupid. She has a thing that posts on her facebook everyday that is clearly a highjack and I always comment "...and hacked." then "change your password." It's been almost 2 months. I bet you can guess what she hasn't done. I been considering just changing her password myself and not telling her what it is.

Re:

[CheshireDragon]

That's right, AC you are so super smart (clear sarcasm)

Because everyone is irrational and cancels their service when there internet goes out just once.

Re:

[CheshireDragon]

because there is no money to be made in 'the common good.'

Oh for the love of god

[0racle]

Knock them off the internet already so they know they have a problem. DNSChanger is probably not the only issue they have.

Re:Oh for the love of god

[bmo]

Knock them off the internet already so they know they have a problem. DNSChanger is probably not the only issue they have.

This. I have *never* seen a compromised system with just one piece of badware. These people are probably running around with dozens, if not hundreds of pieces of evil in their machines.

Knocking them off the net would be doing them a favour.

--
BMO

Re:Oh for the love of god

[bmo]

Any algorithm to decide what machine is infected remotely is not going to be any smarter than the designer, and probably a lot less so.

The thing is that there is no algorithm at work at all except the infection itself.

If you paid attention at all to the goings-on of this issue at all, you'd know that DNS Changer does what it's titled to do: point at a (formerly) criminally controlled set of DNS machines. These have since been commandeered by authorities and maintained. The infected machines are being artificially propped up. To "disconnect" people, all they have to do is turn these off and let the end users fend for themselves.

So let me repeat: there is no "remote turnoff" being done here. The computers are left without a DNS when the fake DNS machines are turned off. If your computer does not point at a valid DNS when they turn off the fake DNS, it is 100 percent guaranteed that you have the DNS Changer malware.

--
BMO

Re:

[ganjadude]

I have not been keeping up on this, so If I read you correctly, All a user would need to do (assuming they were literate enough to get networking..and not know they were infected, is remap the DNS section of their IP config to resolv the issue? or will this virus re-remap it back to the bogus dns?

Re:Oh for the love of god

[bmo]

All a user would need to do (assuming they were literate enough to get networking..and not know they were infected, is remap the DNS section of their IP config to resolv the issue?

If it was really, really simple, yes. But I suspect that the authors of DNS Changer already thought of that and will prevent you from simply changing it manually, or at least run a scheduled task to keep it set wrong (the Macintosh variant does this with a crontab).

It was spread as a "video codec" on porn sites and then as "funny video" sites, which I guess is more popular. The internet was built on porn and lolcats.

In any case, if you have an updated malware removal tool, it should remove it. Removal is effective.

If your DNS servers are in these range, then you are affected.

        64.28.176.1 - 64.28.191.254
        67.210.0.1 - 67.210.15.254
        77.67.83.1 - 77.67.83.254
        85.255.112.1 - 85.255.127.254
        93.188.160.1 - 93.188.167.254
        213.109.64.1 - 213.109.79.254

--
BMO

Re:

[ganjadude]

Thanks for the info, I am personally good but This will be useful when I get a phone call telling me all of a sudden my grandma cant connect

Re:

[Billly Gates]

Are you going to pay them for the calls that are going to be ringing off the hook! My guess is the phone system will be so overloaded it would probably crash and prevent legitimate calls from coming through.

Are you going to pay their legal fees when business users sue due to lost income? Yes it was both forseen and the ISP has a duty of care, and has even excersized this supporting its users. A lawyer would be drooling if you said fuck it and cut the cord.

It is a business decision and not a moral or philoso

Re:

[ganjadude]

except for chances are those 1st 10% would most likely be reinfected before they had enough time to worry about it.

I truly do not understand how so many people can be infected yet not know it. I have had a virus, Ive had trojans, Ive been hit with it all, but to the extent that my machine was messed up or being controlled by someone else? hardly the second my mother has more than a few tabs open and her game slows down, i get a call to look at it, usually it is nothing, but once or twice there has been a

Re:

[osu-neko]

It is a business decision and not a moral or philosophical one.

These are not mutually exclusive. It is a business decision, but it is also a moral one. Any decision that affects others (and arguably some that don't) are moral decisions. Pretending otherwise is a wonderful excuse for avoiding moral responsibility, though...

Re:

[Billly Gates]

Well a corporations job is to make money. Its moral and ethical guidelines is to increase shareholder wealth on a quarterly basis by constantly raising the share price.

It does not serve them well if some companies get hurt with no internet access and it is stealing from them otherwise. Liability is real as older computers without updates typically are corporate owned systems in places like managerial offices and other places where they can't be cleaned easily without a local IT staff. They could lose money

Re:

[Culture20]

Well a corporations job is to make money. Its moral and ethical guidelines is to increase shareholder wealth

Full Stop. You can increase shareholder wealth many ways. Dividends work well even when stock prices are steady or even dip a little. Carry on...

on a quarterly basis by constantly raising the share price.

