DNSChanger: lies, damn' lies and telemetry statistics

First the panic, then the accusations of hype. Can we really estimate the impact of DNSchanger yet?

First, the good news. If you're reading this, you probably don't have the DNSchanger problem, or else your ISP is kindly redirecting your DNS requests to a valid server, not the one that the FBI just took down.

If you aren't able to read this, I guess no-one can say we didn't try to warn you. Even, some might say (hi, @vmyths!) to the point of hype. Yes, the 'h' word has raised its head again, and no doubt it will all turn out to be the fault of the anti-virus industry. However, the comparisons with AV hyping of Michelangelo – don't look at me, I was on the corporate customer side of the fence at that point – aren't altogether to the point, and are actually based on misunderstanding of both issues. While some of the figures quoted may have been exaggerated for marketing purposes, I can assure you that there was a genuine problem: in fact, I received a couple of PCs at that time direct from the manufacturer that were unequivocally infected. (Fortunately, I routinely scanned everything that came over my desk, irrespective of the source.) But as for the huge disparity between the predicted number of systems broken by Michelangelo and the actual number of reports, all that I can say is that nobody really knew the number. Believe it or not, it's not easy to estimate the number of machines infected with anything, for the obvious reason that we can't assess the health of those systems on which we have no software installed.

We do have an advantage we didn't have in the days of Michelangelo: we can sometimes make use of other types of telemetry (data measurements made remotely), especially in the case of certain types of botnet. In the case of the DNSchanger family, the maintenance of the (cleaned) DNS service left behind by the malware at least allowed us to count the number of unique IP addresses that were connecting to it.

That count is, however, not terribly accurate. The internet doesn't run on the basis of one IP address per system: in fact, one IP address may be the 'front end' or public address of many individual machines. That suggests that the number of infected machines (or cleaned machines with unrepaired/residual DNS settings) is higher than the DNS Changer Working Group's estimates, right? So why are there (so far, at any rate) no floods of panicky reports of lost connections?
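As an added illustration (not code from the original post) of the unique-IP count described above and of why it is only a lower bound: the log layout, the addresses and the NAT assumption are all constructed for the example.

```python
# Added example: count unique client addresses in a query log from the
# cleaned DNS server, the telemetry the post describes, and show why the
# figure understates the number of affected machines behind NAT.
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in an assumed "timestamp client_ip qname" layout.
SAMPLE_LOG = """\
2012-07-09T08:01:12 203.0.113.5 www.example.com
2012-07-09T08:01:13 203.0.113.5 mail.example.net
2012-07-09T08:02:40 198.51.100.7 www.example.org
2012-07-09T09:15:00 203.0.113.5 cdn.example.com
2012-07-10T07:30:01 192.0.2.9 www.example.com
2012-07-10T07:30:02 198.51.100.7 login.example.net
"""

# Assumption for illustration only: 203.0.113.5 is a NAT gateway fronting
# three infected hosts, so one public address hides two more machines.
HOSTS_BEHIND = {"203.0.113.5": 3}


def parse(log):
    """Return (timestamp, client_ip, qname) tuples from the assumed layout."""
    rows = []
    for line in log.splitlines():
        ts, ip, qname = line.split()
        rows.append((datetime.fromisoformat(ts), ip, qname))
    return rows


def unique_clients(log):
    """The DCWG-style metric: distinct public addresses seen querying."""
    return len({ip for _, ip, _ in parse(log)})


def unique_clients_per_day(log):
    """Same metric broken down by day, to watch the trickle the post expects."""
    seen = defaultdict(set)
    for ts, ip, _ in parse(log):
        seen[ts.date().isoformat()].add(ip)
    return {day: len(ips) for day, ips in seen.items()}


def estimated_hosts(log, hosts_behind):
    """Lower-bound host estimate: every address is at least one machine,
    and known NAT front-ends count for the machines behind them."""
    return sum(hosts_behind.get(ip, 1) for ip in {ip for _, ip, _ in parse(log)})
```

The unique-IP figure (3 here) stays below the host estimate (5) because the gateway address collapses several machines into one; real logs give no such hint, which is why the published counts should be read as a floor.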

  1. ISPs are not necessarily in a rush to reveal the number of their customers affected. Bad news for the customer is bad news for the ISP, even if it's not a problem of the ISP's making.
  2. ISPs may already be redirecting requests to a valid server. Well, that's what I'd be trying to do if I was in that sector.
  3. Helpdesks may be a little too occupied with panicky phone calls to be too concerned right now about publicly releasing figures. In some cases, they may even be able to fix the problem without being fully aware of the cause.
  4. Not everyone spends as much time connected to the internet as I do, even in the age of mobile computing. (I would guess, in any case, that this isn't a problem for too many mobile device users – not, at any rate, till they get onto their PCs, if they have one.) So there may be anything from a trickle to a flood of unhappy users over the coming days or even weeks as less regular users discover that they suddenly have a problem. Especially as it seems that some people have, curiously, been advising potential victims not to connect today. Guys, the server isn't likely to be switched back on tomorrow!
  5. There may be other mitigating factors that we aren't aware of. All we really have to go on is those IP statistics: AV lab analysis and telemetry from AV product ranges aren't really the right tools for this kind of measurement. In fact, there isn't a 'right' tool.

So as @briankrebs so rightly said, this isn't Y2K. It's a little easier to generate some approximate metrics in this case, but you shouldn't expect too much: we don't know everything about everyone's system. In fact, I don't think the AV industry told you we did. At any rate, I hope not.

But what about all those people desperately asking for more information (or rather explanation – there's no shortage of information)? I've responded to as many of those requests posted as comments as possible, either directly or by email, but the blogging team can't generally offer one-to-one support: we don't have the time or the skillset to respond appropriately to some of the questions that have been raised – research skills and support skills often overlap, but good tech support is a skilled specialty in its own right.

And we really can't answer too many questions related to products that aren't ours. Sorry!

ESET Senior Research Fellow
