On March 8, 2012, Internet access for millions of users around the world will be forcibly shut down! This comes as a consequence of a virus that grew so big that it infected millions of computers and is still looming large!
The propagation of DNSChanger was no different from that of other malware. The malware authors learned early that by controlling a user's DNS servers, they could control and interfere with the user's Internet browsing habits. This was carried out by manipulating online ads through click jacking. The victims were unaware that their PCs had been compromised, or that the malware had left their PCs defenseless against a swarm of other viruses.
To understand how DNSChanger works, it helps to explore what DNS is and who the stakeholders are. The Domain Name System (DNS) is an Internet service that converts domain names into the numerical Internet Protocol (IP) addresses that computers use to communicate with each other. When you enter a domain name, for example http://www.india.gov.in, in the address bar of your browser, your computer contacts DNS servers to determine the IP address of the website. This IP address is then used to locate and connect to that website. DNS servers are operated by your ISP (Internet Service Provider), and their addresses are included in your PC's network configuration.
DNSChanger belongs to a class of malware that works in one of the two ways described below:
1. It alters the user's DNS server settings, replacing the ISP's legitimate DNS servers with rogue DNS servers operated by the criminals.
2. It targets Internet devices like routers or home gateways. If the device still uses its factory-set password, which is usually easy to break, then the chances are high that the malware can infect the whole network by changing the DNS settings inside the router as well.
The malware also prevents your PC from obtaining operating system and anti-malware updates, both of which are crucial for protecting your PC from cyber threats. This further widens the door to more malware attacks.
When the FBI cracked down on this botnet, approximately 4 million PCs in more than 100 countries had been compromised. The criminals had managed to mint $14 million in illicit fees! The replacement servers provided by the FBI were never meant to remove the malware, or the other nefarious viruses it may have let in, from infected computers. Their sole purpose was to ensure that users did not lose DNS service.
Over half of the Fortune 500 companies and 27 out of 55 government entities have at least one PC or router still infected with DNSChanger, which translates to about 500,000 live infections! Our malware team has reported over 70 variants of the DNSChanger malware and thousands of positive cases in India alone.
Before the panic sets in, it is wise to understand the ways in which you can deal with this issue. First, the DNSChanger malware must be removed from the affected system(s). Take a backup of all important data and then remove the malware using good antivirus software.
Once this has been done, the DNS settings on all affected devices must be set back to their correct values. You can ask your ISP for the accurate DNS settings to use.
If a network has been affected, the DNS settings on all PCs on that LAN should be rectified. There is no single sure fix for the malware: several tools will let you change the DNS settings on a PC, but the rogue entries still remain in the router. To restore the settings in the router you will have to either consult your product manual or contact the manufacturer.
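The check behind the steps above, as an added example that is not part of the original post and not a tool from our malware team: a small Python audit that reads the resolvers a PC is actually using (from a Windows `ipconfig /all` excerpt or a Linux/Mac `/etc/resolv.conf`), compares them with the resolvers your ISP told you to use, and flags anything else. The ISP resolver addresses, the sample outputs and the "rogue" range are all constructed from RFC 5737 documentation addresses; the rogue range in particular is a placeholder for the ranges you would take from the FBI advisory or your CERT, and is not an indicator from this post.

```python
"""Audit a host's configured DNS resolvers against an allowlist and a denylist.

Added example (not part of the original post). All addresses and sample
outputs below are constructed; ROGUE_RANGES is a placeholder to be replaced
with the ranges published in the FBI DNSChanger advisory or by your CERT.
"""
import ipaddress
import re

# Constructed allowlist: the resolvers the ISP says it operates.
ISP_RESOLVERS = {"198.51.100.53", "198.51.100.54"}

# PLACEHOLDER denylist (constructed): replace with the published rogue DNS ranges.
ROGUE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed `ipconfig /all` excerpt from a Windows PC on the LAN.
IPCONFIG_SAMPLE = """\
Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.0.2.10(Preferred)
   Default Gateway . . . . . . . . . : 192.0.2.1
   DNS Servers . . . . . . . . . . . : 203.0.113.7
                                       198.51.100.53
"""

# Constructed /etc/resolv.conf from a Linux or Mac host on the same LAN.
RESOLV_CONF_SAMPLE = """\
# Generated by dhcpcd
nameserver 198.51.100.53
nameserver 198.51.100.54
search example.test
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# An ipconfig field label looks like "Some Label . . . : value"; continuation
# lines under "DNS Servers" carry a bare address and no label.
LABEL_RE = re.compile(r"^[A-Za-z][^:]*:\s")


def resolvers_from_ipconfig(text: str) -> list[str]:
    """Collect the IPv4 addresses listed under 'DNS Servers' in ipconfig /all output."""
    found, in_dns_block = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("DNS Servers"):
            in_dns_block = True
            found += re.findall(IPV4, stripped.split(":", 1)[1])
        elif in_dns_block and stripped and not LABEL_RE.match(stripped):
            found += re.findall(IPV4, stripped)   # continuation line
        else:
            in_dns_block = False
    return found


def resolvers_from_resolv_conf(text: str) -> list[str]:
    """Return the nameserver entries from a resolv.conf, ignoring comments."""
    found = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.append(parts[1])
    return found


def dhcp_enabled(ipconfig_text: str) -> bool:
    """True if the adapter got its settings (DNS included) from DHCP, i.e. from the router."""
    m = re.search(r"DHCP Enabled[ .]*:\s*(\w+)", ipconfig_text)
    return bool(m and m.group(1).lower() == "yes")


def classify(resolver: str) -> str:
    """Label one resolver: 'expected' (the ISP's), 'rogue' (in a known range) or 'unexpected'."""
    addr = ipaddress.ip_address(resolver)
    if resolver in ISP_RESOLVERS:
        return "expected"
    if any(addr in net for net in ROGUE_RANGES):
        return "rogue"
    return "unexpected"


def audit(resolvers: list[str]) -> dict[str, str]:
    """Map each configured resolver to its classification, in configuration order."""
    return {r: classify(r) for r in resolvers}


def needs_remediation(report: dict[str, str]) -> bool:
    """True if any resolver is not one of the ISP's: the settings must be restored."""
    return any(v != "expected" for v in report.values())


if __name__ == "__main__":
    win = audit(resolvers_from_ipconfig(IPCONFIG_SAMPLE))
    print("windows-pc", win, "REMEDIATE" if needs_remediation(win) else "ok")
    if needs_remediation(win) and dhcp_enabled(IPCONFIG_SAMPLE):
        print("  resolvers were handed out by DHCP: check the router's DNS settings too")
    nix = audit(resolvers_from_resolv_conf(RESOLV_CONF_SAMPLE))
    print("linux-host", nix, "REMEDIATE" if needs_remediation(nix) else "ok")
```

The DHCP check is the part worth keeping in mind for the router step: when "DHCP Enabled" is "Yes" and a bad resolver still shows up, the PC is only repeating what the router handed out, so fixing the PC alone will not hold until the router's own DNS entries are restored.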