A rumor repeated enough times on the Web is too often given the same status as truth. Then, by the time the rumor is discredited, the story is old and dead anyway, and the next rumor has taken hold. Take the case of the DNSChanger Trojan. Last November, as RWW’s David Strom first reported, the FBI indicted seven men suspected of involvement with an Estonian malware distribution firm. That malware, which plagues U.S. Government systems to this day, simply changed PCs’ DNS server settings to point to those operated by the firm. And that firm directed unsuspecting users to sites containing ads that the firm hosted, and allegedly profited from.
Naturally, you’d want to shut that down. The problem last November was, doing this would disrupt Internet service to users worldwide, including government systems believed to have been targeted. So the FBI sought and received a court’s permission to have a well-respected non-profit group run legitimate DNS servers at the same addresses, up until the addresses changed by the Trojan could be replaced. That lease was set to expire tomorrow, and as it turned out, it wasn’t enough time. Sensationalist news sources just love a countdown – if it’s ticking, it must be a time bomb.
“FBI might shutdown the Internet on March 8,” read RT.com, the Russian news service which also carried President-Elect Vladimir Putin’s comments that political protestors are only there to get beaten up by police and get caught on camera. London’s Daily Mail carried essentially the same headline, though added the obligatory question mark. Local U.S. television news followed suit, though by answering the question mark with essentially, “Of course not! What, you think the government’s that stupid?”
On Monday, a federal judge in New York granted the FBI’s request to extend Internet Systems Consortium’s lease of the temporary servers for another 120 days, until July 9. As I told NTN24’s Monica Fonseca on today’s C.S.T. program in Colombia, this will give the government and other folks that much more time to change their DNS server settings to those that did not belong to the suspect firm’s group of rogue sites.
According to the FBI’s indictment, here is the complete list of ranges of DNS addresses that pointed to the suspect firm’s rogue servers:
85.255.112.0 through 85.255.127.255
67.210.0.0 through 67.210.15.255
93.188.160.0 through 93.188.167.255
77.67.83.0 through 77.67.83.255
213.109.64.0 through 213.107.79.255
64.28.176.0 through 64.28.191.255
69.197.132.58
72.233.76.82
174.123.205.190
174.133.7.122
184.82.214.2
216.127.191.66
64.20.51.2
65.60.9.234 through 65.60.9.238
66.152.177.58
72.18.192.58 through 72.18.192.61
72.233.76.66 through 72.233.76.70
65.254.36.122
65.254.50.10
72.9.232.202
75.127.76.194
207.210.119.170
216.180.243.10
64.111.197.186
66.230.167.218
69.93.95.234
The FBI published a brochure (PDF available here) explaining in general terms how users’ systems were affected, and what steps they can take to remedy the problem and return their Internet access to normal. These directions apply to Windows XP, Windows Vista, Windows 7, and Mac OS X users. The brochure explains how the rogue servers were able to masquerade as DHCP servers as well, instructing victims’ PCs in how to change their DNS server addresses without having to hack into them to do so.