The End of DNS Changer, Business As Usual For the Other 400 Million

Blog Post created by miketuchen on Jul 9, 2012

I read an article in today’s Wall Street Journal that nearly made me fall off the stationary bike. The title, “Malware Threat to the Internet Corralled,” caught my eye, but the first line was the real shocker:

The malware threat to the Internet likely has been tamed.

Leading Internet-service providers said Sunday that they had moved to ensure that computers infected with malware left behind by a hacking spree that started in 2007 continue to access the Internet normally, and expect relatively few Internet users to face a disruption.

I had a sinking feeling as I started to read the article that many well-meaning professionals may actually read these first couple of paragraphs and go on to believe that all the security-related issues of recent years were just a bad dream, and with decisive action by the FBI and ISPs we’re now moving into a new era of safe computing.


The rest of the article after those disingenuous first paragraphs turned out to be relatively balanced coverage of the DNS Changer Trojan; the FBI’s “Operation Ghost Click,” which took over the shadow DNS servers that the DNS Changer trojan used to spoof DNS requests; and the fact that the ISC is finally turning these replacement servers off today. I suspect the article resulted from a well-intentioned PR effort to spread the word about the imminent shutoff, so that anyone whose internet stops working will know what happened. At last count over 250,000 computers are still infected (out of a reported 2.5M at the height of the infection last fall, and over 400,000 on the initially designated shutoff date of March 8), so getting the word out to the remaining holdouts is definitely a good idea.  Unfortunately, the authors decided to hype up that rather bland housecleaning article with the catchy but highly misleading title and opening paragraphs.


In reality, DNS Changer was only one of approximately 403 million new variants of malware created in 2011 (according to research from Symantec). The FBI’s Operation Ghost Click was extremely successful by any measure, resulting in the arrest of the Estonian Rove Digital team behind DNS Changer and commandeering the rogue DNS server network. On the one hand, it’s a great example of what can be done with security experts, law enforcement, and service providers working together, but on the other hand it’s sobering to think of the growing gap between these occasional law enforcement successes and the enormous number of malware strains launched every week.  Economics unfortunately isn’t in the good guys’ favor here: it undoubtedly cost at least an order of magnitude more for the FBI to take the Rove/DNS Changer team down than it did for Rove to create it in the first place.  And with the reported $14M of illicit gains for Rove before the arrest, it’s clear that the balance of high financial incentives and relatively low risk will still tempt plenty of new malware authors to continue to perpetrate more infections of this kind.


In order to turn this around we’ll need to find a way to change the economics: either dramatically increase the cost of creating and spreading successful malware; dramatically reduce the cost of shutting down these networks; or dramatically reduce the potential rewards of a successful attack.  Or some combination of the three.  In the meantime, the last decade has ushered in an explosion in the malware economy, with no end in sight.


As long as we’re on the subject of DNS Changer, here is some advice from the DNS Changer Working Group (DCWG) on how to remove it. We recommend backing up your key files first.