Re:

[Hamsterdan]

I second that too. That kind of malware is never alone on most computers. The job of an ISP is to provide internet access, not holding customer's hands. Tech support is one thing, but an infected machine is a risk for *every* customer of said ISP. What if the ISP's email servers get banned because some machine is sending spam? Any responsible ISP will make sure either a) the problem's fixed or b) the customer's access is bloqued until it's fixed. Keeping those machines online is irresponsible.

Booorrring

[Simpson,Homer_Jay]

Next article please

Pretty altruistic of them!

[Immostlyharmless]

On a side note, can anyone tell me why all of the ads I see are for AT&T?

Re:

[Immostlyharmless]

I do believe someone missed the joke :P I promise to make it more obvious next time ;-)

So...

[evafan76]

That's why I didn't get a phone call from my parents asking me to fix their Internet.

Why?

[Technoodle]

This is a fail. The problem will not go away if we keep coddling people that have infected machines.

"Loose"?

[danomac]

It's a story that sparked lots of media hype with people claiming that hundreds of thousands of people could loose their Internet access.

That was the problem initially, the computers were too loose and malware got in.

Re:

[Samantha Wright]

I think the danger is more about them setting their internet access loose on the entire world, maybe? I mean, it must be pretty scuzzy.

typo in text loose should be lose

[Progman3K]

typo in text loose should be lose

Commercial Decision

[sociocapitalist]

"...protecting any users from losing their access."

This had nothing to do with protecting users. This was because the ISPs didn't want to be overwhelmed with support calls and have to deal with X ignorant and pissed off customers who don't know DNSChanger from a hot dog and who will just blame the ISP for any outage.

The real story

[SpaceLifeForm]

The ISPs did not have dedicated servers for DNSChanger, they have been filtering your DNS traffic all along.

What will it take?

[crow]

What will it take for people to start taking security seriously? One of these days a major botnet will wipe a few million hard drives with no warning. I'm not convinced that even that would do it.

Re:

[Scorch_Mechanic]

I sincerely doubt it. The days of malware simply destroying data are behind us. It's far more useful (and profitable!) to pwn computers and steal information, serve ads, send spam, preform DDoS attacks... you get the idea.

A swarm of computers with garbled drives has no value. A swarm of computers in a botnet you own is infinitely more valuable.

Re:

[RoknrolZombie]

Not everyone is motivated exclusively by money. Especially in this age of "online activism", I suspect that at some point someone will be motivated by fame, or (as many posting here at ./) the idea that "people need to be smarter"...eventually someone will produce some malicious code that *will* do irreparable damage to the systems that are compromised. When that day comes people will - as in nature - be forced to adapt or fail.

Re:

[crow]

Yes, malware is mostly there for a financial incentive, but I can see several scenarios where a large botnet would get wiped. Suppose...

Someone includes self-destruct code that will wipe computers if the network is taken over of the control node are shut down. The idea would be to blackmail security organizations into leaving the botnet alone.

Or someone has a botnet encrypt drives and then make them pay to get the decryption key. A code bug or takedown of the control network causes all the keys to be lost

Make ISPs responsible (was Re:What will it take?)

[John Bokma]

Make ISPs responsible (and if they want they can make their customers responsible). Now they can have tens if not hundreds of zombies within their network, knowingly and doing nothing since they might lose customers. Not going to happen; $$$$.

Re:

[foradoxium]

this will be bad news though, we should be trying to force the ISP to keep their hands OFF our data.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[NemoinSpace]

Seriously?
Companies plan to spend 4.5 percent more on computer security this year than last year, according to results of a Morgan Stanley survey of 100 U.S. chief information officers, released July 13.
They are taking it seriously, they are just doing it wrong.
Never attribute to malice that which is adequately explained by stupidity.

Re:

[fast turtle]

Not even a bot net wiping a few milllion drives will do it. It'll take a Terminator and Skynet to get through to the damn idiots and at that point it's easier to nuke it from orbit

AA&T internet wasn't working yesterday

[scharkalvin]

We have AT&T (bellsouth.net) and yesterday internet access was spotty at best. Some sites loaded right away as usual, some never loaded, some now and then. Ebay was a lost cause, google was ify and google hits went nowwhere. At work we have comcast and it was business as usual.
At home it made no difference which computer I used, MAC, PC, Linux all had issues. My router / DSL modem is a Motorola.

Re:

[jnork]

I've got my home network set up to bypass my ISP's mediocre servers and use the fastest public DNS servers I could find.

Of course I also checked all our computers before D-Day happened. They were clean.

But my ISP doesn't get to decide how my DNS queries resolve.

because...

[otaku244]

It's cheaper to keep it broken than to get customers to go fix it. Duh.

No Need for Gov't Intervention

[hemo_jr]

Just shows that the Internet can take care of itself, and government meddling is not needed.

DNSSEC-enabled stub resolvers or browsers

[jroysdon]

DNSSEC-enabled stub resolvers on the client and/or browsers would have stopped this from ever becoming a problem. Of course, the bad guys would have just disabled this feature and/or replaced the root key on the clients, if they had access. However, it sounds like much of the time it was a vulnerable router that had the dns settings changed. In this case, the clients would have detected false/forged DNS records and stopped the problems sooner..