Up to 100,000 customer modems are at risk of losing their internet connection from July 9 when the FBI disables rogue DNS servers seized late last year.
The affected customer modems make up about a third of the 350,000 to 400,000 internet users believed to still have the DNSChanger malware on either their modems or Windows computers.
The FBI believes that up to four million users were infected at the height of the Estonian advertising scam, which redirected legitimate searches by computer users to malicious sites via rogue DNS servers located in Chicago and New York.
|Complete coverage of AusCERT 2012|
Six Estonian nationals have been arrested and are currently subject to extradition procedures to face charges in the United States.
US authorities have interim control of the rogue DNS servers but expect to shut them down on July 9, after a four-month court ordered extension of the program expires.
Any computer still infected with DNSChanger - believed to be more than 300,000 users in July - will not be able to connect to the internet.
The modem problem
While remediation support for infected users had largely focused on solving the Windows infection, Paul Vixie of the Internet Systems Consortium told AusCERT 2012 attendees this week that internet service providers would have to "truck-roll" new modems to those believed to be affected by the malware outside their PC.
"The CPE [customer premises equipment] - the DSL or cable modem - tends to be one of a small number of things that all come out of Taiwan or that part of the world and even if they're made by different companies they will have a similar web interfaces when viewed from the inside," he said.
The scammers, he said, "scripted [the web] interface and changed the DNS settings in the CPE".
He noted it was "very difficult to get these re-programmed".
Vixie and the ISC have a direct contract with the FBI to coordinate the investigation, which ultimately lead to police seizing the rogue DNS servers and operating them while they attempt to remove remaining infections worldwide.
Internode chief technology officer John Lindsay told SC Magazine the iCode framework, developed by the Internet Industry Association in 2010 and implemented by major service providers, proved effective in dealing with those affected at both the PC and modem level.
Those modems found to have changed DNS settings on Internode's network specifically are flashed with factory settings or new firmware. In some cases, Lindsay said the ISP preffered to replace the infected modem with newer equipment to avoid further problems.
"We have probes in our network that look for these sorts of problems and contact customers who appear affected and provide assistance to fix the problem and help them prevent future incidents," he said.
The action taken by Internode differs from the "walled garden" approach suggested in the framework.
While take-down of the DNS servers was "carefully choreographed" between the FBI and Estonian police, Vixie conceded that fixing the continued problem of infected computers and modems had not been great.
The 300,000 users believed to retain the infection on July 9 would leave internet service providers with a growing support problem, he said.
The underlying botnet malware used in the scam, Alureon, also remains at large with the potential to infect more computers in future.
"We didn't put any time into how remediation was going to work or how we were going to do the charts and diagrams and population estimates," he said.
"We had none of that in place on day one. after we had the name servers running and we were collecting the data someone finally said 'shouldn't we be analysing this?'"
Like the similarly malicious Conficker botnet, which still boasts six million victims, Vixie said the issue remained in user trust.
"They don't trust us, they don't know us... they don't trust their ISP," he said.
"Their plan, if you can dignify it with the name plan, is to just keep using their computer until it doesn't work anymore, and then they'll buy a new one."
The saving grace for Vixie, he said, was that the scammers behind DNSChanger could have been "much more evil than they were".