NEWS FROM THE LAB - Monday, July 2, 2012

Should the FBI be reauthorized to continue DNSChanger servers? Posted by Sean @ 14:01 GMT

The latest DNSChanger deadline is rapidly approaching: July 9th. (The previous deadline was March 8th.) Just one week to go!

What's DNSChanger?

DNSChanger is an ad-fraud botnet that the F.B.I. and Estonian authorities busted late last year in Operation Ghost Click.

Operation Ghost Click?

"Click" as in click-fraud. Pointing victims' DNS settings at the gang's own rogue resolvers let them answer lookups with addresses of their choosing, which put them in a man-in-the-middle position to inject or swap ads on the pages victims visited.

Man-in-the-middle ad injections? How did that benefit the bad guys?

Well, back around 2006, ad-fraud schemes used "click-bots" and when the issue started getting media attention… advertisers started complaining that Google wasn't doing enough to prevent click-fraud. And they threatened to sue over cost-per-click losses.

So Google put its engineers on the issue, and now scripted click-bots run into significant anti-fraud defenses. Google's automation is far better than the fraudsters'. Bye bye click-bots.

So clever ad-fraudsters need to go "off-script" and get humans involved, hence the ad injection. The infected user isn't forced to click on the injected ad; when they do, the click comes from a real person in a real browser, so in a sense it isn't the kind of "ad-fraud" that Google's automated defenses are built to predict. That man-machine combination (should it be called a cyborg?) is what makes the money.

Very clever.

Yes. Which is possibly one of the reasons the F.B.I. took such an interest. That and the number of infected computers, which at one point, numbered over 500,000.

Wow, that's a lot. How many computers are still infected?

As of June 11th, just over 300,000 unique IP addresses were still being seen by the "temporary" DNS servers.

Here's a breakdown of the top 25 countries (chart not reproduced here):

[Chart: Unique DNSChanger IPs by country, June 11. Source: Top DNS Changer Infections by Country]

So what is the July 9th deadline all about?

Back in March, the U.S. District Court for the Southern District of New York extended the authorization for the substitute "temporary" clean DNS servers. If the authorization isn't extended yet again, those DNS servers will have to be shut down.

What will happen then?

At that point, all of the affected computers will be cut off from DNS services. The computers will still be connected to the Internet, but they will be configured with resolvers that no longer answer, so they will have no "address book" with which to locate Internet resources.

Address book?

DNS servers convert host names such as google.com into IP addresses such as

Without DNS, you need to know the numeric address?


Sounds like it would be a real mess if the substitute servers are turned off. Do you think the court will re-authorize them?

Yes. But… should they?

Shouldn't they?

In six months, less than half of all the infected computers have been fixed. For just how long should the F.B.I. continue enabling these zombie computers? Sure, cutting off the DNS servers will cause some pain, but it just might be the fastest way to cure the remaining infections at this point. And to be frank, sooner is better because these computers are vulnerable to other infections as long as they remain bots.

Take this poll: should the F.B.I. be reauthorized to continue past July 9th?

Check your computer at: http://www.dcwg.org/detect/
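The DCWG page checks what this post calls the "address book" setting: whether the machine's configured DNS servers fall inside the address ranges the gang used for its rogue resolvers (the ranges the substitute servers have been answering for). The script below is an added illustration of that check, not code from F-Secure or from the DCWG. It assumes resolver configuration in Unix resolv.conf form or in English-language Windows `ipconfig /all` form, and it assumes the rogue ranges as published in the FBI's DNSChanger advisory, which this page does not list; those constants are quoted from memory and should be confirmed against the FBI/DCWG material before being relied on. The sample configurations are constructed, not captured from real machines.

```python
import ipaddress
import re

# Rogue resolver ranges from the FBI's DNSChanger advisory, quoted from memory.
# They are NOT listed on this page; confirm against the FBI / DCWG material
# before relying on them.
ROGUE_DNS_RANGES = [
    ipaddress.ip_network(cidr)
    for cidr in (
        "85.255.112.0/20",    # 85.255.112.0  - 85.255.127.255
        "67.210.0.0/20",      # 67.210.0.0    - 67.210.15.255
        "93.188.160.0/21",    # 93.188.160.0  - 93.188.167.255
        "77.67.83.0/24",      # 77.67.83.0    - 77.67.83.255
        "213.109.64.0/20",    # 213.109.64.0  - 213.109.79.255
        "64.28.176.0/20",     # 64.28.176.0   - 64.28.191.255
    )
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_dns_servers(config_text):
    """Return the DNS server addresses configured in resolver config text.

    Understands two formats: Unix resolv.conf 'nameserver' lines, and the
    'DNS Servers' field of English-language Windows 'ipconfig /all' output,
    whose additional servers appear on indented continuation lines that
    contain no ':'. Comment lines are skipped; addresses come back in the
    order found, deduplicated, with malformed dotted quads dropped.
    """
    servers = []
    capture = False
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith(("#", ";")):
            continue
        if stripped.startswith("nameserver") or stripped.startswith("DNS Servers"):
            capture = True
        elif capture and (":" in stripped or not stripped):
            capture = False  # next ipconfig field or a blank line ends the block
        if not capture:
            continue
        for candidate in IPV4_RE.findall(stripped):
            try:
                ipaddress.IPv4Address(candidate)  # rejects e.g. 999.1.1.1
            except ValueError:
                continue
            if candidate not in servers:
                servers.append(candidate)
    return servers


def is_rogue(address):
    """True if the address falls inside one of the rogue resolver ranges."""
    ip = ipaddress.IPv4Address(address)
    return any(ip in net for net in ROGUE_DNS_RANGES)


def rogue_servers(config_text):
    """The configured DNS servers that sit in the rogue ranges."""
    return [s for s in extract_dns_servers(config_text) if is_rogue(s)]


# Constructed sample inputs (not captured from real machines).
SAMPLE_RESOLV_CONF = """\
# constructed sample resolv.conf
nameserver 192.168.1.1
nameserver 85.255.112.34
search example.test
"""

SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.50
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 213.109.66.7
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for name, text in (("resolv.conf", SAMPLE_RESOLV_CONF), ("ipconfig", SAMPLE_IPCONFIG)):
        found = extract_dns_servers(text)
        bad = rogue_servers(text)
        print(f"{name}: configured {found}; in rogue ranges {bad}")
```

A clean result from this check is not proof the machine is unaffected: the first sample lists the home router (192.168.1.1) as its resolver, and a router that has itself been repointed at the rogue ranges forwards every lookup there while the PC's own settings look normal. Where the machine's only resolver is a private-network address, the router's DNS settings need the same check.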