Kill Switch:FBI Could Shut Off Internet for Thousands on 3/8

Posts: 4007
Joined: Wed Feb 16, 2011 8:03 pm

Post Fri Feb 17, 2012 1:28 pm » by Rydher

Kill Switch: FBI Could Shut Off Internet for Thousands on March 8 to Eradicate Virus

It’s a scary thought, having the Internet forcibly shut off for you. But it’s just what some Fortune 500 companies and government agencies could face as the Federal Bureau of Investigation tries to get rid of an extremely malicious computer virus.

Krebs on Security reports that the malware — DNSChanger Trojan — infected more than 4 million computers in more than 100 countries thanks to the work of six men who were arrested in Estonia for the crime in Nov. 2011. Gizmodo reports that the virus causes the user to be sent to fraudulent websites by changing DNS settings and even prevents them from visiting security sites that could help rid them of the virus.

In the United States, half a million computers were reportedly infected, with a security firm finding at least one infection in half of the Fortune 500 companies and 27 government agencies. What’s to be done? Krebs on Security reports that any computer still infected by March 8, 2012, will have Internet service disconnected from it:
“Yes, there are challenges with removing this malware, but you would think people would want to get this cleaned up,” said Rod Rasmussen, president and chief technology officer at Internet Identity. “This malware was sometimes bundled with other stuff, but it also turns off antivirus software on the infected machines and blocks them from getting security updates from Microsoft.”

Computers still infected with DNSChanger are up against a countdown clock. As part of the DNSChanger botnet takedown, the feds secured a court order to replace the Trojan’s DNS infrastructure with surrogate, legitimate DNS servers. But those servers are only allowed to operate until March 8, 2012. Unless the court extends that order, any computers still infected with DNSChanger may no longer be able to browse the Web.

Rasmussen said there are still millions of PCs infected with DNSChanger. “At this rate, a lot of users are going to see their Internet break on March 8.”

Krebs reports the FBI saying that it is currently working on ideas to minimize impact on users in that event. Rasmussen says that cleanup, even if the deadline is extended, will still take a long time given the number of computers and says in addition to being “an interesting social experiment”, it would be a faster fix.

Gizmodo reports that once you know your computer has a problem, the fix isn’t too painful or time consuming. You can check to see if you’ve been “victimized” here. (Uhhh, no thanks...)


U.S. Attorney Preet Bharara said in November that this case was first of its kind because the suspects set up their own “rogue” servers to secretly reroute Internet traffic to sites where they had a cut of the advertising revenue.

“Without the computer users’ knowledge or permission, the malware digitally hijacked the infected computers to facilitate the fraud,” the indictment says.

Once their computers were infected, people seeking to visit Netflix, the IRS, ESPN, Amazon and other legitimate sites were redirected to sites where the defendants collected income for each click on an ad, authorities said. The malware and corrupted servers also allowed the defendants to substitute legitimate ads on other websites with replacement ads that earned them more illicit income, they added.


Posts: 4007
Joined: Wed Feb 16, 2011 8:03 pm

Post Fri Feb 17, 2012 1:50 pm » by Rydher

A few questions:

1. How is this virus any different from any other trojan/virus that has come out? Doesn't the majority of them do what this one does?

2. To shut down your internet means that they have to be logging every IP that connects to the redirected server, right? Then using that list to 'turn off' your internet.

3. Is this in cooperation with the various ISP providers? Or is the government able, both physically and legally, to go around an ISP and shut off an individual's internet?

4. A virus that redirects you and generates income based on ad clicks is serious enough to even think about doing something like this? Again, I've had many viruses that do this exact same thing. What makes this one so different?

The whole thing makes no sense. Unless you are using it to test your ability to actually accomplish it. IE. The country wide EBS tests.

Posts: 1836
Joined: Sat Sep 05, 2009 5:25 am

Post Fri Feb 17, 2012 3:05 pm » by Dagnamski

Do IT!

“If at first, the idea is not absurd, then there is no hope for it”


Posts: 307
Joined: Thu Apr 19, 2012 7:07 pm

Post Mon Feb 20, 2012 11:52 pm » by FullDisclosure

rydher wrote:
2. To shut down your internet means that they have to be logging every IP that connects to the redirected server, right? Then using that list to 'turn off' your internet.

No. Although they could do that, and probably are, simply turning off those servers will mean any computer configured to resolve domain names through them will no longer be able to obtain a domain name's IP address. Those computers will still be "online", using the internet to attempt contact, but will appear to be offline when a connection cannot be established.

So basically they won't be cutting off internet access for anyone; they will be disabling rogue DNS servers to which traffic had been fraudulently diverted without the users' knowledge or consent.

Checking to see if you are going through those rogue servers is easy:
1) Check your Winblows configuration
a) Click the Start menu
b) click on "Run",
c) type "cmd" to open the command prompt.
d) type "ipconfig /all"
2) Check your DNS servers listed against the known rogue servers:
a) to
b) to
c) to
d) to
e) to
f) to
g) If you're using Google's / you should consider changing it too...
3) If your DNS is not on the above list then it is safe from *THIS* attack.


Forgot to add: If you are using a router to connect, it is best to check its DNS settings as well. Log into your router using the IP address listed as the "default gateway" (usually or and change out any default username/password on it as well. The virus isn't supposed to affect routers, but you never know what else has.
Last edited by FullDisclosure on Tue Feb 21, 2012 12:03 am, edited 2 times in total.

I try not to troll, but sometimes people just fucking deserve it.
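
A scripted version of the check FullDisclosure walks through above, added here as an example and not code from any post in this thread: it parses the output that `ipconfig /all` produces, pulls out every configured DNS server, and tests each one against a list of address ranges. The ranges in the script are placeholders taken from the RFC 5737 documentation blocks, not the real rogue-server ranges (which the post above does not reproduce), so substitute the published ranges before relying on the result. It goes one step beyond the post by accepting ranges as first/last address pairs rather than only CIDR blocks, and it exposes `is_rogue()` for checking a router's DNS setting by hand. The sample `ipconfig` output is constructed.

```python
import ipaddress
import re

# Placeholder ranges, NOT the real DNSChanger rogue-server ranges (the post
# above does not reproduce them). These are RFC 5737 documentation blocks;
# replace them with the published rogue ranges before relying on the result.
ROGUE_RANGES = [
    ("192.0.2.0", "192.0.2.255"),        # placeholder, TEST-NET-1
    ("198.51.100.0", "198.51.100.127"),  # placeholder, half of TEST-NET-2
]


def build_networks(ranges):
    """Convert (first, last) address pairs into ip_network objects.

    summarize_address_range() also handles ranges that are not a single
    CIDR block, so published first/last pairs can be pasted in as-is."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets


def parse_ipconfig_dns(text):
    """Extract DNS server addresses from `ipconfig /all` output.

    The 'DNS Servers' line carries the first address; further servers for
    the same adapter follow on indented continuation lines that hold nothing
    but the address. Any labelled or blank line ends the continuation."""
    raw = []
    in_dns = False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            raw.append(m.group(1))
            in_dns = True
            continue
        cont = re.match(r"\s+(\S+)\s*$", line)
        if in_dns and cont:
            raw.append(cont.group(1))
            continue
        in_dns = False
    servers = []
    for token in raw:
        try:
            # drop a "%n" IPv6 zone index so the address parses
            servers.append(ipaddress.ip_address(token.split("%")[0]))
        except ValueError:
            pass  # not an address (e.g. a hostname); ignore it
    return servers


def is_rogue(address, ranges=ROGUE_RANGES):
    """True if one address (e.g. the DNS setting read off a router's admin
    page) falls inside any of the ranges. v4/v6 mismatches are simply False."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in build_networks(ranges))


def check_dns(ipconfig_text, ranges=ROGUE_RANGES):
    """Map each configured DNS server to True (in a rogue range) or False."""
    return {str(a): is_rogue(str(a), ranges)
            for a in parse_ipconfig_dns(ipconfig_text)}


# Constructed sample of `ipconfig /all` output: the first DNS server sits in
# a placeholder range, the second does not.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WORKSTATION-01

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 10.0.0.15(Preferred)
   Default Gateway . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 192.0.2.53
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for server, flagged in check_dns(SAMPLE_IPCONFIG).items():
        print(f"{server:>16}  {'IN ROGUE RANGE' if flagged else 'ok'}")
```

Run it as-is to see the sample flagged, or pipe real output in with `ipconfig /all > out.txt` and pass the file contents to `check_dns()`. A server that is flagged only tells you the resolver setting points into one of the listed ranges; the fix is the configuration change the post describes (and the same check on the router's own DNS setting), not just deleting a file.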

Posts: 4007
Joined: Wed Feb 16, 2011 8:03 pm

Post Mon Feb 20, 2012 11:55 pm » by Rydher

Good info, thanks. :flop:

My questions still bother me though. :dunno:

Posts: 1982
Joined: Sun Sep 18, 2011 9:29 pm
Location: canada

Post Tue Feb 21, 2012 12:11 am » by Mydogma

Isn't this just duping joe public to go to the fbi site and let them filter thru your computer?...seems like the problem reaction solution thing all wrapped up in a fbi virus bundle of bs...let me guess..they put out the virus..grab a few nobodies that can't defend themselves..blame it on them..ask us to come and have our computers checked by the offer the much money is the fbi making ripping us off...I think any of the servers could be given the fix..but no they want us to log on and ask for nice of them...hopefully one day there will be honor brought back to fbi and they actually arrest their slavemasters...
If you don't wake up, you're the problem, not the

Posts: 3454
Joined: Fri Dec 31, 2010 8:35 am

Post Tue Feb 21, 2012 3:27 am » by Frutty

Just a quick note. I am always against the grain, but I will tell you guys I have not been using ANY, I mean ANY, antivirus for more than 8 years.

My computer has NEVER crashed due to a virus.
Deception in life is nothing but a lie reduced to practice
