DNSChanger: Just a Dress Rehearsal

Despite dire warnings, the Internet didn’t break last week when the FBI pulled the plug on the server controlling the DNSChanger botnet.

An estimated 300,000 computers are still infected by the malware that ties them to the botnet, which was designed for large-scale click fraud. Those machines’ connections to the Internet depended on a server the FBI plugged into the botnet when the agency took down the DNSChanger net last November.

However, the agency didn’t have the authority or funds to operate a proxy server for the botnet forever, so last Monday it had to flip the off-switch on it.

Contrary to the predictions in the doom-filled reports leading up to the event, the Internet hummed along as usual. There are a few reasons for that. One of the most significant is that ISPs around the world, at the last minute, decided to assume the FBI’s role in ensuring that infected computers could still connect to the Net.

“The news made it a PR issue,” Sean Sullivan, a researcher with F-Secure Labs, explained to TechNewsWorld. “If they hadn’t provided substitute servers, they’d have suffered a black eye for not doing anything about it.”

“It’s less expensive to set up a DNS server than answer a flood of service calls,” added Ira Victor, director of the digital forensics practice with Data Clone Labs and a member of the High Technology Crime Investigation Association.

The impact of the switch-off may have also been muted by liberal estimates of the breadth of the problem. “It’s really hard to say how many infected machines were actually online,” Brett Stone-Gross, a senior security researcher with Dell SecureWorks, told TechNewsWorld. “They could be sitting in somebody’s closet and never used after they were infected.”

Moreover, the effect of 300,000 computers on the global Internet is relatively minor, according to Victor. “Even half a million systems infected with a DNSchanger over the billions of devices that are on the Internet is a pretty small number,” he told TechNewsWorld.

While the DNSChanger crisis may have had more fizzle than sizzle, there were lessons to be learned from it, Sullivan noted. For one thing, the FBI knows it needs to work with private sector partners, like the ISPs, so it doesn’t again find itself solely responsible for keeping someone’s Internet connection alive.

Microsoft Kills Certs, Gadgets

Microsoft revoked 28 certificates used to verify its software and launched a method for disabling gadgets on its Windows desktops last week.

The certificate purge is a continuation of the company’s efforts to address security issues raised when security researchers discovered that some of Microsoft’s certificates could be used by Flame, an industrial-strength malware program, to compromise the Windows update process.

Microsoft is describing the certificate purge as a “pre-emptive cleanup.” There’s no evidence that the certificates have been abused or compromised, it said.

The move to disable gadgets — small single-purpose programs that run in the Vista sidebar and Windows 7 desktop — came just two weeks before a pair of researchers were scheduled to talk about security risks posed by the applications at the Black Hat conference to be held in Las Vegas.

At the Windows website, where until early last week Microsoft touted gadgets, it now warns: “Gadgets installed from untrusted sources can harm your computer and can access your computer’s files, show you objectionable content, or change their behavior at any time.”

Big Doesn’t Mean More Secure

If anything can be taken away from the massive data breach at Yahoo last week, it’s that big doesn’t necessarily mean better when it comes to online security.

Don’t trust companies just because they are large, have free offerings, or have a cool brand, observed Philip Lieberman, CEO of Lieberman Software.

It seems Yahoo took the cheap way out for databases via mySQL (free database) and didn’t even bother to encrypt or hash passwords, the cybersecurity expert said.

A group calling itself “D33D” claimed responsibility for clipping 453,000 usernames and passwords from Yahoo and posting them to the hackers’ website. Only a small portion of the passwords — 5 percent — were connected to active accounts, according to Yahoo.

Breach Diary

  • July 10: Formspring acknowledged that 420,000 password hashes were stolen from a production database when hackers broke into one of its development servers. The service has changed its hashing scheme — from SHA-256 with random salts to Bcrypt — and is asking all users to change their passwords.
  • July 11: The Identity Theft Resource Center reported it recorded 213 data breaches during the first half of 2012, with almost two-thirds of them (63.4 percent) containing no reported attributes, a twofold increase over 2011. The trend makes it obvious that with few exceptions, there is minimal transparency when it comes to reporting breaches, the ITRC stated.
  • July 11: A hacker group calling itself “D33D Company” breached Yahoo Contributor Network (formerly Associated Content) and stole some 453,000 usernames and passwords. Yahoo said that only 5 percent of the purloined passwords were linked to valid accounts.
  • July 12: Android Forums, a website for enthusiasts of Google’s mobile operating system, reported that hackers compromised the server hosting the service and accessed its database. The website is asking its roughly 1 million users to reset their passwords.
  • July 12: Nvidia’s developer website was breached and the hashed passwords for some 400,000 accounts may have been compromised. Nvidia has taken the website offline while it investigates the breach.
  • July 13: A Russian developer revealed a hack that allows users to circumvent Apple’s in-app purchase program and buy content from within an app without paying.


John Mello is a freelance technology writer and former special correspondent for Government Security News.
