2012-07-13 20:31 DNSChanger servers down - no biggie says CERT Finland


DNSChanger malware took over hundreds of thousands of machines so that criminals could redirect the victims to fraudulent sites. The malicious DNS servers were taken down, and the FBI was permitted [1] to temporarily host legitimate replacement servers to keep the victim machines working. When the permit expired, hundreds of thousands of machines were still infected and could potentially stop operating properly. Nobody knew exactly how many critical infrastructure services were running on infected machines. While the security community was a bit concerned and the press was predicting doomsday, CERT Finland was not worried. Why was that?

What is DNSChanger?

In case you haven't run into DNSChanger before, it was a piece of malware that changes the host's name server settings so that it uses malicious DNS servers to look up where it should connect. The idea was that the criminals could redirect victims to fraudulent sites as they pleased. Luckily, the malicious servers were taken down. The bad news was that with the malicious servers unavailable, infected machines would fail to resolve names and stop working. The temporary solution was to let the FBI take over and run replacement servers so that infected hosts could be disinfected. The final deadline was 2012-07-09, after which supposedly some minor things like the Doom of the Internet could occur. Well, the Internet survived again, so we can get back to the original topic.
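A defender's check for the setting DNSChanger tampers with, as an added example that is not from the original post: parse a resolv.conf-style resolver list and flag any configured name server that falls inside a rogue-resolver range. The ranges, the sample file contents and the function names are constructed placeholders; a real check would load the published list of rogue networks, which this post does not reproduce.

```python
import ipaddress

# CONSTRUCTED placeholder ranges standing in for the published list of rogue
# resolver networks (the post gives no addresses); swap in the real feed.
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),  # TEST-NET-2, placeholder
    ipaddress.ip_network("203.0.113.0/24"),   # TEST-NET-3, placeholder
]

def parse_nameservers(resolv_conf_text):
    """Return resolver addresses from resolv.conf-style text; skip comments, other directives, bad literals."""
    servers = []
    for line in resolv_conf_text.splitlines():
        # strip trailing comments (resolv.conf allows '#' and ';')
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2 or parts[0] != "nameserver":
            continue
        try:
            servers.append(ipaddress.ip_address(parts[1]))
        except ValueError:
            continue  # not an IP literal; ignore
    return servers

def find_rogue_resolvers(resolv_conf_text, rogue_ranges=ROGUE_RESOLVER_RANGES):
    """Return [(address, network)] for every resolver inside a rogue range."""
    hits = []
    for addr in parse_nameservers(resolv_conf_text):
        for net in rogue_ranges:
            if addr in net:  # False when IP versions differ
                hits.append((str(addr), str(net)))
                break
    return hits

# Constructed sample: one clean resolver, one inside a placeholder rogue range,
# plus an IPv6 resolver and a malformed line to show they are handled.
SAMPLE_RESOLV_CONF = """# Generated by the network manager
search example.invalid
nameserver 192.0.2.53     # clean (placeholder)
nameserver 198.51.100.7   # inside the placeholder rogue range
nameserver 2001:db8::53
nameserver not-an-address
"""

if __name__ == "__main__":
    for addr, net in find_rogue_resolvers(SAMPLE_RESOLV_CONF):
        print(f"resolver {addr} falls inside rogue range {net}")
```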

Global Situation when FBI Lost its Permit

So, how did the cleanup go? Here is the data:


So after several years' time to clean up infected machines, DNSChanger was still present on hundreds of thousands of computers. Over that time, the number of infected machines was cut in half.

Zeroing in to Finland

CERT Finland on DNSChanger's national impact:

Over time, infections declined from the initial 300 to a pitiful approximately 20 (source). On top of that, CERT Finland could say with fair confidence: ''Shutting down the DNSChanger name servers might be a problem - but not in Finland''. So compared to the global drop to approximately 50%, I'd say the Finns did a pretty good job with their drop to approximately 7% of the initial numbers. They've totally deserved their stickers:


But that was not my main point. The main points are:

All because of a systematic approach to collecting and forwarding abuse information from the ones who know to the ones who need to know.

If you are a national actor tasked with protecting your national critical infrastructure or citizens, a good place to start is to ask yourself these questions:

If the answers to all of those are currently no, don't worry. CERT Finland, being the first, has been building the capability since 2006. Nowadays there are tools and services available from yours truly to get you started in a few months. Just mail contact@clarifiednetworks.com or jani@clarifiednetworks.com and we'll show you how.

-- jani 2012-07-13 20:29:10


  1. With the help of the DNS Changer Working Group.