Botnet closure to cut 300,000 people off the web

FBI to pull the plug on infected machines on Monday

4 Jul 2012

The FBI will pull the plug on DNSChanger servers next week, leaving thousands of people without internet access - but such "tough love" is necessary to protect the internet, say experts.

The DNSChanger malware and botnet were shut down in November last year, following an FBI-led investigation in which the US police agency seized the accused cybercriminals' hardware.

DNSChanger does exactly what the name suggests: it rewrites an infected machine's DNS settings so that every name lookup goes to resolvers the gang controlled, which could answer with whatever addresses the criminals chose and so silently redirect users to different sites. Those servers have been kept running under FBI control since the takedown so that infected machines could still resolve names during the clean-up period. On Monday, the FBI will switch them off, leaving as many as 300,000 PCs worldwide - and 19,589 in the UK, as of last month - pointed at dead resolvers and unable to reach the web, unless their DNS settings are corrected or their users take the unusual step of typing IP addresses directly into the browser.

What to do

Find out if you have an infection by running your antivirus, visiting a DNSChanger checking site or downloading a specialised tool to uncover and clean up the infection at the following sites:

F-Secure's DNSChanger checker

BitDefender's DNSChanger Detector

DNS Changer Working Group tools
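As an added example (not code from this article, the DNS Changer Working Group or the vendors named above), here is a small checker for the one fact that matters on Monday: whether a machine's configured resolvers fall inside the rogue address ranges DNSChanger pointed victims at. It reads either a Unix resolv.conf or a saved `ipconfig /all` capture. The six ranges are reproduced from memory of the FBI/DCWG advisory and are an assumption to verify against the working group's own list; the resolv.conf and ipconfig samples embedded below are constructed, not real captures.

```python
"""Flag DNS resolver settings that point at DNSChanger's rogue servers.

Added example for this article; it is not code from the DNS Changer Working
Group, F-Secure or BitDefender. Assumption: the six IPv4 ranges in ROGUE_RANGES
are the rogue-resolver ranges published by the FBI and the DCWG for DNSChanger
(reproduced from memory here); check them against the working group's current
list before relying on the result.
"""
import ipaddress
import sys

# Assumed DNSChanger rogue resolver ranges (FBI/DCWG advisory), as CIDR blocks.
ROGUE_RANGES = [
    ipaddress.ip_network("85.255.112.0/20"),  # 85.255.112.0 - 85.255.127.255
    ipaddress.ip_network("67.210.0.0/20"),    # 67.210.0.0   - 67.210.15.255
    ipaddress.ip_network("93.188.160.0/21"),  # 93.188.160.0 - 93.188.167.255
    ipaddress.ip_network("77.67.83.0/24"),    # 77.67.83.0   - 77.67.83.255
    ipaddress.ip_network("213.109.64.0/20"),  # 213.109.64.0 - 213.109.79.255
    ipaddress.ip_network("64.28.176.0/20"),   # 64.28.176.0  - 64.28.191.255
]

# Constructed sample inputs (not real captures) so the script runs offline.
SAMPLE_RESOLV_CONF = """\
# /etc/resolv.conf on an infected Unix-like host (constructed)
nameserver 85.255.112.36
nameserver 8.8.8.8
"""

SAMPLE_IPCONFIG = """\
   DNS Servers . . . . . . . . . . . : 93.188.160.10
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def is_rogue_resolver(addr):
    """True if addr is an IP address inside one of the rogue ranges.
    Anything that is not a valid IP address is treated as not rogue."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in ROGUE_RANGES)


def parse_resolv_conf(text):
    """Collect the addresses on 'nameserver' lines, ignoring comments."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def parse_ipconfig(text):
    """Collect DNS server addresses from English-locale 'ipconfig /all' output.
    The first address sits on the 'DNS Servers' line; further addresses follow
    on indented, label-free lines. Only IPv4 matters here because the rogue
    ranges are IPv4; an IPv6 continuation line (it contains ':') ends the block."""
    servers = []
    in_block = False
    for line in text.splitlines():
        if "DNS Servers" in line and ":" in line:
            in_block = True
            servers.append(line.split(":", 1)[1].strip())
        elif in_block and line.strip() and ":" not in line:
            servers.append(line.strip())
        else:
            in_block = False
    return servers


def check_resolvers(servers):
    """Split resolver addresses into (rogue, other)."""
    rogue = [s for s in servers if is_rogue_resolver(s)]
    other = [s for s in servers if not is_rogue_resolver(s)]
    return rogue, other


def main(argv):
    # Pass a saved resolv.conf or 'ipconfig /all' capture as the only argument;
    # with no argument the constructed samples are checked instead.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        servers = parse_resolv_conf(text) or parse_ipconfig(text)
    else:
        servers = parse_resolv_conf(SAMPLE_RESOLV_CONF) + parse_ipconfig(SAMPLE_IPCONFIG)
    rogue, other = check_resolvers(servers)
    for s in rogue:
        print("ROGUE  %s  (DNSChanger range; stops resolving when the servers go dark)" % s)
    for s in other:
        print("ok     %s" % s)
    return 1 if rogue else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit status means at least one configured resolver sits in a rogue range, which is the case that will turn into "no internet" on Monday; the fix is the one described later in the article, remove the malware and then reset the DNS settings to the ISP's or a public resolver. Note that the check only looks at the host's own settings: DNSChanger also rewrote DNS on home routers, so a clean machine behind an infected router still needs the router's DHCP-advertised resolvers checked the same way.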

Security firm BitDefender said infections remain at government organisations as well as Fortune 500 companies, but F-Secure's security advisor Sean Sullivan expects most of the afflicted computers will be further down the chain. "My suspicion is a lot of those [infected] machines are going to be tucked away in small/medium businesses, and no-one’s really paying close attention to it," Sullivan said. "Some sort of group-use machine that has gotten infected and no one is taking responsibility for the thing."

Consumers could of course also be affected, but many have already been alerted, as ISPs, Google and Facebook have been warning users.

The FBI was initially going to turn off the servers in March, but extended the clean-up period until Monday. That doesn't look likely to be extended again - and Sullivan doesn't think it should be, saying it was time for "tough love".

"The botnet is pretty much disabled, but if your machine is infected, it’s compromised – it’s an indication that the person who owns the computer doesn’t know it’s infected," he explained. "They never learn to patch up the machine, so it’s vulnerable to other threats as well. The longer these things sit there, the more time there is for something else to infect."

"Cutting them off would force them to get ahold of tech support and reveal to them that they’ve been running a vulnerable machine that’s been compromised," he added.

David Emm, security researcher at Kaspersky Labs, agreed that it was worrying if anyone has missed an infection after this long - many months after it's been made public and been added to antivirus checkers. "If anybody hasn’t cleaned up, it’s a little bit worrying," he said. "Certainly, if it’s an organisation, you might wonder – it’s a bit scary if a business has defences in place that haven’t flagged this up six months down the line."

Infections remain

Still, while hundreds of thousands of PCs remain infected, there were many more when the FBI first started the operation. "It’s still a significant number, but it’s way behind the four million that was the estimate right at the start of this operation," Emm said.

If a PC does refuse to connect to the web on Monday, it's no reason to panic. After removing the malware (see sidebar), DNS settings simply need to be reset. "It’s not going to be completely hopeless, but IT desks better be ready," said Sullivan.

Emm warned IT support desks to expect confusion from users on Monday. "If they didn’t know at that point that they were infected, they may not immediately know on Monday, either."
