First, the good news. If you're reading this, you probably don't have the DNSchanger problem, or else your ISP is kindly redirecting your DNS requests to a valid server, not the one that the FBI just took down.
If you aren't able to read this, I guess no-one can say we didn't try to warn you. Even, some might say (hi, @vmyths!) to the point of hype. Yes, the 'h' word has raised its head again, and no doubt it will all turn out to be fault of the anti-virus industry. However, the comparisons with AV hyping of Michelangelo – don't look at me, I was on the corporate customer side of the fence at that point – aren't altogether to the point, and are actually based on misunderstanding of both issues. While some of the figures quoted may have been exaggerated for marketing persons, I can assure you that there was a genuine problem: in fact, I received a couple of PCs at that time direct from the manufacturer that were unequivocally infected. (Fortunately, I routinely scanned everything that came over my desk, irrespective of the source.) But as for the huge disparity between the predicted number of systems broken by Michelangelo and the actual reports of reports, all that I can say is that nobody really knew the number. Believe it or not, it's not easy to estimate the number of machines infected with anything for the obvious reason that we can't assess the health of those systems on which we have no software installed.
We do have an advantage we didn't have in the days of Michelangelo: we can sometimes make use of other types of telemetry (data measurements made remotely), especially in the case of certain types of botnet. In the case of the DNSchanger family, the maintenance of the (cleaned) DNS service left behind by the malware at least allowed us to count the number of unique IP addresses that were connecting to it.
That count is, however, not terribly accurate. The internet doesn't run on the basis of one IP address per system: in fact, one IP address may be the 'front end' or public address of many individual machines. That suggests that the numbers of infected machines (or cleaned machines with unrepaired/residual DNS settings) is higher than DNS Changer Working Group's estimates, right? So why are there (so far, at any rate, no floods of panicky reports of lost connections?
So as @briankrebs so rightly said, this isn't Y2K. It's a little easier to generate some approximate metrics in this case, but you shouldn't expect too much: we don't know everything about everyone's system. In fact, I don't think the AV industry told you we did. At any rate, I hope not.
But what about all those people desperately asking for more information (or rather explanation – there's no shortage of information)? I've responded to as many of those requests posted as comments as possible, either directly or by email, but the blogging team can't generally offer one-to-one support: we don't have the time or the skillset to respond appropriately to some of the questions that have been raised – research skills and support skills often overlap, but good tech support is a skilled specialty in its own right.
And we really can't answer too many questions related to products that aren't ours. Sorry!
David Harley CITP FBCS CISSP
ESET Senior Research Fellow
Author David Harley, ESET