DNSChanger servers get shut down
July 7, 2012 1:16 PM

On Monday hundreds of thousands of computers will lose their ability to connect to the Internet.

The servers controlling the DNSChanger malware will be shut down, and without them computers which are still infected will cease to be able to do DNS lookups. Getting rid of it isn't easy, and requires a specific set of tools which would need to be downloaded before Monday. (Or, of course, you could reinstall the OS.)
posted by Chocolate Pickle (72 comments total) 13 users marked this as a favorite

 
I'm going to buy batteries, it's Y2k all over again!
posted by HuronBob at 1:24 PM on July 7, 2012 [4 favorites]


Work is a Mac shop, and I don't think I've ever had an infection on one of my personal/freelance machines (windows). (Nevertheless, of course I've checked...)

Nevertheless I do anticipate having one of my bosses ask me about this on Monday....
posted by lodurr at 1:30 PM on July 7, 2012


Link to determine whether or not your computer is gem dandy.
posted by (Arsenio) Hall and (Warren) Oates at 1:33 PM on July 7, 2012 [14 favorites]


Connecting to other computers by IP address (rather than domain name) will still work, if I'm not mistaken. That won't help most people, but perhaps one might work around the problem by using a proxy?
posted by LogicalDash at 1:35 PM on July 7, 2012


So... Someone needs to delete the hosts file from these computers, I guess? They are making it sound like a huge deal. It's more like "hey these folks have a bad phone book so instead of giving them a new phone book we are going to disconnect their phones".
posted by caution live frogs at 1:37 PM on July 7, 2012


I don't understand why instead of just operating as the DNS for all this time, they didn't just redirect all requests to a page with instructions on how to remove it.

Because from the media reports I've seen, on Monday if you're infected a page just won't resolve leaving people to figure it out on their own (without the internet).

Also, could the URL they chose to see if you're infected sound any more sketchy? http://www.dns-ok.us/. I mean that sounds like a honey pot for viruses.
posted by birdherder at 1:38 PM on July 7, 2012 [13 favorites]


I think it's a tragedy that 100's of thousands of people who have not installed any patches or security updates to windows over the last several years will have their ability to connect to the internet impaired until someone knowledgeable does maintenance on them. Their contributions will be sorely missed.
posted by WaylandSmith at 1:51 PM on July 7, 2012 [47 favorites]


If I get one more call from a family member about this... My Dad called me today and thought his PC was infected because of some anti-malware software I installed for him. "The guy on the news said "malware" and I see there's malware that you put on my computer so how are you going to fix this." That man should not own a computer.
posted by MikeMc at 1:53 PM on July 7, 2012 [24 favorites]


Please note, however, that if your ISP is redirecting DNS traffic for its customers you would have reached this site even though you are infected. (from (Arsenio)'s link)

But then they don't explain how you know if you're really uninfected if you can get to the site because your ISP is redirecting. Not helpful.
posted by rtha at 1:54 PM on July 7, 2012


Just go to savemyyahoohomepage.spycleaner.gov.cn.
posted by benzenedream at 1:58 PM on July 7, 2012 [3 favorites]


I don't understand why instead of just operating as the DNS for all this time, they didn't just redirect all requests to a page with instructions on how to remove it.

Hmm, I'm not sure we want to train users to install random fixes from the internet when they run across a website that says they're infected with malware. And plus many infections were probably on work computers where the user might not even have the permissions required to do the fix.

But yeah, now that there's been plenty of time for most infections to be cleaned up, running it as you suggest for a couple weeks would probably be a better option than just shutting it off.
posted by jcreigh at 2:11 PM on July 7, 2012 [2 favorites]


Looks like I'll be hearing from a lot of my relatives next week.
posted by the_artificer at 2:23 PM on July 7, 2012 [4 favorites]


Hopefully, none of these computers are hooked up to control systems in nuclear power plants. That would lead to a pretty unfortunate case of the Mondays.
posted by Blazecock Pileon at 2:37 PM on July 7, 2012 [2 favorites]


I'm pretty sure the guy on talk radio said this was really part of Obama's secret plan to take over the internet.
posted by Thorzdad at 2:38 PM on July 7, 2012 [1 favorite]


Haha good to know. I go back to work Monday, computer repair. I wonder how many computers I'll get with this virus. :)
posted by NotSoSiniSter at 2:51 PM on July 7, 2012


So mac users are still smug eh?
posted by markr at 3:06 PM on July 7, 2012


So mac users are still smug eh?

Probably, but they shouldn't be.
posted by Chocolate Pickle at 3:15 PM on July 7, 2012 [3 favorites]


Just for the record -- iOS devices != Macs.

(For now, anyway...)
posted by hippybear at 3:17 PM on July 7, 2012


So mac users are still smug eh?

You don't need malware to get a macuser's money.
posted by srboisvert at 3:21 PM on July 7, 2012 [12 favorites]


I think they should have crises like this several time a year! I think it brings people together.
posted by Obscure Reference at 3:33 PM on July 7, 2012 [2 favorites]


I'm an Apple Fanboi (Apple TV, iPhone, iPad and MacBook Pro), but still remind friends and family that we still must employ prophylactic measures in today's viral environment.
posted by ericb at 3:39 PM on July 7, 2012


Their contributions will be sorely missed.

Here's hoping you're not my neighbor.
posted by IndigoJones at 3:58 PM on July 7, 2012 [1 favorite]


Malware threat could strike Monday despite unprecedented effort by Google, Facebook and others.
Google and Facebook each used different technical methods of determining which users might have the DNSChanger infection ... Google began showing notices to affected users in May; Facebook followed suit last month. ... Google, meanwhile, made arrangements with the consortium so any infected computer that tried to do a Google search would be routed to a special Google address, where they would see a warning about the malware.
I really don't know what else the industry could have done. Maybe convince Microsoft to run a special Update for folks with the bad DNS server? But no, presumably the machines weren't running updates before being infected. My suspicion is the number of machines still infected is overestimated. Although that seems unlikely; if they're running the DNS server they can count the queries, right? Will be interesting to see what happens.

At the risk of feeding the MacOS de-rail, here's my MeFi thread in April on FlashBack on Macs.
posted by Nelson at 4:14 PM on July 7, 2012


I'm a mac user at work and I'm anything but smug about malware. But as far as I can tell the fact that we're a Mac shop renders this irrelevant to my office since we have no critical functions running on Windows that have not been installed since this botnet was taken down.
posted by lodurr at 5:29 PM on July 7, 2012


Apple only support the current and previous version of OSX with security updates. Which means that when mountain lion (10.8) comes out very soon, only that and lion (10.7) will get patches. So if you are still running snow leopard - which was last sold in July 2011 - and don't buy the paid upgrade to lion, no patches for you after that. Assuming 10.8 comes out in october, that's going to be a grand total of 14 months of patches since snow leopard (10.6) was last sold, or just over 3 years since it was launched.

Not all macs will run Lion; snow leopard was the last version to support 32 bit core duos for example; and lion ended rosetta support, i.e. any apps with ppc code still in them (such as CS5 photoshop and fireworks did when lion came out) stopped working.

XP was launched in 2001. Patch support for it ends april 2014. So 13 years of security patches from launch; last sold in 2008, so that's 6 years of free patches vs 14 months from apple since end-of-lifed. And of course, if you'd actually been applying those windows patches through the automatic update system you have to intentionally turn off and ignore the warnings, you wouldn't have been vulnerable to dnschanger in the first place.

Of course, flashback wouldn't have even been a problem on osx in the first place if apple hadn't dragged their feet for literally months on rolling out the upstream patches from oracle for apple's included version of java. As it was, only snow leopard and lion got the fix - some weeks after the infection was widespread - in line with apple's current and previous version support. Leopard (10.5) did belatedly get the update, the only patches it has had since Lion was released; and even then, it didn't run on powerpc systems running leopard.

So don't be too smug about running OSX re: security. Unless you don't mind having all updates and security patches stopped for your OS just over a year after it came off the shelf and having to buy the paid upgrade, assuming your computer will even run it.
posted by ArkhanJG at 5:29 PM on July 7, 2012 [6 favorites]


alright, I'm going to resist the temptation to derail hard on apple's grand migration to a shameless planned obsolescence policy and just say: yes, I'm aware of all that, and it's annoying as hell.
posted by lodurr at 5:36 PM on July 7, 2012


Hmm, I see mountain lion is actually scheduled for july, and rumour has it on july 25th, a year after lion to the day. So only 12 months worth of patches since snow leopard was withdrawn from sale, not 14. If you're still on snow leopard, time to upgrade to lion, you've only a couple of weeks left before your OS gets end-of-lifed. Since you can't upgrade direct to mountain lion, you'll have to buy and install lion from the app store first even if you do want to jump forward to mountain lion. (assuming your mac will run it; my core 2 duo mini is stuck with lion).

Good thing I forced my boss to upgrade to Lion last week - he was really hanging onto snow leopard and his mobile.me sync, didn't realise end-of-life was even closer than I thought.
posted by ArkhanJG at 5:38 PM on July 7, 2012


Sorry lodurr, my comment wasn't directed at you (I didn't preview I'm afraid) - I was writing it to actually smug comments further up.
posted by ArkhanJG at 5:40 PM on July 7, 2012


Like so many people, I am not looking forward to work on Monday.
The idiot ratio is high, the Windows ratio higher, the IT department are contractors.

(Ubuntu 4 Lyfe Until It Gets Really Annoying. Which, to be fair, is getting closer.)

I had barely heard about this somehow, so this thread may also have saved me a headache.
posted by Mezentian at 6:00 PM on July 7, 2012


"Daddy, why are the typhoid-infected, ebola-carrying lepers pointing at you and laughing?"
"They heard I might maybe possibly catch a cold if I'm not reasonably careful."
"Can I have a bite of your apple, Daddy?"
"Did you think I was going to make you eat glass, son?"
posted by obiwanwasabi at 6:06 PM on July 7, 2012


Man. A few people need to come down off the high horse.
posted by cashman at 6:10 PM on July 7, 2012 [2 favorites]


I'm glad this thread showed up. I saw some sort of warning about this problem, but I assumed it was a hyperbolic scam. Dire warnings of tons of computers going offline and it can only be stopped by visiting a website are not usually even worth looking into.
posted by windykites at 6:10 PM on July 7, 2012 [1 favorite]


If you're still on snow leopard, time to upgrade to lion, you've only a couple of weeks left before your OS gets end-of-lifed. Since you can't upgrade direct to mountain lion, you'll have to buy and install lion from the app store first even if you do want to jump forward to mountain lion.

This is not true, according to Apple, anyone running the latest version of Snow Leopard (OS X 10.6.8) will be able to upgrade directly to Mountain Lion.
posted by RichardP at 6:17 PM on July 7, 2012 [1 favorite]


On Monday hundreds of thousands of computers will lose their ability to connect to the Internet.

good riddance.
posted by quonsar II: smock fishpants and the temple of foon at 6:21 PM on July 7, 2012


I'll look forward to reading all the combat reports here Monday evening!
posted by Chocolate Pickle at 6:23 PM on July 7, 2012 [1 favorite]


So the authors of DNSChanger wrote software that cracked millions of computers running different configurations of different patch states of different versions of Windows on different hardware, and maintained a farm of malicious DNS servers capable of handling the queries from all those machines, all toward the end goal of fraudulently driving up some ad impression counts?

This is the same feeling I got when someone explained to me that MapReduce was invented to show us more relevant ads. At this rate, if we ever make it back to the moon, it'll be to generate buzz for some limited-edition NASA bobble-head dolls.

I'm trying to find a term to describe how I feel right now, and bathos isn't quite cutting it. This is like the anti-banality of evil. Instead of making horrible things acceptable, we're making awesome, fantastic things mundane.
posted by d. z. wang at 6:39 PM on July 7, 2012 [6 favorites]


Yeah, how dare people who aren't as tech-literate as you use computers.
posted by ChuraChura at 6:49 PM on July 7, 2012 [3 favorites]


Yeah, how dare people who aren't as tech-literate as you use computers.

Spend some time doing family tech support for my parents and get back to me.

Mom: I have no sound.

Me: Is everything plugged in? Power? Is the green plug inserted into the green jack on the back of the computer?

Mom: Yes.

Me: Double check, I'll wait. [waits]

Mom: Everything is plugged in, no sound.

[40 minutes of possible fixes later]

Mom: Still no sound.

Me: Don't know what to tell you, maybe you need new speakers.

[3 days later]

Mom: I have sound again.

Me: What happened?

Mom: The power cord for the speakers wasn't plugged in.

Me: [Facepalm] You said you checked that!

Mom: I was sure it was plugged in.

And on and on and on...
posted by MikeMc at 7:20 PM on July 7, 2012 [5 favorites]


according to Apple, anyone running the latest version of Snow Leopard (OS X 10.6.8) will be able to upgrade directly to Mountain Lion.

Not according to that link:

"Step 1:
Make sure your Mac can run Mountain Lion.

Your Mac must be one of the following models:" (my Mac is not one of them, and runs Snow Leopard, and Lion, fine).
posted by not_that_epiphanius at 7:44 PM on July 7, 2012


I used to have a friend who was a panicky sort of computer illiterate, compounded by the unfortunate fact that he Never Needed To Be Taught Anything Ever, because he already knew how everything worked. Perfectly. He did not appreciate anyone assuming he was stupid and trying to tell him things; that was a horrible offense.

I fixed his computer a lot. And then his boyfriend's, and his cousin's, and had we not severed contact I probably would have been tech support for his entire (large) family. I don't know why, but it was okay for me to fix a problem as long as I did not explain how I did it.

It was very funny, sometimes, to manufacture a 'crisis' that could be easily solved. Fridge magnets in front of the CRT monitor. Flipping the voltage switch on the power supply to sit bang in the middle so nothing worked. Setting the laptop to automatically log-out any other device that logged into email and IM. The panicked phone calls (and, later, text messages) were completely golden, and because he never wanted to know how I worked the computer voodoo (it being beneath him, or whatever), he never suspected I was behind it.

"Dude, I have no idea, you just have bad luck. And you watch too much porn."
posted by cmyk at 8:13 PM on July 7, 2012


The FBI handled this in a remarkably stupid way, just temporarily hiding the problem. They should have made their replacement DNS servers redirect Google .com to a FBI website that told them they were infected and how to fix it. It wouldn't have helped Bing users but fuck those guys.
posted by w0mbat at 8:13 PM on July 7, 2012


Apple no longer markets Macs as malware-free, but rather "built for security," and refines protection in Mountain Lion.

Wow! They give you a mountain lion for protection! I don't know if it will work, but that's way cool ...

...

What?
posted by krinklyfig at 8:22 PM on July 7, 2012 [1 favorite]


I feel sorry for the possibly massive amount of ordinary folks that have computers that will mysteriously stop working for them. No one wants to spring for computer repair and there are so many services that are only accessible through the internet.

.
posted by andendau at 9:47 PM on July 7, 2012


The FBI handled this in a remarkably stupid way, just temporarily hiding the problem. They should have made their replacement DNS servers redirect Google .com to a FBI website that told them they were infected and how to fix it.

On the other hand, as others have pointed out, do we really want people to listen to what some random web site tells them about their computers?

(Your computer is broadcasting your IP address!)
posted by dirigibleman at 9:51 PM on July 7, 2012 [1 favorite]


according to Apple, anyone running the latest version of Snow Leopard (OS X 10.6.8) will be able to upgrade directly to Mountain Lion.
Not according to that link:
I don't think he meant that any machine that runs 10.6 will also run 10.8, but was responding to ArkhanJG's assertion that you can't upgrade from 10.6 to 10.8 without going via 10.7.
posted by russm at 11:22 PM on July 7, 2012 [1 favorite]


lose their ability to connect to the Internet
No, they will have to select other nameservers.

Oh and your linked article misspelled "Web site". Hardly an authority.
posted by vsync at 12:20 AM on July 8, 2012


dirigibleman, centipedes?! In my vagina?!
posted by vsync at 12:21 AM on July 8, 2012


It's dangerous out there, take this.
posted by deborah at 12:27 AM on July 8, 2012


I went to a government website that automatically told me that I wasn't infected, but also said that it might be a false positive. The manual instructions told me to use ipconfig, which revealed that my DNS server connection is handled router-side, and therefore, that I might still be infected. Being unable to find my router's manual in order to access its settings, I looked up the instructions online and finally discovered that I was not infected.

I am not among the hapless masses who would have given up partway through. I feel good about myself.
posted by BiggerJ at 12:37 AM on July 8, 2012


If the authorities now running the network have the ability to re-route traffic, why not re-route everyone to a page announcing that they have the virus and providing the link to fix it?
posted by Mokusatsu at 1:23 AM on July 8, 2012


Like a million web browsers crying out, and then... silence...
posted by kaibutsu at 3:46 AM on July 8, 2012


Oh and your linked article misspelled "Web site". Hardly an authority.

The world does not live or die according to the NYT style guide. If it did, for example, we'd all be spelling "website" the way you do, instead of the way that the rest of the web has been spelling it since 1996.
posted by lodurr at 4:51 AM on July 8, 2012


So mac users are still smug eh?
Probably, but they shouldn't be.
posted by Chocolate Pickle at 6:15 PM on July 7 [3 favorites]


Macs have had three or four incidents since January of this year. Windows had 1,017,208 new malware attacks in the first half of 2010 alone.
posted by Gungho at 5:20 AM on July 8, 2012 [1 favorite]


I am trying to think of another piece of technology introduced to the masses that is so complicated and so vulnerable to attack. Sure early cars were finicky and required the ability to master the basics of running and maintaining the equipment but they weren't easily disabled or even ruined by random strangers for no reason.
posted by Secret Life of Gravy at 6:43 AM on July 8, 2012 [1 favorite]


Most people don't have a clue how the engine in their car works, and it's equally vulnerable to being attacked. It's just hard to do it as effectively and anonymously as a poison pill over the internet.
posted by crunchland at 7:13 AM on July 8, 2012


Of course most people don't know how their car works but other than filling it with gas and pushing a few buttons and depressing the gas pedal you don't need to know how your car (TV, lawn mower, air conditioner, refrigerator) works. We are not at that level of user-friendly computers yet and I question that we will ever be.

And yes, I did think about strangers filling your car's gas tank with sugar or swiping your distributor cap but one bad guy can't disable tens of thousands of cars just for fun. Plus you can lock your car up in a garage and keep it safe in between drives but keeping your computer safe requires more effort and more knowledge.
posted by Secret Life of Gravy at 7:43 AM on July 8, 2012



I think it's a tragedy that 100's of thousands of people who have not installed any patches or security updates to windows over the last several years will have their ability to connect to the internet impaired until someone knowledgeable does maintenance on them. Their contributions will be sorely missed.

God forbid someone who has lived most of their life without bothering with computers, a writer, a woodworker, a classical musician or a traditional farmer might have something worthwhile to say. I'm so disappointed so many people marked that as a favourite.
posted by ersatz at 8:25 AM on July 8, 2012 [2 favorites]


Connecting to other computers by IP address (rather than domain name) will still work, if I'm not mistaken. That won't help most people, but perhaps one might work around the problem by using a proxy?

In situations like this, I fall back on what I call "DNS-over-Pete". I phone up my friend Pete and ask him to ping the host I'm interested in and tell me the IP.
posted by heathkit at 8:36 AM on July 8, 2012 [1 favorite]


Pro-tip: Google runs public-facing DNS servers at 8.8.8.8 and 8.8.4.4

Easy to remember if you want to ping something on the public internet without doing a DNS lookup, or to use as a DNS server if something is wonky with your ISP's servers.
posted by jcreigh at 9:22 AM on July 8, 2012 [4 favorites]


If the authorities now running the network have the ability to re-route traffic, why not re-route everyone to a page announcing that they have the virus and providing the link to fix it?

It's kind of like living before the time of antibiotics and not wanting to run up and vigorously shake the hand of every leper you meet. You don't know where else they've been.

Actually, that's a pretty good question.
posted by Blazecock Pileon at 2:02 PM on July 8, 2012


Errr... so what does it mean that www.dns-ok.us is coming up "server not found" for me, but downforeveryoneorjustme.com reports it as up, BUT the other detection sites listed at http://www.dcwg.org/detect/ show me as unaffected by DNSChanger, and the dns servers listed for my computer and my router are not on the list of malicious servers?

Am I OK? Why can't I reach www.dns-ok.us?
posted by Reverend John at 10:25 PM on July 8, 2012
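The check BiggerJ and Reverend John describe above (read the resolver addresses off the machine, then compare them, and the router's, against the published list of rogue servers) written out as a script. This is an added example and not code from the thread, the DCWG or the FBI; the two CIDR ranges it uses are constructed placeholders (RFC 5737 test networks) standing in for the published rogue-server list, which the thread mentions but does not reproduce, and the `ipconfig /all` and `resolv.conf` text is constructed sample input. It handles the case both posters hit: a machine whose only resolver is its own router comes back as "check-router" rather than "clean", because the router's upstream resolvers still need the same comparison.

```python
import ipaddress
import re

# Constructed placeholders standing in for the published rogue resolver ranges
# (the thread refers to "the list of malicious servers" but does not list it).
# Replace with the real published list before relying on the result.
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),     # RFC 5737 TEST-NET-1, placeholder
    ipaddress.ip_network("198.51.100.0/24"),  # RFC 5737 TEST-NET-2, placeholder
]

# Constructed sample of `ipconfig /all` output: the first resolver sits in a
# placeholder rogue range, the second is the router on the local network.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.0.2.77
                                       192.168.1.1
"""

# Constructed sample /etc/resolv.conf pointing at the public resolvers
# jcreigh mentions in the thread.
SAMPLE_RESOLV_CONF = """\
# written by hand for this example
nameserver 8.8.8.8
nameserver 8.8.4.4
search home
"""

DNS_LINE = re.compile(r"\s*DNS Servers[ .]*:\s*(\S+)")
IPV4_ONLY = re.compile(r"^\s+(\d{1,3}\.){3}\d{1,3}\s*$")


def dns_servers_from_ipconfig(text):
    """Pull the resolver list out of `ipconfig /all` output.

    Windows prints the first server on the 'DNS Servers' line and any further
    servers on continuation lines holding only an address (IPv4 handled here).
    """
    servers = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = DNS_LINE.match(lines[i])
        i += 1
        if not m:
            continue
        servers.append(m.group(1))
        while i < len(lines) and IPV4_ONLY.match(lines[i]):
            servers.append(lines[i].strip())
            i += 1
    return servers


def dns_servers_from_resolv_conf(text):
    """Pull nameserver entries out of a Unix-style resolv.conf."""
    return [
        parts[1]
        for parts in (line.split() for line in text.splitlines())
        if len(parts) >= 2 and parts[0] == "nameserver"
    ]


def classify_resolvers(servers, rogue_ranges=ROGUE_RESOLVER_RANGES):
    """Map each resolver to 'rogue', 'private', 'public' or 'invalid'.

    The rogue check runs first so a rogue address is never masked by the
    private-range check; 'private' is the usual case of pointing at the router.
    """
    verdicts = {}
    for server in servers:
        try:
            addr = ipaddress.ip_address(server.split("%")[0])  # drop IPv6 zone id
        except ValueError:
            verdicts[server] = "invalid"
            continue
        if any(addr in net for net in rogue_ranges):
            verdicts[server] = "rogue"
        elif addr.is_private or addr.is_loopback or addr.is_link_local:
            verdicts[server] = "private"
        else:
            verdicts[server] = "public"
    return verdicts


def summary(verdicts):
    """Reduce per-resolver verdicts to 'rogue', 'check-router' or 'clean'."""
    values = set(verdicts.values())
    if "rogue" in values:
        return "rogue"
    if "private" in values:
        return "check-router"  # the router's upstream resolvers need the same check
    return "clean"


if __name__ == "__main__":
    for label, servers in (
        ("ipconfig sample", dns_servers_from_ipconfig(SAMPLE_IPCONFIG)),
        ("resolv.conf sample", dns_servers_from_resolv_conf(SAMPLE_RESOLV_CONF)),
    ):
        verdicts = classify_resolvers(servers)
        print(label, verdicts, "->", summary(verdicts))
```

To run it against a real machine, paste the actual `ipconfig /all` output (or the contents of `/etc/resolv.conf`) into the sample strings and swap the placeholder ranges for the published list; the router's own DNS settings, read from its admin page, go through `classify_resolvers` the same way.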


Eh, guess I'd already be screwed actually!

Freaked me out for a minute there, though.
posted by Reverend John at 10:48 PM on July 8, 2012


www.dns-ok.us was down about an hour or two ago on my partner's machine.
Seems to be working now, for me.

Of course, in a whim I tried dns-changer.eu
and my "DNS Settings are manipulated!"
but the AU.gov website says "This temporary solution was switched off at 2pm AEST on 9 July 2012".

So, these tools are... not reliable.
posted by Mezentian at 11:57 PM on July 8, 2012


DNSChanger apocalypse: Like Y2K, but even snoozier : "We haven't seen a single report" of someone losing Internet access, said Johannes Ullrich, chief research officer at the SANS Institute. "It's all hype. There's really nothing happening."
posted by crunchland at 12:35 PM on July 9, 2012


Just to clarify my snarky comment here, the "contributions" I was referring to were the "contributions" that their unprotected, infected computers were making to various botnets and malware out there. It seems a few people assumed I was referring to their potential creative contributions. I feel that those "contributions" are the responsibility of the owner of the computer and my understanding is by simply having automatic updates turned on for Windows, this problem would not have affected you, so I hardly think that "not being a computer expert" is an excuse. If you have a car on the road and you don't maintain it, you're still liable if it loses a wheel and damages someone else's car. "I'm not a mechanic" is not an excuse. When the DNS servers turn off, they will be forced to have their computer serviced so that it is fit to be on the internet.
posted by WaylandSmith at 4:06 PM on July 9, 2012


ArkhanJG: "lion ended rosetta support, i.e. any apps with ppc code still in them (such as CS5 photoshop and fireworks did when lion came out) stopped working."

I'm running Lion. Photoshop CS4 works fine. I don't know what you are talking about unless you meant to say CS3 or something?
posted by caution live frogs at 9:57 AM on July 11, 2012

