Internet blackout for thousands coming Monday?



NEW YORK (CNNMoney) -- Hundreds of thousands of Internet users whose computers are infected with a particularly nasty virus will be unable to access the Web starting on Monday.

The Federal Bureau of Investigation will shut down Internet servers that it temporarily set up to support those affected by malicious software, called DNSChanger. Turning off those servers will knock all those still infected offline.

Over the past five years, a group of six Estonian cybercriminals infected about 4 million computers around the world with DNSChanger. The malware redirected infected users' Web searches to spoofed sites with malicious advertisements.

In November 2011, the FBI and some overseas partners arrested those responsible, commandeered their servers, and attempted to warn those affected to get rid of the virus.

The FBI did not immediately take down the rogue servers, as infected computers would have lost Internet access, an FBI spokesman said.

To remedy the problem, the FBI had the nonprofit Internet Systems Consortium set up temporary servers. That way, computer owners would have time to get rid of their malware.

The servers were supposed to be shut down in March, but hundreds of thousands remained infected. Nearly 304,000 computers worldwide (about 70,000 in the United States) still had the virus in mid-June, according to the FBI's latest report. That's a large number, but it's a very small subset of the 1.6 billion PCs worldwide, of which an estimated 339 million are in the United States.

Still, the FBI decided to give people even more time to check for the malware, extending the deadline until July. The agency now says the time has come to cut the cord, and the emergency servers will be shut down on Monday, July 9th.

source

Like I said before, if you have a Cloudflare-powered site, please install the DNS warning app.

They should have shut them down day one..

Here's the thing: if they are really that worried, why don't they just have the temp servers they put up direct people to a site that says HEY You're infected dumbass!!

I am sure they learned a lot about the infected when they brought up the temp servers, but all this hype seems a bit much. If users are hitting you for dns, you can direct them anywhere you want - no matter what they query. They should have done it months and months ago..

This is a bunch of hype about a bunch of idiots in the first place, prob a good thing if these people were off the net for good anyway ;)

They should of shut them down day one..

Heres the thing if they are really that worried, why don't they they just have their temp severs they put up just direct people to a site that says HEY Your infected dumbass!!

I am sure they learned alot about the infected when they brought up the temp servers, but all this hype seems a bit much. If users are hitting your for dns, you can direct them anywhere you want - no matter what they query. They should of done that months and months ago..

This is a bunch of hype about a bunch of idiots in the first place, prob a good thing if these people were off the net for good anyway ;)

sorry but this really bothered me:

should have

a lot

They should of shut them down day one..

Heres the thing if they are really that worried, why don't they they just have their temp severs they put up just direct people to a site that says HEY Your infected dumbass!!

I am sure they learned alot about the infected when they brought up the temp servers, but all this hype seems a bit much. If users are hitting your for dns, you can direct them anywhere you want - no matter what they query. They should of done that months and months ago..

This is a bunch of hype about a bunch of idiots in the first place, prob a good thing if these people were off the net for good anyway ;)

Now BudMan, you know if that happened the internet would shrink from its current user base to around 200-300k people. Then we would not have such things as zombo.com etc. :p

... but DNSSEC Test is giving me a red X. :(

You've been a naughty boy.

For additional information regarding the DNS changer malware, please visit the FBI's website at:

http://www.fbi.gov/n.../malware_110911

ME:

DNS Changer Check-Up

DNS Resolution = GREEN

Your computer appears to be looking up IP addresses correctly!

Why not have the servers redirect you to a site telling you that you have the virus and that you need to clear it out?

"but DNSSEC Test is giving me a red X"

That doesn't mean you're infected - my bad for not making that clear.

DNSSEC is a way to validate that you're actually talking to the owning server and that the records you're getting are valid. It would have told you right away that something was up if you had been pointed to some other DNS that was returning bad info, provided the domain you were trying to go to was DNSSEC enabled. For example, Neowin does not have it enabled - a simple dig to a domain can grab their key:

dig +dnssec domain dnskey

So it wouldn't have done much good if they were misdirected, etc. But other domains like isc.org are:

; <<>> DiG 9.9.1-P1 <<>> +dnssec isc.org dnskey
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48102
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4000
;; QUESTION SECTION:
;isc.org.					   IN	  DNSKEY

;; ANSWER SECTION:
isc.org.   770   IN   DNSKEY   256 3 5 BQEAAAAB2F1v2HWzCCE9vNsKfk0K8vd4EBwizNT9KO6WYXj0oxEL4eOJ aXbax/BzPFx+3qO8B8pu8E/JjkWH0oaYz4guUyTVmT5Eelg44Vb1kssy q8W27oQ+9qNiP8Jv6zdOj0uCB/N0fxfVL3371xbednFqoECfSFDZa6Hw jU1qzveSsW0=
isc.org.   770   IN   DNSKEY   257 3 5 BEAAAAOhHQDBrhQbtphgq2wQUpEQ5t4DtUHxoMVFu2hWLDMvoOMRXjGr hhCeFvAZih7yJHf8ZGfW6hd38hXG/xylYCO6Krpbdojwx8YMXLA5/kA+ u50WIL8ZR1R6KTbsYVMf/Qx5RiNbPClw+vT+U8eXEJmO20jIS1ULgqy3 47cBB1zMnnz/4LJpA0da9CbKj3A254T515sNIMcwsB8/2+2E63/zZrQz Bkj0BrN/9Bexjpiks3jRhZatEsXn3dTy47R09Uix5WcJt+xzqZ7+ysyL KOOedS39Z7SDmsn2eA0FKtQpwA6LXeG2w+jxmw3oA8lVUgEf/rzeC/bB yBNsO70aEFTd
isc.org.   770   IN   RRSIG    DNSKEY 5 2 7200 20120801230125 20120702230125 4442 isc.org. smgvLPkUP2wVdsHUirDUOuNqCPEAVzxRpNT6p6T14LhJokYlTl2zBbaa 4igyDfcNAhpUn747cm95PFt4wrkGXi/ZJ9D1XeQXQ4S56eEhnj3LUt4l MC6aU5GrDhUa5kH7ef2HYSmGM+0oajQZtop7xPjHJ4Mkzsb7FhVcknUa JZk=
isc.org.   770   IN   RRSIG    DNSKEY 5 2 7200 20120801230125 20120702230125 12892 isc.org. nobtYkqQ/Hw9VqY6SpoogTpyBfd715onQw4TzYz3vv9m8UDLUSjxULTx rUHPVtz0Ikgaw+RgzrBxftLsowxvM0ilDyGrFkg3OyW8zquG5jFnNJla iuuU9ysJnrPJ05xmmvWh/k9MwBzBNwq/Xu3wSPLG+uTSAp26bztxeMV9 r3i/W6qBPoxiAo5D51k6W4OPfcrZqjRfi51RDqncwHXSl4OOeKC5JF8m 7f5rxkrZNB+1VCaBxCqBcPOJ/ZJNQWwAw7uWZCOwZ9uODsCQ6avooG1Q iOrEsxhcb1x4t9NXSUDhNUzuDGsI90pPvnnGi9Sgq7IeoEoZ0yNr2Vvw nvi8Mw==

;; Query time: 21 msec
;; SERVER: 192.168.1.253#53(192.168.1.253)
;; WHEN: Sun Jul 08 09:17:13 2012
;; MSG SIZE  rcvd: 925

More domains really need to start using this, but like IPv6 you have a carriage-before-the-horse sort of deal. If the clients are not checking, there is no point in having it enabled; if domains are not using it, there is no real reason to be checking it ;) I would hit your ISP up on it if that is the DNS you use.

http://en.wikipedia....rity_Extensions

DNSSEC was designed to protect Internet resolvers (clients) from forged DNS data, such as that created by DNS cache poisoning. All answers in DNSSEC are digitally signed. By checking the digital signature, a DNS resolver is able to check if the information is identical (correct and complete) to the information on the authoritative DNS server.

There should be no reason why you're not able to do DNSSEC now, unless your ISP is behind the times. You can contact your ISP about it, you can use a different DNS (Google DNS, OpenDNS, etc.) or just run your own DNS so that you can use DNSSEC.

The testresult is a green tick; what does that mean?

The green tick is good. It means that the DNS server your computer uses actively supports the DNSSEC Protocol. So you are better protected against abuse of the DNS Protocol.

I see a red cross; what's that all about?

A red cross means that you aren't benefiting from the added security offered by DNSSEC. Compared with someone whose set-up is DNSSEC-enabled, you are more vulnerable to abuse of the DNS.

What can I do if I want to benefit from the added security that DNSSEC offers?

That depends on the way you use the DNS. Many internet users rely on the DNS service provided by their Internet Service Providers (ISPs). If that's the case with you, you need your ISP to activate DNSSEC. You may wish to contact your ISP about it. However, it could be that the reason you aren't benefiting from DNSSEC is that there is a modem or router between your computer and the DNS server(s) you use, which does not understand DNSSEC. In that case, you may have to upgrade the firmware on your modem or router. More advanced users may decide to configure DNS servers that support DNSSEC, or even run their own DNS server that supports DNSSEC (a so called validating resolver). If you did the test in a business environment, you may wish to contact your IT department. However, be ready for the possibility that your IT colleagues aren't immediately able to help you - not very many people are familiar with DNSSEC yet.
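The DNSSEC check-up sites discussed above, and `dig +dnssec`, both come down to one wire-level detail: the query carries an EDNS0 OPT record with the DO bit set, and a validating resolver answers with the AD flag set (the "flags: qr rd ra ad" line in the dig output earlier in this thread). The following is an added example, not code from the thread or from any test site, that builds such a query with only the Python standard library and classifies a reply from its header flags. The function names are this example's own, the three sample replies are constructed in place so the script runs offline, and `query_resolver` (which needs network access) is shown with a placeholder resolver address.

```python
"""Added example: build a DNSSEC-OK (DO=1) query like `dig +dnssec` and read
the AD flag from the reply.  Sample replies are constructed, not captured."""
import socket
import struct

TYPE_DNSKEY = 48
TYPE_OPT = 41
EDNS_DO = 0x8000  # DNSSEC OK bit: top bit of the OPT record's "TTL" field

FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD, FLAG_CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010


def build_dnssec_query(name, qtype=TYPE_DNSKEY, txid=0x1234, udp_size=4096):
    """Return a DNS query for name/qtype with an OPT record whose DO bit is set."""
    # Header: id, flags (RD only), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT pseudo-RR (RFC 6891): root name, type 41, CLASS = our UDP payload size,
    # TTL = ext-rcode | version | flags (DO), RDLENGTH = 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, EDNS_DO, 0)
    return header + question + opt


def do_bit_set(packet):
    """True if the trailing OPT record in `packet` asks for DNSSEC records (DO=1)."""
    if len(packet) < 11:
        return False
    name, rtype, _udp, ttl, _rdlen = struct.unpack("!BHHIH", packet[-11:])
    return name == 0 and rtype == TYPE_OPT and bool(ttl & EDNS_DO)


def parse_flags(reply):
    """Decode the 12-byte header of a DNS message into its flag bits and counts."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),  # resolver validated the signature chain
        "cd": bool(flags & FLAG_CD),  # client asked the resolver not to validate
        "rcode": flags & 0x000F,
        "answers": an,
    }


def classify(reply):
    """Summarise what the reply says about the resolver's DNSSEC handling."""
    f = parse_flags(reply)
    if not f["qr"]:
        return "not-a-reply"
    if f["rcode"] == 2:
        # A validating resolver that cannot verify the signatures answers SERVFAIL
        # rather than hand out data it considers bogus.
        return "servfail"
    if f["ad"]:
        return "validated"   # resolver checked the RRSIG chain up to the root
    return "unvalidated"     # an answer came back, but nothing vouches for it


def constructed_reply(query_pkt, flags):
    """Constructed sample reply: the query echoed back with new header flags, no RRs."""
    txid = struct.unpack("!H", query_pkt[:2])[0]
    return struct.pack("!HH", txid, flags) + query_pkt[4:]


# Constructed samples mirroring the three outcomes a tester can see.
QUERY = build_dnssec_query("isc.org")
REPLY_VALIDATED = constructed_reply(QUERY, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD)  # "qr rd ra ad"
REPLY_PLAIN = constructed_reply(QUERY, FLAG_QR | FLAG_RD | FLAG_RA)                # no AD bit
REPLY_BOGUS = constructed_reply(QUERY, FLAG_QR | FLAG_RD | FLAG_RA | 2)            # SERVFAIL


def query_resolver(server, name, qtype=TYPE_DNSKEY, timeout=3.0):
    """Send the query over UDP to a live resolver and return the raw reply (network)."""
    pkt = build_dnssec_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, 53))
        reply, _ = s.recvfrom(4096)
    return reply


if __name__ == "__main__":
    for label, r in (("validated", REPLY_VALIDATED), ("plain", REPLY_PLAIN), ("bogus", REPLY_BOGUS)):
        print(label, parse_flags(r), "->", classify(r))
    # Against your own resolver (placeholder address; needs network access):
    # print(classify(query_resolver("192.0.2.53", "isc.org")))
```

The AD bit only reports that the resolver you asked did the validation; a stub resolver that trusts whatever flags come back is still at the mercy of the path to that resolver. That is exactly the DNSChanger situation: a machine pointed at a rogue resolver sees whatever that resolver chooses to send, so the flag is meaningful only when the resolver itself is trusted or the client validates the RRSIG chain itself (setting CD and checking signatures locally).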

There should be no reason why your not able to do dnssec now, unless ISP is behind the times. You can contact your ISP about it, you can use a different dns (googledns, opendns, etc) or just run your own dns so that you can use dnssec.

Nice writeup -- just a minor clarification, OpenDNS went with DNSCurve instead of DNSSEC. No idea on the technicalities of one being better than the other.. was curious as I use OpenDNS myself.

http://blog.opendns....endns-dnscurve/

DNSCurve is hop-to-hop and, yes, can be used for validation of the hops, and also actual encryption of the transaction. DNSSEC is full path, end-to-end, and verifies that the data you got is the same as what is on the authoritative server for that domain.

They are similar in that they are working on securing DNS, but not equal - not sure what OpenDNS was thinking other than getting their users to run some client that only goes to them for DNS ;) I really don't see a need for encryption of the actual transaction. But I can see verification of said data as a big concern.

You could use DNSCurve hand in hand with DNSSEC. For example, you can use DNSCurve to your resolver (your ISP, for example) and then use DNSSEC to validate that your data is legit. At some point your ISP's DNS is talking to the root servers, and I highly doubt DNSCurve is going to get deployed to the roots. But DNSSEC already is - back in May of 2010:

http://www.root-dnssec.org/

Just do a dig +dnssec for any of the root zones org, com, net, etc.

As to opendns not using dnssec - on their blog entry about turning on dnscurve.

Editor's note: Our support for DNSCurve doesn't prevent our adoption of DNSSEC - they are not mutually exclusive. While we have reservations about DNSSEC, we can and will implement it when we see more demand and traction, but in the meantime, when we see a viable technology that can be quickly implemented to improve security for DNS users, that's a no-brainer in our book.

As I said before, it's a horse/carriage, chicken/egg thing - why implement when there are no users, why should a user use it if no one has it implemented ;)

So while DNSCurve secures your info to OpenDNS, it does not really validate the data you're getting from OpenDNS - only that you're getting it from OpenDNS ;)

The news of this DNS changer thing, which went on way too long, hitting the mainstream can and should be used by users to push their ISPs to make DNS more secure. More and more queries for DNSSEC, and then more and more domains will start using it.

I think Neowin should set the shining example and sign their domain - they run their own DNS. It's not that difficult to do!

This could get them started

https://www.dnssec-tools.org/wiki/index.php/Sign_Your_Zone

I'm quite surprised they didn't do some sort of injection into the top of pages warning about this. That probably would have gotten people noticing better...
