
    Will the FBI close down your online business this March?

In tackling the DNSChanger botnet, the FBI may take a load of businesses offline. Davey Winder is, unsurprisingly, anxious...

By Davey Winder, 17 Feb 2012 at 12:32


Even though the botnet behind the DNSChanger Trojan was dismantled towards the end of last year, a huge number of enterprises appear to still be infected.

So what's the problem if the power behind the Trojan has been hauled off to jail? Well how about the small matter of the FBI apparently insisting it will seek to disconnect any computer still found to be infected with DNSChanger on 8 March?

DNSChanger was one of the most malicious Trojans to hit businesses last year, infecting around 4 million computers globally. It worked by changing the host system's Domain Name Server (DNS) settings to point them at assorted advertising and often malicious sites via the now dismantled botnet. It also made changes to ensure that infected systems could no longer reach security vendor sites, so victims could not get help with removing it.


It was a typically clever bit of malware and one that proved to be pretty successful, allegedly netting the Estonian gang behind it upwards of £8 million in profit. It did all of this by simply changing the NameServer Registry key value to a custom IP address upon installation of the malicious executable.
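As an added example that is not part of the article, the PowerShell audit below reads the Windows NameServer registry values the text refers to (the global TCP/IP parameters key and each per-interface subkey) and flags any statically configured resolver that is not on an expected list; the allowlist addresses are constructed placeholders to be replaced with your own resolvers.

```powershell
# Added example (not from the article): audit the NameServer registry values
# that DNSChanger-style malware overwrites and report any resolver that is not
# one the organisation expects. The allowlist is a constructed placeholder.
$ExpectedDns = @('10.0.0.53', '10.0.1.53')

$Base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$Findings = @()

# Check the global NameServer value and every interface-specific subkey.
$Keys = @($Base) + (Get-ChildItem -Path "$Base\Interfaces" | ForEach-Object { $_.PSPath })

foreach ($Key in $Keys) {
    $Props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    # NameServer holds statically configured resolvers. On a DHCP client a
    # non-empty value is worth a look in itself, because it overrides the
    # DhcpNameServer value handed out by the network.
    $Static = $Props.NameServer
    if ([string]::IsNullOrWhiteSpace($Static)) { continue }

    # Multiple resolvers may be separated by commas or spaces.
    $Servers = $Static -split '[ ,]+' | Where-Object { $_ }
    foreach ($Server in $Servers) {
        if ($ExpectedDns -notcontains $Server) {
            $Findings += [pscustomobject]@{
                Key        = $Key
                NameServer = $Server
            }
        }
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No unexpected static DNS resolvers found.'
} else {
    Write-Output 'Unexpected static DNS resolvers (review these machines):'
    $Findings | Format-Table -AutoSize
}
```

Run it from an elevated prompt across the estate (for example via a scheduled task or remote session) and treat any hit as a machine to check before the interim resolvers are switched off.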

But, I have to ask on your behalf once again, why does any of this actually matter now that the command-and-control botnet handling the DNS diversions has been dismantled and no longer exists, so that those infected computers can no longer be pointed towards the nefarious sites? That's where the FBI comes in.

The botnet itself was uncovered after a co-ordinated attack on the malware infrastructure. Law enforcement authorities and service providers effectively reverse engineered the botnet and alerted customers whose machines were infected with the Trojan.


Seriously?

Oh, come on. "The FBI is closing down your business." You're seriously going to try to spin it this way? Really?

These computers are not being "removed from the internet." They're still connected to the internet. They're just misconfigured and need to be corrected. That's not the FBI's problem. It's the owners' problem. It's not the FBI's responsibility to maintain DNS servers for the benefit of people too lazy to do basic maintenance.

"...any business whose computers are still infected with the Trojan, and therefore still using this surrogate DNS service, will find themselves removed from the internet entirely..."

Exaggerate much? Only the individual infected machines will have trouble connecting, not the entire business. This primarily means workstations, not servers. If the servers stay up, email stays up; web services stay up; VPN stays up, and so on. (Unless you're running all Windows servers, and they're all still infected with a well-known botnet trojan after half a year, and if that's the case frankly you deserve what you get.)

"...half of all major government agencies likewise carry at least one infected machine."

Ooh, big crisis there. One computer might fail to connect in March, or not, at any given government agency.

"Now it looks like, for a large number of businesses anyway, that the FBI may just beat [Anonymous] to [taking down the internet]."

Again, exaggerate much? There are 400K machines still using the FBI's DNS server. Granted that's a big number, but it's still a drop in the bucket compared to the total machines on the internet. The internet will not be "taken down" if the FBI shuts off their interim DNS server. Nor should it, I might add. The internet is designed to be fault-tolerant, able to withstand the loss of any one service point. Deliberately keeping all those machines reliant on a single DNS server violates the internet's design model. Let them fail. It's not like they're banned from the internet; they just have to fix their configurations.

This is seriously irresponsible journalism. Both the scare-tactic headline and the slanted article are painting this as if the FBI is randomly targeting businesses for arbitrary disconnection from the internet, when the facts are completely different. Why would you even publish such a thing?

By dwasifar on Thursday Feb 23
