http://arstechnica.com/business/news/2012/02/500000-zombies-risk-death-as-dnschanger-court-order-nears-expiration.ars

500,000 zombie PCs imperiled as expiration of court order approaches
By Dan Goodin

An estimated half million users of compromised computer systems risk losing their Internet connection next month unless a federal judge extends a court order authorizing a California not-for-profit to operate a network of surrogate domain-name-system servers.

Paul Vixie, founder of the Internet Systems Consortium, has been operating the servers since early November, when federal authorities obtained court permission for him to replace a fleet of rogue DNS resolvers used in a massive fraud scheme that directed millions of end users to websites they never intended to visit. Without the replacement servers, millions of people hit by the DNSChanger botnet would have experienced Internet failures when the rogue systems were unplugged.

At a conference in San Francisco on Wednesday, Vixie said about 500,000 end users are still relying on the replacement servers to translate domain names into IP addresses. He made clear that if the court order expires on March 8 as it is now scheduled to do, his ISC non-profit, which maintains the open-source BIND DNS software package, will cease operating the replacement servers. And that will leave many of those still compromised in the dark.

"In the absence of that court order, it would be very difficult for someone like us to go in there and say, 'Yeah, we will speak BGP and pirate that address space and run these name servers,'" he told an audience attending the 24th General Meeting of the Messaging Anti-Abuse Working Group. "We will not do that. There are laws saying you should not, but it's also just kind of a bad precedent."

In a court document filed last week in US Court in the Southern District of New York, prosecutors asked that the order be extended by four months so authorities and network operators have additional time to notify customers who were infected by DNSChanger. The request comes after ISPs have told prosecutors that tens of thousands of their customers remain infected with DNSChanger, three months after the scam was exposed and seven of the principals behind it were indicted.

"Extending the operation of the Replacement DNS Servers will provide additional time for victims to remove the malware from their computers, thereby enabling them to reach websites without relying on the Replacement DNS Servers," the court motion states.

The predicament comes after federal prosecutors arrested six of the seven people alleged to be behind the DNSChanger scam. Using an Estonian business front dubbed Rove Digital, the team infected millions of Windows PCs with a customized version of a highly virulent piece of malware known as Alureon, or alternatively as TDL or TDSS. The malware alters configuration settings in the operating system, and in unsecured wireless routers the PCs connect to, so that the affected machines use rogue DNS servers controlled by the perpetrators. As a result, those affected by the malware connected to Web servers they never intended to visit. The perpetrators earned millions of dollars in advertising revenue when the end users viewed ads on those sites, prosecutors said.

Under "Operation Ghost Click," authorities with the FBI and NASA's Office of Inspector General seized more than 100 US-based servers used to resolve popular domain names to incorrect IP addresses. To prevent millions of infected end users from losing the ability to access email and web pages, prosecutors arranged to have ISC simultaneously take over the IP addresses and BGP (border gateway protocol) announcements used by the rogue resolvers so the non-profit could set up replacement DNS servers.

Feds said at the height of the scam some 5 million machines were infected by the malware, although Vixie said that number may have been inflated because of the difficulty of mapping the number of IP addresses to PCs. He said he estimates 500,000 machines still rely on the replacement servers. Last week's court order put the figure at 430,000.

Vixie rejected audience proposals that, once the court order expires, ISC should redirect all people relying on the replacement servers to a "walled garden" page that informs them their systems are compromised. He also rejected a suggestion that the servers redirect users to such pages now, while the order is still in effect.

"That's not the business I'm in," he explained at the conference, which was attended by more than 400 representatives of ISPs, legitimate senders of bulk email, and vendors of software and hardware. "That's not the business the FBI is in, and I don't think that's what the judge thought he was authorizing. So at the moment, that looks to be completely off the table."

MAAWG Chairman Michael O'Reirdan told the audience member that ISPs are working hard to alert customers who remain infected so they can clean up their machines.

"If putting people in walled gardens doesn't work, we're going to do something else," he said. "If the most effective thing to do is send them individual carrier pigeons, maybe that's what we'll have to do in the future."
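The article describes the infection's footprint in one sentence: the malware rewrites the resolver settings on the PC (and on unsecured home routers) so that lookups go to attacker-controlled DNS servers. The practical check that ISPs and victims needed was therefore simple: compare the resolvers a host is actually configured to use against the published list of rogue address ranges. The following Python script, added here as an illustration and not part of the article or of ISC's or the FBI's tooling, parses a resolv.conf-style configuration and flags any nameserver that falls inside a rogue range. The CIDR list and the sample configuration are constructed placeholders drawn from the RFC 5737 documentation ranges; the real DNSChanger ranges are not given in the article and would have to be substituted from the official notice.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Placeholder "rogue resolver" ranges for this example only. They are the
# RFC 5737 documentation networks, not the real DNSChanger ranges, which the
# article does not list; substitute the published ranges when using this.
ROGUE_RESOLVER_CIDRS = [
    "203.0.113.0/24",   # placeholder (TEST-NET-3)
    "198.51.100.0/24",  # placeholder (TEST-NET-2)
]

# Constructed sample of a resolver configuration as a DNS-changing infection
# would leave it: one rogue resolver first, a legitimate-looking one second,
# and a malformed entry to show the parser tolerating junk.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search example.internal
nameserver 203.0.113.7
nameserver 192.0.2.53
nameserver not-an-ip
"""


def parse_resolv_conf(text: str) -> List[str]:
    """Return the nameserver addresses listed in resolv.conf-style text,
    in the order the resolver library would try them."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments and whitespace
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify_resolvers(resolvers: Iterable[str],
                       rogue_cidrs: Iterable[str]) -> List[Tuple[str, str]]:
    """Label each configured resolver 'rogue', 'ok' or 'invalid' by testing
    it against the rogue CIDR list. Mixed IPv4/IPv6 comparisons are safe:
    ipaddress treats an address of the other family as not contained."""
    networks = [ipaddress.ip_network(c, strict=False) for c in rogue_cidrs]
    results = []
    for server in resolvers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            results.append((server, "invalid"))
            continue
        hit = any(addr in net for net in networks)
        results.append((server, "rogue" if hit else "ok"))
    return results


def host_is_affected(text: str,
                     rogue_cidrs: Iterable[str] = ROGUE_RESOLVER_CIDRS) -> bool:
    """True if any configured nameserver lies in a rogue range. Even one rogue
    entry matters: the resolver library will use it before falling through."""
    verdicts = classify_resolvers(parse_resolv_conf(text), rogue_cidrs)
    return any(label == "rogue" for _, label in verdicts)


if __name__ == "__main__":
    for server, label in classify_resolvers(parse_resolv_conf(SAMPLE_RESOLV_CONF),
                                            ROGUE_RESOLVER_CIDRS):
        print(f"{server:20} {label}")
    print("affected" if host_is_affected(SAMPLE_RESOLV_CONF) else "clean")
```

On a Windows PC of the kind the article describes the same comparison applies to the DNS server list in the adapter settings (and to the DHCP-advertised DNS servers on the home router), so the check is worth running against both the host and the gateway, since cleaning the PC does nothing if the router still hands out the rogue addresses.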