What Can We Learn from Malware Monday?

Over the past few weeks, global news outlets have been warning users about Malware Monday and the pending Internet shutdown on July 9, 2012, for computers still infected with the DNSChanger malware. While the issue is certainly real, this blogger believes many headlines were (and still are) too alarmist. Can we learn anything from this?

by Dan Lohrmann / July 7, 2012


For example, I view much of this material as “Fear, Uncertainty and Doubt” (FUD):

NY Daily News: How to avoid Monday’s Malware Meltdown? (I like the picture of a dark room full of computers with one user PC working.)

Discovery News: Malware May Kill Your PC (Other sites linking to this story added the word “massive” up front. Nice.)

ArticleCell.com: Could Your PC be Heading to Malware Armageddon on July 9? (Armageddon, really?)

Even our own … Government Technology: Are you safe from Internet Doomsday?

I find most of these articles to be somewhat informative, attention-grabbing and overblown in spreading fear. I worry that we are using up our (very few) cybersecurity industry silver bullets on the wrong Internet “crisis.” There are plenty of very, very serious problems online right now, but I would not put Malware Monday at (or near) the top of the list.

One could even make the argument that this malware event is self-imposed, in that the FBI is turning off servers which they could leave running a bit longer to avoid “Monday’s Malware Meltdown.” Note: I’m writing this article on Saturday, July 7, and the courts could still order more time before the FBI turns off the servers.

Indeed, I could argue this "hold off a bit longer" point from either side, and there are polls which ask if the FBI should allow more time. Almost 90% of those taking the survey think it is time for the FBI to pull the workaround plug – and several good articles give reasons why.

All signals point to an event Monday that will impact a few thousand people who haven’t been paying attention but not the majority of us. I will be shocked if any major U.S. companies are paralyzed or out of business on Monday morning because of DNSChanger malware problems.

How Should We Prepare?

I like the tone of National Public Radio (NPR), which led with the headline: Malware Monday Just Another Day on the Internet for Most of Us.

The article begins, “Beware of Malware Monday on the Internet, but don’t be too concerned.”

If you still want to check your PC’s status, visit www.dcwg.org or, even easier, www.dns-ok.us.
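The two sites above test the resolver you are actually using by answering a DNS lookup. An enterprise that wants to sweep many hosts without relying on a web page can instead inspect each host’s resolver configuration and compare the configured nameservers against the rogue-resolver ranges it has been given. The script below is an added illustration of that offline check; it is not code from the author, DCWG, or the FBI. It assumes the `/etc/resolv.conf` format for configured nameservers, and the CIDR entries in `ROGUE_RANGES` are placeholders (documentation-only address blocks), not the real DNSChanger ranges, which an operator would take from the published DCWG/FBI list.

```python
"""Flag configured DNS resolvers that fall inside operator-supplied rogue ranges.

Added example, not code from the post's author, DCWG or the FBI.
Assumptions: resolv.conf syntax for nameserver entries; ROGUE_RANGES holds
PLACEHOLDER networks, to be replaced with the published rogue-resolver list.
"""
import ipaddress
import re

# PLACEHOLDER ranges (RFC 5737 documentation blocks), standing in for the
# published list of rogue resolver addresses. Replace with the real list.
ROGUE_RANGES = [ipaddress.ip_network(c) for c in ("192.0.2.0/24", "198.51.100.0/24")]

# Constructed sample resolv.conf contents; not captured from any real host.
SAMPLE_RESOLV_CONF = """\
# Generated by a hypothetical network manager
search example.internal
nameserver 10.0.0.53
nameserver 198.51.100.7   ; second resolver, sits inside a placeholder range
options timeout:2
"""


def parse_nameservers(text):
    """Return the IP addresses named by 'nameserver' lines in resolv.conf text.

    Both '#' and ';' start a comment. Malformed addresses are skipped rather
    than raising, so one bad line does not abort a fleet-wide sweep.
    """
    servers = []
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0].lower() != "nameserver" or len(parts) < 2:
            continue
        try:
            servers.append(ipaddress.ip_address(parts[1]))
        except ValueError:
            continue
    return servers


def flag_rogue(servers, rogue_ranges=ROGUE_RANGES):
    """Return (server, range) pairs for every server inside a rogue range.

    `address in network` is False when the IP versions differ, so mixed
    IPv4/IPv6 lists are handled without special casing.
    """
    hits = []
    for server in servers:
        for net in rogue_ranges:
            if server in net:
                hits.append((str(server), str(net)))
                break
    return hits


def check_resolv_conf(text, rogue_ranges=ROGUE_RANGES):
    """Parse resolv.conf text and report all nameservers plus any rogue hits."""
    servers = parse_nameservers(text)
    return {
        "nameservers": [str(s) for s in servers],
        "rogue": flag_rogue(servers, rogue_ranges),
    }


def check_host(path="/etc/resolv.conf", rogue_ranges=ROGUE_RANGES):
    """Run the check against a real host's resolver configuration file."""
    with open(path, encoding="utf-8") as handle:
        return check_resolv_conf(handle.read(), rogue_ranges)


if __name__ == "__main__":
    # Run against the constructed sample so the script works offline.
    report = check_resolv_conf(SAMPLE_RESOLV_CONF)
    for server, net in report["rogue"]:
        print(f"WARNING: resolver {server} is inside rogue range {net}")
    if not report["rogue"]:
        print("No configured resolver matched a rogue range.")
```

A resolver in a rogue range means the host is still relying on the replacement servers and will lose name resolution when they are switched off; the remediation is to point the host at a known-good resolver (for example, the ISP’s or the enterprise’s own) and then look for the malware that changed the setting. Hosts whose DNS settings are handed out by a compromised home router will show a router address here rather than a rogue one, so this check complements, rather than replaces, the lookup-based test at www.dns-ok.us.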

In Michigan government, we have been working this problem since last year, and we have been coordinating action with the FBI and MS-ISAC – like most state and local governments. We also sent out notices to our customers and agency public information officers (PIOs) about the situation and what to do in the event of a problem on Monday. We believe that we are ready.  

What Can We Learn From Malware Monday?

I'm taking a bit of a chance by writing lessons learned about an upcoming event that hasn’t even played out yet, but I believe that I can safely mention some items. I am making a few assumptions about what will likely happen, specifically that some people will lose Internet access, but most people will be fine online.

Nevertheless, here are seven enterprise takeaways from the handling of the overall DNSChanger situation:

1) DON’T be a laggard regarding known Internet fixes. Follow industry guidelines and accepted practices in resolving malware and you won’t have to worry about these fix deadlines. (Most companies resolved this issue many months ago and are not very concerned about this Monday.)

2) Workarounds may still be around (and last) longer than you think. Ask the FBI, who wanted to turn off their “temporary fix” back in March. These types of situations come up fairly often in large enterprises, especially if we are supporting legacy systems and older technology.

3) Beware public decrees of “Internet Doomsdays.” Cut back on internal FUD, where possible. Over time, these global pronouncements sound as if we are crying wolf, if we are not careful. Indeed, many of our customers already believe that we declare a crisis multiple times a year. They are starting to yawn.

4) DON’T over-react to headlines and claims. Do your homework. How will this affect your enterprise? Coordinate with all relevant parties to understand roles and responsibilities.

5) DO use well-researched facts to calmly deliver timely messages to customers when needed. Help them understand the ramifications at both home and work. What can they do to resolve the situation? How can they prepare? What are you doing? What’s next?

6) DO communicate in informal and formal ways. Become a trusted partner who can decipher scary headlines for users. Make lemonade out of the lemons. Use the front-page stories to get your key messages out – while everyone is hearing about these topics on the front pages of USA Today and the Washington Post and on TV.

7) DO test plans, run exercises, use scenario planning and more to be ready in case the “what if” worst case does happen. Are you truly prepared for outages, disasters and more? Talk to your teams about the various options and solutions.

In conclusion, I like this quote from Zig Ziglar: “Expect the best. Prepare for the worst. Capitalize on what comes.”


UPDATE: Monday, July 9, 2012 at 7 AM (EST) - So far there have been minimal reported disruptions online related to Malware Monday and DNSChanger. We are still too early for final judgments, but so far so good regarding the Internet's overall functioning. There continue to be scary headlines and articles being displayed this morning from global news organizations and newspapers, such as Malware on Monday Update: Internet Service Providers brace for shutdown calls. Top searches continue to lead to this article from July 6, from the United Kingdom: Could the Internet Really Shut Down?  


UPDATE: Monday, July 9, 2012 at 6 PM (EST) - As expected, reports of impacts on the Internet from Malware Monday have been minimal - even a bit less than I anticipated overall. ISPs are playing down any service disruptions that have been experienced by their customers. It is now clear that the doomsday scenarios were hype regarding DNSChanger. Yes, the threats successfully received global press attention, but these widespread headlines may cause future (real) Internet alarms to be ignored. I certainly stand behind the above "lessons learned" - with even more conviction now.  


FINAL UPDATE: Tuesday, July 10, 2012 at 6 AM (EST) - Malware Monday officially ended a few hours ago, and the LATimes reported that the DNSChanger malware may have affected about 47,000 Americans, who had difficulty connecting to the Internet. The news surrounding the event was mostly hype, according to many news sources. Time to move on to new topics.

Dan Lohrmann, Chief Security Officer & Chief Strategist at Security Mentor Inc.

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.

During his distinguished career, he has served global organizations in the public and private sectors in a variety of executive leadership capacities, receiving numerous national awards including: CSO of the Year, Public Official of the Year and Computerworld Premier 100 IT Leader.
Lohrmann led Michigan government’s cybersecurity and technology infrastructure teams from May 2002 to August 2014, including enterprisewide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan.

He currently serves as the Chief Security Officer (CSO) and Chief Strategist for Security Mentor Inc. He is leading the development and implementation of Security Mentor’s industry-leading cyber training, consulting and workshops for end users, managers and executives in the public and private sectors. He has advised senior leaders at the White House, National Governors Association (NGA), National Association of State CIOs (NASCIO), U.S. Department of Homeland Security (DHS), federal, state and local government agencies, Fortune 500 companies, small businesses and nonprofit institutions.

He has more than 30 years of experience in the computer industry, beginning his career with the National Security Agency. He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US/UK military facility.

Lohrmann is the author of two books: Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD for You: The Guide to Bring Your Own Device to Work. He has been a keynote speaker at global security and technology conferences from South Africa to Dubai and from Washington, D.C., to Moscow.

He holds a master's degree in computer science (CS) from Johns Hopkins University in Baltimore, and a bachelor's degree in CS from Valparaiso University in Indiana.

Follow Lohrmann on Twitter at: @govcso
