Most of What You’ve Read About DNSChanger Is Wrong. Here’s How.

If you’ve been scanning the headlines or watching the evening news, you may have heard that tens of thousands of Internet users in the U.S. – hundreds of thousands around the world – will be cut off from the Internet on Monday, July 9, after servers set up at the bequest of the U.S. government go dark. That’s bad, right? Well, maybe not.

If you’ve been scanning the headlines or watching the evening news, you may have heard that tens of thousands of Internet users in the U.S. – hundreds of thousands around the world – will be cut off from the Internet on Monday, July 9, after servers set up at the bequest of the U.S. government go dark. That’s bad, right? Well, maybe not.

What you may not know is that the impending DNSChanger “black out” threatens to obscure what has been a highly successful effort – one of few to date – to stamp out a global online scam and malware infestation.

First, some recent history: U.S. authorities in November unveiled indictments against six Estonian nationals who they charged with running a sophisticated, international online fraud that netted an estimated $14 million in bogus Internet advertising revenues, while infecting some four million computers world wide, 500,000 in the U.S. alone. The scheme used malicious software, installed on victims’ machines, to force the users to visit Web sites that were customers of an online advertising firm controlled by the scammers.

Following the bust, the U.S. Department of Justice, working with ISC and other tech industry partners, set up their own Domain Name System (DNS) servers in place of those used by the cyber criminals to manage Web requests from infected hosts. A court order stipulated that the servers be shut down on March 5, 2012, four months after the bust. However, as that deadline approached, the U.S. Attorney’s Office successfully argued for an extension to July 9 – Monday.

The intervening months have seen both public and private initiatives to identify victims of the scam and to whittle down the number of computers that were still looking for the DNS servers operated by Rove Digital, the Ghost Click gang’s front company. As Threatpost reported in December, 2.5 million infected systems contacted the DNS servers run by ISC three weeks after the bust. By April, that number was down to 350,000 systems, including more than a few computers located within major corporations. The FBI launched a new campaign to help computer users identify whether their system was using the Rove Digital DNS servers, and to prevent those computers from being cut off from the Internet come July 9), while the U.S. Department of Homeland Security appealed to U.S. consumers to check their computers for signs of infection. They were joined, in May, by Google, which announced it would notify users of DNSChanger infections – directly and in the user’s own language. The search giant estimated that around 500,000 people, worldwide, were still infected with the malware. Then, in June, Facebook joined Google, saying it would display a notice for users connecting to the social network from one of the Rove Digital DNS servers and encouraging them to scan their system.

In all, the public and private efforts have been mostly successful. The DNSChanger Working Group, a public-private industry consortium, reports that there are around 60,000 systems located within the U.S. that are still pointing to the Rove Digital DNS servers – down from 500,000 in November. That’s an 88% clean up rate. The number worldwide is likely around 300,000, down from around 4 million – a cleanup rate of around 92%.

So why all the fuss? For one thing: media outlets that often steer away from technically complicated technology and security stories can really latch onto a deadline. The ticking time bomb meme is really too much to resist. So we get lots of sensational stories about an impending blackout, but not much informed discussion about the ‘why?’ and ‘wherefore?’ of it.

Second, there has been a tendency in the media (including Threatpost) to conflate systems that continue to use the Rove Digital DNS servers and systems that are still infected with the DNSChanger malware. That’s a mistake, says Kurt Baumgartner of Kaspersky Lab.

“Vendors cleaned up the malware, but left behind the DNS settings,” he said. “That leaves plenty for the working group to discuss and fix.”

In a blog post, Baumgartner said that nobody knows how many of the systems that are still using the Rove Digital servers are truly infected. “It could be that none of these systems are infected. Or all of them could be infected,” he wrote. “We are seeing thousands of DNS setting detections on systems that have no malware.” That means the stories you’ve been reading in recent days about hundreds of thousands of DNSChanger infected hosts are speculative, at best.

Even the name “DNSChanger” is misleading, Baumgartner contends. “DNSChanger was detected with a ton of different generics, heuristics and family names,” he told Threatpost. They include malware like Sharik, Shadowbot, Alureon in addition to DNSChanger. Complicating things even more, each of those malware components were delivered with other malware, too: the TDSS rootkit, MDrop and Zlob. The rogue DNS server story is also more complicated, Baumgartner notes. Most of the seized assets from the front companies have all been referred to as “Rove Digital”. But the Ghost Click gang actually used a wide range of front companies to support their scam and launder its profits, using front companies operating in countries as disparate as the U.S., the Ukraine, Russia, Estonia, Denmark, and Cyprus.

