DNSChanger: How To See If You’re Infected, How To Fix It If You Are.
On Monday, July 9th, the FBI will shut down the substitute DNS servers that hundreds of thousands of computers infected with a Trojan known as DNSChanger still depend on for name resolution. Even if your own computer is clean, companies that still have compromised systems on their networks will see those systems drop offline, hindering their ability to do business and possibly breaking their websites, in what many are referring to as “Internet Doomsday.”
In November 2011, the FBI (together with international cyber crime agencies) identified and located a ring of cyber criminals that had infected more than four million computers across the world with a Trojan known as DNSChanger. According to the FBI’s webpage about this malware (www.fbi.gov/news/stories/2011/november/malware_110911), “DNSChanger was used to redirect unsuspecting users to rogue servers controlled by the cyber thieves, allowing them to manipulate users’ web activity.”
Systems infected with DNSChanger had their DNS settings rewritten to point at servers controlled by the crime ring, so every name lookup those systems made was answered by the criminals. The Trojan redirected unsuspecting users to fraudulent websites, which in many cases resulted in users providing personal information or credit card numbers to websites they thought were legitimate. It interfered with web browsing and in some cases prevented infected PCs from downloading anti-virus and operating system updates, leaving them vulnerable to other viruses and spyware.
Once the rogue DNS servers were found and seized, the FBI faced a daunting challenge. Take them offline and millions of systems would lose name resolution, and with it effectively all access to the internet, causing widespread damage to online commerce and business functionality. Instead, they set up temporary replacement servers at the same addresses, which allowed infected computers to keep functioning, in the hope that users would clean the Trojan off their systems before the temporary servers go offline on July 9th.
To a certain extent, this plan worked. According to the DNSChanger Working Group, or DCWG (http://www.dcwg.org), the number of infected systems has declined from over 4 million to just over 300,000 worldwide. However, since the DCWG counts infections by IP address and not by individual system, the real number could be higher. Brian Krebs of “Krebs on Security” (http://krebsonsecurity.com) states in his blog, “Because many systems that are on the same local network often share the same IP address, the actual number of DNSChanger-infected machines is probably quite a bit higher than 300,000.” In May, Google used cookies set on infected machines to estimate that the number is more than 500,000.
Perhaps more troublesome, a report by IID (Internet Identity) indicates that machines at 12% of Fortune 500 companies and 4% of government agencies are still infected with the malware (http://internetidentity.com/news/blog/686-iid-finds-12-of-fortune-500-still-infected-with-dnschanger#). When those systems lose name resolution on the 9th it will lead to lost productivity and may make it harder to service their customers.
Facebook and Google are sending notices to users that browse to their sites from a DNSChanger-infected computer. However, even if you haven’t been notified of an infection you shouldn’t breathe a sigh of relief and consider yourself in the free and clear.
When the FBI disables the temporary servers it will break infected systems’ access to the internet, but it will not remove the malware from those systems, and it will not put their DNS settings back. Take a few minutes to ensure that you’re not kicked offline on July 9th.
First, open your internet browser and go to www.dns-ok.us. If your system is infected you’ll see a red image with the words “DNS Resolution = RED.” A green image with “DNS Resolution = GREEN” means that your computer is looking up IP addresses through a server that is not one of the seized rogue addresses. Unfortunately, green isn’t necessarily an all-clear either. Some internet service providers have set up their own substitute servers that answer queries sent to the rogue DNS addresses, so their infected customers bypass the FBI’s servers entirely. This means that while you won’t lose access to the internet on the 9th, you may still be infected: a green result only proves that your lookups are being answered, not that your DNS settings are clean.
Next, if you don’t have a reputable antivirus software program installed on your system, get one. I like Microsoft Security Essentials (http://windows.microsoft.com/en-US/windows/products/security-essentials) because it scans for and protects against malware and viruses in one step. The DCWG’s website, www.dcwg.org, also offers a list of links to download software to rid your system of the Trojan.
Finally, make sure your anti-virus is up to date. You’d be surprised how many users cripple their anti-virus by not downloading updates regularly. Once it’s up to date, run a full scan to make sure you’re DNSChanger-free before finding out the hard way. After the scan, check your DNS settings once more: if the scanner removed the Trojan but left the settings pointing at the rogue addresses, you will still go dark on the 9th.
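Because an ISP’s substitute servers can turn the www.dns-ok.us test green on a machine that is still infected, the check that does not depend on who answers your queries is to look at the resolver addresses actually configured on the machine. The script below is an added example, not code from the original article or from the DCWG: it reads a resolv.conf-style resolver list (on Windows the equivalent addresses are the “DNS Servers” lines of `ipconfig /all`, which can be passed to `check_resolvers` by hand) and compares each address against the rogue server ranges the FBI published for DNSChanger. Those ranges are not quoted in the article above; they are taken from the FBI’s published list. The sample resolv.conf contents are constructed for the example and are not from a real machine.

```python
"""Flag DNS resolvers that sit in the DNSChanger rogue address ranges."""
import ipaddress
import os
import re

# Rogue DNS server ranges published by the FBI for DNSChanger, as (first, last)
# IPv4 addresses. These are the published check values, not data from the article.
ROGUE_DNS_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]

# Pre-compute integer bounds once so each lookup is a simple comparison.
_ROGUE_INTERVALS = [
    (int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi)))
    for lo, hi in ROGUE_DNS_RANGES
]

_NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def is_rogue_resolver(address):
    """Return True if `address` is an IPv4 address inside a known rogue range."""
    try:
        value = int(ipaddress.IPv4Address(address))
    except ValueError:
        # IPv6 or malformed input: DNSChanger rewrote IPv4 resolver settings only,
        # so anything that is not a valid IPv4 address cannot match a rogue range.
        return False
    return any(lo <= value <= hi for lo, hi in _ROGUE_INTERVALS)


def parse_resolv_conf(text):
    """Extract the nameserver addresses from resolv.conf-style text, in order."""
    return _NAMESERVER_RE.findall(text)


def check_resolvers(addresses):
    """Return the subset of `addresses` that point at DNSChanger rogue servers."""
    return [address for address in addresses if is_rogue_resolver(address)]


# Constructed sample (not from a real machine): a resolver list as DNSChanger
# would have rewritten it, pointing both nameservers into the 85.255.112.0/20 range.
SAMPLE_RESOLV_CONF = """\
# constructed example resolv.conf
nameserver 85.255.112.10
nameserver 85.255.113.25
search example.invalid
"""


def main():
    # Use the live resolver file when there is one, otherwise the constructed sample.
    if os.path.exists("/etc/resolv.conf"):
        with open("/etc/resolv.conf") as handle:
            text = handle.read()
        source = "/etc/resolv.conf"
    else:
        text, source = SAMPLE_RESOLV_CONF, "constructed sample"
    resolvers = parse_resolv_conf(text)
    rogue = check_resolvers(resolvers)
    print(f"resolvers from {source}: {resolvers}")
    if rogue:
        print(f"DNS Resolution = RED: rogue resolver(s) {rogue}")
    else:
        print("DNS Resolution = GREEN for these resolver addresses")


if __name__ == "__main__":
    main()
```

A loopback address such as 127.0.0.1 in the resolver list means a local stub or caching resolver is in front of the real upstream; in that case the upstream addresses it forwards to (or the DNS servers handed out by your router) are what need to be compared against the ranges. A clean result here still does not replace the anti-virus scan, which is what actually removes the Trojan.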
Still worried that your system is part of a malware-infected bot net? Get in touch with us at www.callnerds.com/nerdchick
Check out the news coverage about DNSChanger on KRCR News Channel 7 in Redding.