Incident: Internet Shutdown Caused by Alureon/DNS Changer Malware.

Published Date: 2012-05-25

Postmortem Analysis
Timeline
1. The software failure incident happened in July 2012. [13536, 13350, 12179, 13299]
Estimation:
- Article 13536 was published on 2012-07-05, reporting that the internet shutdown due to the malware was set to happen on Monday, July 9.
- Article 13350 was published on 2012-07-09, mentioning that the FBI would be blocking up to 500,000 users affected by the malware.
- Article 12179, published on 2012-05-25, discussed the impending shutdown on July 9.
- Article 13299, published on 2012-07-05, provided details about the DNSChanger malware affecting tens of thousands of users, with the FBI planning to pull the plug on July 9.

System
1. Alureon/DNS Changer bot software [13536, 13350, 12179, 13299]
2. DNSChanger malware [13350, 13299]

Responsible Organization
1. International hackers who ran an online advertising scam to take control of infected computers worldwide [Article 12179]
2. Eastern European cyber-criminals who created the malicious program DNSChanger, affecting up to 500,000 users worldwide [Article 13350]
3. Hackers who infected a network of over 570,000 computers worldwide with the DNSChanger malware, redirecting users to fake advertising websites [Article 13299]

Impacted Organization
1. Individual computer users worldwide, including those in the United States, whose machines were infected with the Alureon/DNS Changer bot [13536, 13350, 12179, 13299].
2. Fortune 500 companies, around 50 of which still had infected machines [13536, 13350, 13299].

Software Causes
1. The 'Alureon/DNS Changer bot' malware, which infected hundreds of thousands of computers worldwide and attempted to steal personal and financial information [13536, 13350].
2. The DNSChanger malware, which redirected users to fake advertising websites and affected up to 500,000 users worldwide [13350, 13299].

Non-software Causes
1. The failure incident was caused by an online advertising scam run by international hackers to take control of infected computers worldwide [Article 12179].
2. The malware infected computers by taking advantage of vulnerabilities in the Microsoft Windows operating system [Article 12179].
3. The malware prevented infected machines from downloading operating system and antivirus security updates [Article 13299].
4. The malware redirected victims' web browsers to sites designated by the attackers to earn affiliate and referral fees [Article 13299].
5. The malware altered the DNS server settings on infected machines to direct victims' browsers to specific websites [Article 13299].

Impacts
1. The software failure incident involving the Alureon/DNS Changer malware led to the potential loss of internet access for up to 500,000 users worldwide, including around 64,000 in the United States [Article 13350].
2. The malware infected more than half a million machines worldwide, causing web browsers to be redirected to malicious sites and preventing users from downloading operating system and antivirus security updates [Article 13299].
3. The FBI's temporary solution of using clean Internet servers to handle requests from infected machines will be shut down, potentially leaving those still infected unable to access the internet [Article 12179].
4. The malware affected around 50 Fortune 500 companies, highlighting the widespread impact on both individual users and large corporations [Article 13536].

Preventions
1. Regular software updates and patches to fix vulnerabilities in the operating system could have prevented the DNSChanger malware incident [Article 13299].
2. Improved user awareness and education about malware risks and safe browsing practices could have helped prevent the spread of the DNSChanger malware [Article 12179].
3. Stronger cybersecurity measures and proactive monitoring by internet service providers and companies could have detected and mitigated the malware infection earlier [Article 13350].
4. Timely removal of the malware from infected computers by using recommended virus scanner and removal software could have prevented the internet shutdown caused by the DNSChanger malware [Article 13536].

Fixes
1. Users can visit the FBI-approved site http://www.dns-ok.us to check if their computers are infected: an 'all-clear' green background means not infected, an 'at risk' red background means infected. If they see a red background, they can visit http://www.dcwg.org/fix for free virus scanner and removal software recommendations such as Microsoft Windows Defender and Avira [13536, 13350, 12179, 13299].
2. Internet service providers can assist infected users by providing technical solutions to correct the server problem that could affect some computers after the shutdown. This may help restore internet connectivity for affected users [13350].
3. Users can contact their internet service providers for help deleting the malware and reconnecting to the internet if their computers are still infected on Monday [13536, 13350].
4. The DNSChanger Working Group has set up a website to allow users to determine if their machines are infected. Users can visit the site and see if they have a green background (indicating no infection) or a red background (indicating infection) [13299].

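The DNS-settings alteration listed under Non-software Causes and the green/red self-check listed under Fixes both come down to one question: does any resolver configured on the machine fall inside an attacker-controlled address range? The following checker is an added example, not code from the page or from the DNSChanger Working Group; the rogue ranges it uses are labelled placeholders (the page does not list the real ones), and the resolv.conf text is a constructed sample.

```python
import ipaddress

# Placeholder rogue-resolver ranges. The actual DNSChanger ranges are not given
# on this page; substitute the ranges published by the DNSChanger Working Group.
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),     # placeholder (TEST-NET-1)
    ipaddress.ip_network("198.51.100.0/24"),  # placeholder (TEST-NET-2)
]

# Constructed sample of a resolv.conf-style file from a machine whose resolver
# settings were changed to point at a server inside a placeholder rogue range.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search example.internal
nameserver 192.0.2.53
nameserver 8.8.8.8
nameserver not-an-ip
"""


def parse_nameservers(text: str) -> list:
    """Return the addresses from 'nameserver' lines, ignoring comments and other keys."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify_resolver(addr: str, rogue_ranges=ROGUE_RESOLVER_RANGES) -> str:
    """'rogue' if addr is inside a known-bad range, 'invalid' if it is not an IP, else 'clean'."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"  # a garbage entry is reported rather than silently skipped
    return "rogue" if any(ip in net for net in rogue_ranges) else "clean"


def check_resolver_config(text: str, rogue_ranges=ROGUE_RESOLVER_RANGES) -> dict:
    """Mirror the site's verdict: 'red' if any configured resolver is rogue, else 'green'."""
    results = {s: classify_resolver(s, rogue_ranges) for s in parse_nameservers(text)}
    verdict = "red" if "rogue" in results.values() else "green"
    return {"verdict": verdict, "resolvers": results}


if __name__ == "__main__":
    report = check_resolver_config(SAMPLE_RESOLV_CONF)
    print("verdict:", report["verdict"])
    for server, status in report["resolvers"].items():
        print(f"  {server}: {status}")
```

On a live machine, feed the function the contents of /etc/resolv.conf or the DNS server entries from the network adapter settings; the page's own check at dns-ok.us is the authoritative source for whether the configured ranges are the rogue ones.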
References
1. FBI [13536, 13350, 12179, 13299]
2. Internet service providers [13536, 13350, 12179, 13299]
3. Google [12179, 13299]
4. Facebook [13536, 12179, 13299]
5. Internet Systems Consortium [12179, 13299]
6. Malwarebytes [12179]
7. Internet Identity [13299]

Software Taxonomy of Faults

Category Option Rationale
Recurring: multiple_organization
(a) The software failure incident related to the DNSChanger malware has happened again at multiple organizations. The incident involved infected computers being redirected to fake advertising websites, affecting a significant number of users worldwide [Article 13350]. The malware infected more than half a million machines worldwide, leading to financial gains for the attackers through fraudulent activities [Article 13299].
(b) The incident also occurred at other organizations, including about 50 Fortune 500 companies that were still infected with the malware [Article 13536]. Additionally, the malware affected 12% of the top 500 U.S. firms, indicating a widespread impact across various organizations [Article 13350].

Phase (Design/Operation): design, operation
(a) The software failure incident related to the design phase can be seen in the articles. The incident was caused by the DNSChanger malware, which infected more than half a million machines worldwide. The malware was created by Eastern European cyber-criminals who ran an online advertising scam to take control of infected computers around the world [Article 13350]. The malware altered the DNS server settings on infected machines to direct victims' browsers to sites that paid a fee to the criminals, leading to unauthorized redirection of users to fraudulent websites [Article 13299].
(b) The software failure incident related to the operation phase is evident in the articles as well. The FBI took the unusual step of setting up a 'safety-net' by routing infected machines through their server to stop the 'spoof' attacks caused by the Alureon/DNS Changer bot [Article 13536]. Additionally, infected users faced difficulties in accessing websites they wanted to visit due to the shutdown of malicious servers, leading to an operational failure in internet connectivity [Article 13299].

Boundary (Internal/External): within_system, outside_system
(a) within_system: The software failure incident related to the Alureon/DNS Changer malware was primarily within the system. The malware infected computers by taking advantage of vulnerabilities in the Microsoft Windows operating system, installing malicious software that turned off antivirus updates and changed the way computers reconcile website addresses behind the scenes on the Internet's domain name system [Article 12179]. The malware also redirected users to fake advertising websites, causing financial harm and posing a threat to personal information security [Article 13536].
(b) outside_system: The software failure incident was also influenced by factors outside the system. The FBI took action to set up a 'safety net' using government computers to prevent Internet disruptions for infected users, showing an external intervention to mitigate the impact of the malware [Article 12179]. Additionally, Internet service providers and tech companies like Google and Facebook played a role in warning users about the malware and providing solutions to address the issue [Article 13350].

Nature (Human/Non-human): non-human_actions, human_actions
(a) The software failure incident occurring due to non-human actions:
- The software failure incident was caused by the DNSChanger malware, which infected more than half a million machines worldwide [Article 13299].
- The malware redirected users' web browsers to sites designated by the attackers, allowing them to earn money through affiliate and referral fees [Article 13299].
- The malware also prevented infected machines from downloading operating system and antivirus security updates, making the machines more vulnerable to other problems [Article 13299].
- The FBI took steps to prevent Internet disruptions for infected users by setting up a safety net using government computers, which will be shut down on July 9, leading to potential internet connection issues for infected users [Article 12179].
(b) The software failure incident occurring due to human actions:
- The DNSChanger malware was created by Eastern European cyber-criminals [Article 13350].
- The malware was part of an online advertising scam run by hackers to take control of infected computers worldwide [Article 12179].
- The FBI and other authorities arrested individuals involved in running the clickjacking operation related to the malware [Article 13299].
- The malware scheme involved wire fraud and other computer-related crimes, leading to charges against several individuals from Estonia and Russia [Article 13299].

Dimension (Hardware/Software): hardware, software
(a) The software failure incident occurring due to hardware:
- The incident involving the DNSChanger malware was a result of hackers infecting a network of over 570,000 computers worldwide by taking advantage of vulnerabilities in the Microsoft Windows operating system [Article 12179].
- The malware redirected users to fake advertising websites and prevented infected machines from downloading operating system and antivirus security updates [Article 13299].
(b) The software failure incident occurring due to software:
- The incident was primarily caused by the DNSChanger malware, which was a piece of malicious software designed to redirect users to fraudulent websites and prevent them from accessing the internet [Article 13350].
- The malware altered DNS server settings on infected machines to direct users' browsers to specific sites that paid a fee to the attackers [Article 13299].

Objective (Malicious/Non-malicious): malicious
(a) The software failure incident in the articles is malicious in nature. The incident involved malware known as Alureon/DNS Changer and DNSChanger, which were intentionally created by cyber-criminals to infect computers and redirect users to fake websites for the purpose of stealing personal and financial information [13536, 13350, 12179, 13299]. The malware also prevented infected machines from downloading operating system and antivirus security updates, further indicating malicious intent [13299]. The FBI took action to block infected computers and set up a safety net to prevent Internet disruptions for infected users, showing that the incident was a deliberate attack by hackers [12179]. The malware scheme involved infecting a large network of computers worldwide, redirecting browsers to fraudulent websites, and earning profits from advertisements, highlighting the malicious nature of the software failure incident [12179, 13299].

Intent (Poor/Accidental Decisions): unknown
(a) The intent of the software failure incident was not due to poor decisions but rather a deliberate action taken by the FBI to address a malware threat. The FBI took the unusual step of setting up a 'safety-net' by routing infected machines through their server to stop the 'spoof' attacks caused by the Alureon/DNS Changer bot [13536]. Similarly, the FBI seized control of command-and-control servers used in the DNSChanger malware operation and installed replacement servers to handle requests from infected machines to prevent internet disruptions for infected users [12179, 13299].
(b) The software failure incident was not a result of accidental decisions but rather a response to a malware threat that required deliberate actions to mitigate. The FBI's actions, such as setting up replacement servers and warning users about the malware, were intentional efforts to address the issue [12179, 13299].

Capability (Incompetence/Accidental): development_incompetence
(a) The software failure incident occurring due to development_incompetence:
- The incident involving the Alureon/DNS Changer malware was a result of hackers running an online advertising scam to take control of infected computers worldwide by exploiting vulnerabilities in the Microsoft Windows operating system [Article 12179].
- The malware, DNSChanger, redirected users to fake advertising websites and prevented infected machines from downloading operating system and antivirus security updates that could detect and stop the malware [Article 13299].
(b) The software failure incident occurring due to accidental factors:
- The FBI took the unusual step of setting up a 'safety-net' by routing infected machines through their server to stop the 'spoof' attacks caused by the Alureon/DNS Changer malware [Article 13536].
- The FBI and other authorities seized control of rogue servers used by hackers in the DNSChanger malware operation, but realized that shutting down these servers would lead to infected machines losing internet access, prompting the installation of replacement servers to handle requests from infected machines [Article 13299].

Duration: temporary
(a) The software failure incident in the articles is temporary. The incident involves the FBI setting up a temporary system to handle infected computers before shutting it down on a specific date, which would result in those still infected losing internet access [13536, 13350, 12179, 13299].

Behaviour: crash, omission, timing, value, byzantine, other
(a) crash:
- The software failure incident related to the Alureon/DNS Changer bot resulted in a potential crash scenario where infected users could lose their internet connection without warning when the FBI shut down the servers routing their traffic [Article 13536].
- The FBI set up a safety net using clean Internet servers to prevent Internet disruptions for infected users, but this temporary system was scheduled to be shut down, potentially leading to a crash scenario for those still infected [Article 12179].
(b) omission:
- The DNSChanger malware, which infected more than half a million machines worldwide, redirected users' web browsers to sites designated by attackers, potentially omitting to perform the intended function of directing users to legitimate websites [Article 13299].
(c) timing:
- The FBI took the unusual step of setting up a 'safety-net' to route infected machines through their server to stop the 'spoof' attacks, but this protection was scheduled to end on a specific date (Monday) [Article 13536].
- The FBI intended to pull the plug on the replacement servers handling requests from infected machines on July 9, potentially causing a timing issue for users still infected with the malware [Article 13299].
(d) value:
- The DNSChanger malware prevented infected machines from downloading operating system and antivirus security updates, potentially leading to a value failure where the system did not perform its intended function correctly [Article 13299].
(e) byzantine:
- The DNSChanger malware altered the DNS server settings on infected machines to direct victims' browsers to sites that paid a fee to the attackers, showcasing a byzantine behavior with inconsistent responses and interactions [Article 13299].
(f) other:
- The software failure incident involved a scenario where infected users were at risk of losing internet access due to the malware, which could be categorized as a potential denial of service or disruption of service incident [Article 13350].
- The malware incident involved a complex network of infected computers worldwide, highlighting a scenario where the system's behavior was intertwined with criminal activities and financial gains, which could be considered as a unique aspect of the failure incident [Article 12179].

IoT System Layer

Layer Option Rationale
Perception: None. Rationale: None.
Communication: None. Rationale: None.
Application: None. Rationale: None.

Other Details

Category Option Rationale
Consequence: property, theoretical_consequence
(d) property: People's material goods, money, or data were impacted due to the software failure. The software failure incident related to the Alureon/DNS Changer malware impacted users' computers by redirecting them to fake advertising websites in an attempt to steal personal and financial information. The malware also prevented infected machines from downloading operating system and antivirus security updates, making the machines more vulnerable to other problems. Additionally, the malware altered the DNS server settings on infected machines to direct users' browsers to specific sites designated by the attackers, allowing the attackers to earn money from affiliate and referral fees [Article 13299]. The FBI took steps to address the issue, including setting up a safety net using government computers to prevent Internet disruptions for infected users, but this system was eventually shut down, leading to potential loss of internet access for those still infected [Article 12179].

Domain: information, government
(a) The software failure incident was related to the industry of information, specifically affecting internet users who were at risk of losing access due to the DNSChanger malware [Article 13350, Article 12179, Article 13299].
(b) The transportation industry was not directly impacted by the software failure incident.
(c) The natural resources industry was not directly impacted by the software failure incident.
(d) The sales industry was not directly impacted by the software failure incident.
(e) The construction industry was not directly impacted by the software failure incident.
(f) The manufacturing industry was not directly impacted by the software failure incident.
(g) The utilities industry was not directly impacted by the software failure incident.
(h) The finance industry was not directly impacted by the software failure incident.
(i) The knowledge industry was not directly impacted by the software failure incident.
(j) The health industry was not directly impacted by the software failure incident.
(k) The entertainment industry was not directly impacted by the software failure incident.
(l) The government industry was indirectly impacted by the software failure incident, as government agencies were mentioned to have computers infected with the DNSChanger malware [Article 13299].
(m) The software failure incident was not related to an industry outside of the options provided.
