DNSChanger cutoff is more whimper than bang. Score one for the good guys.
Cutting off Internet access to computers infected with the nasty DNSChanger trojan did not bring about doomsday after all. Why, beyond the obvious, that's good news in the cybersecurity world.
"We've seen a kind of a victory of shared collective intelligence in this case," says Rod Rasmussen, president of Tacoma, Wash.-based Internet Identity, a cybersecurity firm that is part of the law-enforcement-backed DNSChanger Working Group consortium. "A lot has been learned by law enforcement and private companies about how to work together to bring down these criminal enterprises – but also how to remediate the problem over time, rather than putting a lot of people in the dark all at once."
It also represents, he and others say, a sign that government and law enforcement – supported by technicians in private industry – are increasingly able to initiate complex cybercriminal investigations that span international borders.
"There's definitely a trend with government more willing to get involved to fight botnets like the DNSChanger and other malware – in addition to using the legal system to take down servers used by criminals," says Brett Stone-Gross, a senior security researcher with Dell SecureWorks.
In a parallel example earlier this year, the FBI along with private industry worked to notify thousands of computer users whose machines were infected with the Coreflood trojan, a piece of malware that stole proprietary information from personal computers worldwide and enslaved them into a giant botnet.
Still, some Internet wags were already comparing the DNSChanger trojan takedown to the Y2K hyperbole – noting that not much has really happened after all.
But that is not really correct, these experts say, since a very real effect – if not a very loud one – can be seen by security researchers: namely, more than 200,000 machines worldwide infected with the DNSChanger now dropping off the Internet.
One reason researchers can observe the infected machines at all is that the very servers that had been supplying Internet addresses to the infected machines were not actually shut down Sunday night, but only instructed to stop responding to the infected machines. In the interest of learning, researchers are now observing the remaining DNSChanger-infected machines worldwide try to connect, fail, try again – and then stop communicating.
One odd tidbit: some machines running older versions of the Windows operating system have a backup feature that allows them to try to connect to the Internet using a backup system. It's not clear yet how many of those machines will be able to resurrect themselves. For most owners of infected computers, however, the only recourse after getting cut off will be to take their machines into a shop for repair.
"So far the pattern is what we expected, a big drop off in connection attempts," Mr. Rasmussen says. "Some machines are still trying and failing to connect to the servers. We've instructed the servers not to respond. It's tough love, I guess. Tonight, just before midnight, we will actually, finally pull the plug."
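The observation described above – seized resolvers that stay up but stop answering, while researchers watch infected clients retry and then go quiet – can be illustrated with a small defender-side script. The following is an added example, not code from the article or from the DNSChanger Working Group. It assumes two things the article does not supply: the seized resolver ranges (stand-in documentation prefixes 192.0.2.0/24 and 198.51.100.0/24 are used as placeholders) and a simple line format for the sinkhole's query log (constructed sample lines are embedded). It offers a check for whether a host's configured resolver points into the seized ranges, and a parser that counts how many distinct clients are still querying the sinkhole each day, which is the "big drop off" pattern Rasmussen describes.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Placeholder ranges standing in for the seized DNSChanger resolver blocks.
# The article does not list the real ranges; these are RFC 5737 documentation
# prefixes and would be replaced with the published ranges in practice.
SINKHOLE_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]


def points_at_sinkhole(resolver_ip, ranges=SINKHOLE_RANGES):
    """Return True if a host's configured DNS resolver falls inside a seized range.

    A machine whose resolver setting lands in one of these ranges lost name
    resolution when the sinkhole stopped answering and needs its DNS settings
    (and the underlying infection) remediated.
    """
    addr = ipaddress.ip_address(resolver_ip)
    return any(addr in net for net in ranges)


# Assumed (constructed) sinkhole query-log format:
#   <ISO-8601 timestamp> client=<ip> query=<name> status=<answered|dropped>
LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+ client=(\S+) query=(\S+) status=(\w+)$")

# Constructed sample log: three clients before the cutoff, then fewer and
# fewer still retrying once the resolvers were told to stop responding.
SAMPLE_LOG = [
    "2012-07-08T23:50:01Z client=203.0.113.10 query=example.com. status=answered",
    "2012-07-08T23:50:02Z client=203.0.113.11 query=example.com. status=answered",
    "2012-07-08T23:50:03Z client=203.0.113.12 query=example.net. status=answered",
    "2012-07-09T00:05:00Z client=203.0.113.10 query=example.com. status=dropped",
    "2012-07-09T00:05:01Z client=203.0.113.11 query=example.com. status=dropped",
    "2012-07-09T00:10:00Z client=203.0.113.10 query=example.com. status=dropped",
    "2012-07-09T00:10:01Z client=203.0.113.11 query=example.com. status=dropped",
    "2012-07-10T00:00:00Z client=203.0.113.10 query=example.com. status=dropped",
]


def parse_sinkhole_log(lines):
    """Yield (day, client, qname, status) tuples; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groups()


def clients_per_day(lines):
    """Count distinct client addresses seen querying the sinkhole on each day.

    A steadily shrinking count after the cutoff is the drop-off the working
    group expected; a client that keeps appearing is one still unremediated.
    """
    seen = defaultdict(set)
    for day, client, _qname, _status in parse_sinkhole_log(lines):
        seen[day].add(client)
    return {day: len(clients) for day, clients in sorted(seen.items())}


def retry_counts(lines, status="dropped"):
    """Per-client count of queries the sinkhole deliberately left unanswered."""
    counts = Counter()
    for _day, client, _qname, st in parse_sinkhole_log(lines):
        if st == status:
            counts[client] += 1
    return dict(counts)


if __name__ == "__main__":
    for resolver in ("192.0.2.53", "198.51.100.9", "9.9.9.9"):
        print(resolver, "-> seized range" if points_at_sinkhole(resolver) else "-> ok")
    print("clients per day:", clients_per_day(SAMPLE_LOG))
    print("unanswered retries per client:", retry_counts(SAMPLE_LOG))
```

The resolver check is the piece an end user or help desk would run; the log functions are the piece the sinkhole operator would run, and a client that still shows up days after the cutoff is one whose owner has not yet taken the machine in for repair.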