So the picture is much more crowded than just the DNSChanger malware and the bogus Rove Digital DNS servers. Which isn’t to say that, now that the malware has (mostly) been removed, using the rogue DNS servers operated by Rove isn’t a problem. “It doesn’t mean you have pneumonia, but you still have a cough.” And it makes you extraordinarily more likely to get sick again,” Baumgartner writes.

Some vendors (Kaspersky included) are now detecting the rogue DNS server settings and offering to reconfigure them to use clean DNS servers. Baumgartner sees the rogue DNS issue as an “artifact” of the DNSChanger malware infections that the community hasn’t done a great job of sweeping away. That’s obscured an otherwise successful operation that saw the scam’s architects arrested, their shell companies’ assets seized and most infected hosts cleaned by a consortium of private and public entities.

So why the lingering crisis about computers being “cut off” from the Internet? Baumgartner said it exposes weaknesses in the largely voluntary system for addressing computer virus outbreaks.

“Cleanup is not something that network admins do well, or at all,” Baumgartner notes.

Or, to use a public health analogy: we’re good at identifying and treating the sick, but not so good at preventing future infections and laying the groundwork for a healthier society.

This shouldn’t be a surprise: public health officials struggled with the exact same problem trying to stamp out virus outbreaks a century ago. In the most famous case, Mary Mallon, a.k.a “Typhoid Mary,” infected 53 people with typhus while working as a cook in the New York area in the first decades of the 20th century. But public health officials had a difficult time convincing Mallon, an asymptomatic carrier of Typhus, to submit to medical tests that would confirm her role in the outbreak, or getting her to stop working as a family cook.

Eventually, the New York City health inspector took the (then) unprecedented steps of arresting Mallon and quarantining her on North Brother Island off Manhattan for three years. Even after Mallon was released from quarantine in 1910 on the promise that she would no longer work as a cook, health officials weren’t able to prevent her from changing her name and again finding employment as a household cook – infecting another 25 people with typhus -one fatally – in 1915, after which she was arrested and placed in quarantine for the last time.

Like public health officials battling typhus outbreaks, the government, ISPs, security companies and others with a stake in halting outbreaks and infections online are still struggling to find the right tools for combating malware and outbreaks, that also respect the rights of individuals and companies. In 2010, the Dutch Public Ministry, working with the country’s High Tech Crime Team (THTC), local ISPs and the Dutch Computer Emergency Response Team (GOVCERT.nl) disabled infected servers that constituted the command and control network for the Bredolab botnet. Dutch authorities then redirected infected systems to a Web page with instructions for removing the Bredolab malware. That was (and is) a controversial move. With DNSChanger, officials in the U.S. and the private sector represented by the DNSChanger Working Group took a softer approach: using a public information campaign to raise awareness about the infections and working through the Internet Systems Consortium (ISC), ISPs and other large organizations that serve the owners of infected systems, in the hopes that they can assist with disinfecting those machines and making sure they are querying legitimate DNS servers when surfing the Web.

In the end, we can count the DNSChanger case as a “win,” but a very qualified win at that. As in the sphere of public health: the hard work of maintaining a healthy and virus free Internet ecosystem lies ahead of us, not behind us. Both the public and private sector need new tools and strategies that allow them to respond rapidly in the case of an outbreak, and to work together over the long term to support commerce and the exchange of information and ideas. Mary Mallon spent the last two and a half decades of her life living in isolation on an island off Manhattan, dying of pneumonia in 1938. That was, undoubtedly, a “win” for public health. But its worth noting that, a century after Typhoid Mary, the Centers for Disease Control (CDC) reported that there are around 48 million food-borne illnesses each year in the United States sickening one of every six people every year and resulting in about 128,000 hospitalizations and 3,000 deaths. Securing the Internet from scams and malware, like fighting the spread of food borne contagion, is a long, hard road that we’ve only begun to travel.

Suggested articles

2021 Attacker Dwell Time Trends and Best Defenses

The time that attackers stay hidden inside an organization’s networks is shifting, putting pressure on defenders and upping the need to detect and respond to threats in real-time.