Welcome Guest | Sign In

DNSChanger: Just a Dress Rehearsal

By John P. Mello Jr. TechNewsWorld ECT News Network
Jul 16, 2012 6:00 AM PT

Despite dire warnings, the Internet didn't break last week when the FBI pulled the plug on the server controlling the DNSChanger botnet.

DNSChanger: Just a Dress Rehearsal

An estimated 300,000 computers are still infected by the malware that ties them to the botnet, which was designed for large-scale click fraud. Those machines' connections to the Internet depended on a server the FBI plugged into the botnet when the agency took down the DNSChanger net last November.

However, the agency didn't have the authority or funds to operate a proxy server for the botnet forever, so last Monday it had flip the off-switch on it.

Contrary to the predictions in the doom-filled reports leading up to the event, the Internet hummed along as usual. There are a few reasons for that. One of the most significant is that ISPs around the world, at the last minute, decided to assume the FBI's role in assuring infected computers could connect to the Net.

"The news made it a PR issue," Sean Sullivan, a researcher with F-Secure Labs, explained to TechNewsWorld. "If they hadn't provided substitute servers, they'd have suffered a black eye for not doing anything about it."

"It's less expensive to set up a DNS server than answer a flood of service calls," added Ira Victor, director of the digital forensics practice with Data Clone Labs and a member of the High Technology Crime Investigation Association.

The impact of the switch-off may have also been muted by liberal estimates of the breadth of the problem. "It's really hard to say how many infected machines were actually online," Brett Stone-Gross, a senior security researcher with Dell SecureWorks, told TechNewsWorld. "They could be sitting in somebody's closet and never used after they were infected."

Moreover, the effect of 300,000 computers on the global Internet is relatively minor, according to Victor. "Even half a million systems infected with a DNSchanger over the billions of devices that are on the Internet is a pretty small number," he told TechNewsWorld.

While the DNSChanger crisis may have had more fizzle than sizzle, there were lessons to be learned from it, Sullivan noted. For one thing, the FBI knows it needs to work with private sector partners, like the ISPs, so it doesn't repeat finding itself solely responsible for someone's Internet connection.

Microsoft Kills Certs, Gadgets

Microsoft revoked 28 certificates used to verify its software and launched a method for disabling gadgets on its Windows desktops last week.

The certificate purge is a continuation of the company's efforts to address security issues raised when security researchers discovered that some of Microsoft's certificates could be used by Flame, an industrial strength malware program, to compromise the Windows update process.

Microsoft is describing the certificate purge as a "pre-emptive cleanup." There's no evidence that the certificates have been abused or compromised, it said.

The move to disable gadgets -- small single-purpose programs that run in the Vista sidebar and Windows 7 desktop -- came just two weeks before a pair of researchers were scheduled to talk about security risks posed by the applications at the Black Hat conference (see calendar) to be held in Las Vegas.

At the Windows website, where until early last week Microsoft touted gadgets, it now warns: "Gadgets installed from untrusted sources can harm your computer and can access your computer's files, show you objectionable content, or change their behavior at any time."

Big Doesn't Mean More Secure

If anything can be taken away from the massive data breach at Yahoo last week, it's that big doesn't necessarily mean better when it comes to online security.

Don't trust companies just because they are large, have free offerings, or have a cool brand, observed Philip Lieberman, CEO of Lieberman Software.

It seems Yahoo took the cheap way out for databases via mySQL (free database) and didn't even bother to encrypt or hash passwords, the cybersecurity expert said.

A group calling itself "D33D" claimed responsibility for clipping 453,000 usernames and passwords from Yahoo and posting them to the hackers' website. Only a small portion of the passwords -- 5 percent -- were connected to active accounts, according to Yahoo.

Breach Diary

  • July 10: Formspring acknowledged that 420,000 password hashes were stolen from a production database when hackers broke into one of its development servers. The service has changed its hashing scheme -- from SHA-256 with random salts to Bcrypt -- and is asking all users to change their passwords.
  • July 11: The Identity Theft Resource Center reported it recorded 213 data breaches during the first half of 2012, with almost two-thirds of them (63.4 percent) containing no reported attributes, a twofold increase over 2011. The trend makes it obvious that with few exceptions, there is minimal transparency when it comes to reporting breaches, the ITRC stated.
  • July 11: A hacker group calling itself "D33D Company" breached Yahoo Contributor Network (formerly Associated Content) and stole somme 453,000 usernames and passwords. Yahoo said that only 5 percent of the purloined passwords were linked to valid accounts.
  • July 12: Android Forums, a website for enthusiasts of Google's mobile operating system, reported that hackers compromised the server hosting the service and accessed its database. The website is asking its some 1 million users to reset their passwords.
  • July 12: Nvidia's developer website was breached and the hashed passwords for some 400,000 accounts may have been compromised. Nvidia has taken the website offline while it investigates the breach.
  • July 13: A Russian developer reveals a hack that allows users to circumvent Apple's in-app purchase program and buy content from within an app without paying.


  • July 19: Five Steps for Compliance, encryption, DLP and Email Security. 9 a.m. - 10:30 a.m., Sheraton Commander Hotel, 16 Garden Street, Cambridge, Mass. Complimentary continental breakfast. Sponsored by WatchGuard.
  • July 19: Securing the Cloud for Your Devices and Applications. 12 noon - 2 p.m., Sheraton Commander Hotel, 16 Garden Street, Cambridge, Mass. Complimentary lunch. Sponsored by WatchGuard.
  • July 19: Endpoint Insecurity: How to Close Ranks Among Your Employees -- and Close the Gaps for Device-Related Data Breaches. 10 a.m. PT. Webcast sponsored by GFI and Dark Reading. Free, with registration.
  • July 21-26: Black Hat Conference/USA. Las Vegas, Nev. Registration: $2,195. Onsite: $2,595.
  • July 24: How to Become a Speaker at RSA 2013. 1 p.m. ET. Webcast, free with registration.

  • July 26-29: Def Con 20. Las Vegas, Nev. Registration: $200.
  • August 20-23: Gartner Catalyst Conference. San Diego, Calif. Early bird price (before June 23): US$1,995. Standard price: $2,295.

  • October 9-11: Crypto Commons. Hilton London Metropole, UK Early bird price (by August 10): pounds 800, plus VAT. Discount registration (by September 12): pounds 900. Standard registration: pounds 1,025.

John Mello is a freelance technology writer and former special correspondent for Government Security News.

Facebook Twitter LinkedIn Google+ RSS
How do you feel about accidents that occur when self-driving vehicles are being tested?
Self-driving vehicles should be banned -- one death is one too many.
Autonomous vehicles could save thousands of lives -- the tests should continue.
Companies with bad safety records should have to stop testing.
Accidents happen -- we should investigate and learn from them.
The tests are pointless -- most people will never trust software and sensors.
Most injuries and fatalities in self-driving auto tests are due to human error.