Orphaned Bots Facing Internet Blackout

DNSChanger botnet takedown poses unique challenges and risks that other botnet overthrows do not


Botnet takedowns typically leave many orphaned bots in their wake: rarely do they leave still-infected machines cut off from the Internet, but that's what is in store for hundreds of thousands of machines that have yet to be cleaned up from the now-defunct DNSChanger botnet.

For now, March 8 is the planned deadline for the FBI to pull the last plug and shut down the temporary DNS servers it set up to prevent a major Internet blackout for what was, at the time, some 4 million infected machines around the globe. As of the last official count, some 450,000 bots are still infected with the now-defunct botnet's malware -- and, according to data from IID, they include machines at half of the Fortune 500 and at major U.S. federal government agencies.

Knocking enterprise, government, and consumer machines offline was an unprecedented consequence of taking down the DNSChanger botnet, whose malware rewrote the DNS resolver settings on victims' computers and routers so that their lookups went to rogue servers, which then redirected them to malicious websites. The FBI, which headed up the "Operation Ghost Click" case against the botnet and its operators, tried to cushion the effect by swapping out the malicious DNS servers for temporary legitimate ones. The plan was to give ISPs 120 days to alert their customers about infected machines and to help with the cleanup effort. The Internet Systems Consortium (ISC) has been running the "clean" DNS servers in the meantime.

But with the March 8 deadline looming for those servers to be disabled and nearly half a million machines still infected, security experts worry about the inevitable blackout for those victims. "The whole issue of the culmination of the DNS servers being [disabled] is like pulling off a Band-Aid really slowly. I'd like to see it ripped off even if it hurts because at least the ISPs would immediately [see] any loose change that has to be mitigated instead of this one-sie, two-sie mitigation," says Paul Ferguson, senior threat researcher at Trend Micro, which was part of the Operation Ghost Click team that took down the DNSChanger botnet.

Ferguson says it was really the only way to ease the fallout from the takedown. "This was the right call for a stopgap to keep those machines from going down when they took down this criminal enterprise," Ferguson says. "I would like to see them educate people more than they have on this problem. My fear is that we patch a flat tire without telling them they had a flat tire, and now we're about to rip off the patch."

It most likely will be consumers and small businesses left in the lurch on March 8 -- or later, depending on whether the deadline gets extended, which is under consideration. According to a report today on Krebs On Security, the Department of Justice and NASA have petitioned the U.S. District Court for the Southern District of New York to keep the temporary DNS servers online through July 9 of this year.

Either way, there still will be orphaned bots affected. "They will not be able to resolve any DNS host names ... And the problem is you can't Google for a fix if you can't resolve to Google," says Brian Jacobs, senior product manager for Ipswitch's network management division.

"I suspect the leftovers inundated with the problem will be consumers. Most corporations have some level of due diligence ... it's going to be the consumer who ends up dinged on this," Jacobs says.

The DNSChanger Working Group has information on its website on how to test for and clean your machine of the malware, and ISPs are supposed to be reaching out to their customers. But with hundreds of thousands of machines at last count still infected, many users just either don't know or don't care that they are still bots.

The worry is that the feds didn't educate the public well enough. Trend Micro's Ferguson says that initially there was some discussion of having the FBI push a "you are getting this message because you are infected" page rather than setting up the temporary DNS servers for the bots. But that approach wasn't selected.

Aside from redirecting the victims to the phony DNS servers, DNSChanger malware also attempts to reach devices on a victim's small office or home network running DHCP, such as a home router. If the router was using a default username or password, the malware then changes the router's DNS settings to the rogue ones, which could affect even uninfected computers connected to that network.
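The defender's check implied by the paragraphs above, as an added example that is not from the article or from the DNSChanger Working Group: read a host's configured resolvers from resolv.conf-style text and flag any that fall inside netblocks an incident team has listed as rogue. The CIDR ranges and the sample file are constructed placeholders (IANA test networks), not the real DNSChanger addresses, and the function names are this example's own.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed placeholder ranges standing in for the rogue resolver netblocks an
# incident team would load from an authoritative source; NOT the real DNSChanger ones.
SUSPECT_RESOLVER_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),     # TEST-NET-1 (placeholder)
    ipaddress.ip_network("198.51.100.0/24"),  # TEST-NET-2 (placeholder)
]


def parse_resolvers(resolv_conf: str) -> List[str]:
    """Return the 'nameserver' entries from resolv.conf-style text, ignoring comments."""
    servers = []
    for raw in resolv_conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify_resolvers(servers: Iterable[str],
                       ranges=SUSPECT_RESOLVER_RANGES) -> List[Tuple[str, str]]:
    """Label each resolver 'suspect' (inside a listed range), 'invalid' (unparsable) or 'ok'."""
    results = []
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            results.append((s, "invalid"))
            continue
        hit = any(addr in net for net in ranges)
        results.append((s, "suspect" if hit else "ok"))
    return results


def needs_cleanup(resolv_conf: str) -> bool:
    """True when any configured resolver sits in a suspect range: such a host loses
    name resolution once the rogue servers, or their temporary stand-ins, go dark."""
    return any(label == "suspect"
               for _, label in classify_resolvers(parse_resolvers(resolv_conf)))


# Constructed sample: one resolver inside a placeholder rogue range, one clean.
SAMPLE_RESOLV_CONF = """# Generated by DHCP
nameserver 192.0.2.53
nameserver 203.0.113.1  # constructed clean resolver (TEST-NET-3)
search example.internal
"""

if __name__ == "__main__":
    for server, label in classify_resolvers(parse_resolvers(SAMPLE_RESOLV_CONF)):
        print(f"{server}: {label}")
```

The same classification applies to the DNS fields pulled from a home router's configuration, which is where the malware also rewrites settings when default credentials are in use.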

Assisting the FBI in the DNSChanger takedown were the Estonian Police and Border Guard, the Dutch National Police, and NASA's Office of the Inspector General, and, in the private sector, Georgia Tech University, the Internet Systems Consortium, Mandiant, Spamhaus, Team Cymru, Trend Micro, and the University of Alabama at Birmingham. The private-sector participants also make up part of the DNSChanger Working Group.

[ Security professionals are leery of one-way public-private partnerships, but Operation Ghost Click shows that the model is necessary to take on international threats. See Teaming Up To Take Down Threats. ]

The botnet was used for a click-fraud scheme, which netted the gang behind it more than $14 million. The group allegedly used it to create phony advertising clicks to businesses that paid affiliate fees. Operation Ghost Click resulted in the arrests of six Estonian nationals -- a Russian suspect remains at large.


About the Author

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
