500,000 zombie PCs imperiled as expiration of court order approaches

Discussion in 'Anti-Virus' started by Virus Guy, Feb 23, 2012.

  1. Virus Guy

    Virus Guy Guest


    500,000 zombie PCs imperiled as expiration of court order approaches
    By Dan Goodin

    An estimated half million users of compromised computer systems risk
    losing their Internet connection next month unless a federal judge
    extends a court order authorizing a California not-for-profit to operate
    a network of surrogate domain-name-system servers.

    Paul Vixie, founder of the Internet Systems Consortium, has been
    operating the servers since early November, when federal authorities
    obtained court permission for him to replace a fleet of rogue DNS
    resolvers used in a massive fraud scheme that directed millions of end
    users to websites they never intended to visit. Without the replacement
    servers, millions of people hit by the DNSChanger botnet would have
    experienced internet failures when the rogue systems were unplugged.

    At a conference in San Francisco on Wednesday, Vixie said about 500,000
    end users are still relying on the replacement servers to translate
    domain names into IP addresses. He made clear that if the court order
    expires on March 8 as it is now scheduled to do, his ISC non-profit,
    which maintains the open-source BIND DNS software package, will cease
    operating the replacement servers. And that will leave many of those
    still compromised in the dark.

    "In the absence of that court order, it would be very difficult for
    someone like us to go in there and say, 'Yeah, we will speak BGP and
    pirate that address space and run these name servers,'" he told an
    audience attending the 24th General Meeting of the Messaging Anti-Abuse
    Working Group. "We will not do that. There are laws saying you should
    not but it's also just kind of a bad precedent."

    In a court document filed last week in US Court in the Southern District
    of New York, prosecutors asked that the order be extended by four months
    so authorities and network operators have additional time to notify
    customers who were infected by DNSChanger. The request comes after ISPs
    have told prosecutors that tens of thousands of their customers remain
    infected with DNSChanger, three months after the scam was exposed and
    seven of the principals behind it were indicted.

    "Extending the operation of the Replacement DNS Servers will provide
    additional time for victims to remove the malware from their computers,
    thereby enabling them to reach websites without relying on the
    Replacement DNS Servers," the court motion states.

    The predicament comes after federal prosecutors arrested six of the
    seven people alleged to be behind the DNSChanger scam. Using an
    Estonian business front dubbed Rove Digital, the team infected millions
    of windows PCs with a customized version of a highly virulent piece of
    malware known as Alureon, or alternatively as TDL or TDSS. The malware
    alters configuration settings in the operating system and unsecured
    wireless routers they connect to that cause people to use rogue DNS
    servers that were controlled by the perpetrators. As a result, those
    affected by the malware connected to Web servers they never intended to
    visit. The perpetrators earned millions of dollars in advertising
    revenue when the end users viewed ads on those sites, prosecutors said.

    Under "Operation Ghost Click," authorities with the FBI and NASA's
    Office of Inspector General seized more than 100 US-based servers used
    to resolve popular domain names to incorrect IP addresses. To prevent
    millions of infected end users from losing the ability to access email
    and web pages, prosecutors arranged to have ISC simultaneously take over
    IP addresses and BGP, or border gateway protocol, addresses used by the
    rogue resolvers so the non-profit could set up replacement DNS servers.

    Feds said at the height of the scam some 5 million machines were
    infected by the malware, although Vixie said that number may have been
    inflated because of the difficulty of mapping the number of IP addresses
    to PCs. He said he estimates 500,000 machines still rely on the
    replacement servers. Last week's court order put the figure at 430,000.

    Vixie rejected audience proposals that, once the court order expires,
    ISC should redirect all people relying on the replacement servers to a
    "walled garden" page that informs them their systems are compromised.
    He also rejected a suggestion that the servers redirect users to such
    pages now, while the order is still in effect.

    "That's not the business I'm in," he explained at the conference, which
    was attended by more than 400 representatives of ISPs, legitimate
    senders of bulk email, and vendors of software and hardware. "That's
    not the business the FBI is in, and I don't think that's what the judge
    thought he was authorizing. So at the moment, that looks to be
    completely off the table."

    MAAWG Chairman Michael O'Reirdan told the audience member that ISPs are
    working hard to alert customers who remain infected so they can clean up
    their machines.

    "If putting people in walled gardens doesn't work, we're going to do
    something else," he said. "If the most effective thing to do is send
    them individual carrier pidgins, maybe that's what we'll have to do in
    the future."
    Virus Guy, Feb 23, 2012
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.