[LINK] itNews: '... DNSChanger shutdown'

Roger Clarke Roger.Clarke at xamax.com.au
Mon Jul 9 09:47:24 AEST 2012

6000 Aussie users caught in DNSChanger shutdown
James Hutchinson
Jul 6, 2012 12:21 PM (2 days ago)

Last-minute rush.

The Australian Communications and Media Authority estimates 6000 
Australian internet users could face disconnection when US 
authorities shut down rogue DNS servers on Monday.

Up to four million users are believed to have been infected at the 
height of the DNSChanger advertising scam, which redirected 
legitimate searches by computer users to malicious sites via rogue 
DNS servers located in Chicago and New York.

The FBI has had temporary control of the servers since raiding the 
Estonian group that allegedly made and distributed the DNSChanger 
malware, gaining a four-month court-ordered extension for the 
arrangement in March.

However, a purported 250,000 machines - including those at more than 
ten percent of Fortune 500 companies - are expected to remain 
infected when the DNS servers are switched off at 2pm AEST on July 9.

Any computer still infected with DNSChanger - and thus trying to 
route all requests through the rogue servers - will not be able to 
connect to the internet.

Bruce Matthews, manager for e-security operations at the ACMA, told 
iTnews that most recent figures estimated 6000 machines remained 
infected in Australia by the malware.

The number is a drop from the 10,000 it estimated in March, as well 
as from the 7500 machines estimated a fortnight ago, when the ACMA 
started a last-ditch effort to identify the remaining infections.

The regulator has worked with ISPs to contact customers, and set up a 
website allowing subscribers to check if they have been infected, but 
is yet to completely solve the issue.

"We're hoping that there will be a rapid upsurge in action to deal 
with those infections before July 9," he said.

"We think there's still time for affected customers to take action - 
it only takes a second to check you're infected."

Telstra has joined some US telcos in implementing a new, temporary 
redirection for its customers in order to provide more time to solve 
the malware issue after Monday.

Experts said they considered the DNSChanger threat to be small 
compared with more-prevalent viruses such as Zeus and SpyEye, which 
infect millions of PCs and are used to commit financial fraud.

"It's a very easy one to fix," said Gunter Ollmann, vice president of 
research for security company Damballa.

"There are plenty of tools available."

However, Internet Systems Consortium founder Paul Vixie - who had 
participated in the US raid on the data centres - warned the 
infection had likely hit modems and routers within homes, as well as 
the computers themselves.

Cases where a modem's DNS settings had changed - believed to affect 
up to a third of all cases - would prove more difficult to remediate, 
and could ultimately require ISPs to "truck-roll" new devices to 
their customers.

With Reuters

Roger Clarke                                 http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Faculty of Law               University of NSW
Visiting Professor in Computer Science    Australian National University
