How the DNSChanger malware works

Monday, 9 July, was supposed to be 'Internet Doomsday', the day the US Federal Bureau of Investigation (FBI) was to shut down servers associated with the DNSChanger malware. As a result, computers infected with this threat were to be cut off from the Internet.

According to an IDG report, the FBI estimated that only 41,800 computers remained infected by DNSChanger as of Sunday night, and some Internet service providers have been offering their own solutions to keep customers online.

So far, the cutoff day has been free of catastrophes, IDG reports. We asked Eugene Teo, manager, security response, at Symantec, about this malware and how it was going to affect computers in Asia.

FBI will shut down servers associated with the DNSChanger malware. Will this affect servers and computers in the Asia Pacific region?

Yes, it will. According to the DNSChanger Working Group (DCWG), globally there are at least 210,851 unique Internet protocol (IP) addresses as of 8 July 2012, of which 619 are from Singapore, still being redirected to the rogue DNS servers now being controlled by the FBI. Our research has found the DNSChanger malware to affect computer systems operating on Windows and Mac only. It is also worth noting that the volume of "unique IPs talking to the clean DNS servers" undercounts the total number of infections, while the estimates built around unique browser IDs demonstrate a higher total infection count.

While it seems as if FBI has rectified the issue, shutting down the temporary server is only a temporary measure. Once that happens, computers that are still compromised will lose connectivity to the Internet in its entirety. In other words, infected PCs and servers will no longer be able to connect to any websites.

How serious is this threat? Why does FBI want to take this extreme step? And does FBI, a US federal government agency, have the authority to do it at a global level?

While we're unable to determine FBI's motivation, the fact that there are globally at least 210,851 unique IP addresses still being redirected to the rogue DNS servers indicates that many users have a chance of experiencing complete Internet outage if they remain unaware of this infection.

Can you tell us a little about the DNSChanger malware? What about its origins and what does it do?

DNSChanger is a malware that changes the Domain Name System (DNS) settings on the compromised computer. Beginning in 2007, the cyber ring responsible for DNSChanger operated under the company name "Rove Digital" and used the malware to manipulate users' Web activity by redirecting unsuspecting users to rogue DNS servers hosted in Estonia, New York, and Chicago. In some cases, the malware had the additional effect of preventing users' anti-virus software and operating systems from updating, thereby exposing infected machines to even more malicious software.

The FBI has since seized the rogue DNS servers and the botnet's command-and-control (C&C) servers as part of Operation Ghost Click, and the servers are now under its control. To assist victims affected by DNSChanger, the FBI obtained a court order authorising the Internet Systems Consortium (ISC) to deploy and maintain temporary legitimate DNS servers, replacing the Rove Digital malicious network. As mentioned earlier, this is by no means a permanent solution and does not remove malware from infected systems; it just provides additional time for victims to clean affected computers and restore their normal DNS settings. According to the court order, which expired on 9 July 2012, the clean DNS servers will be turned off and computers still infected by DNSChanger malware may lose Internet connectivity.

To put this into perspective, DNS is an Internet service that converts user-friendly domain names into the numerical IP addresses that computers use to talk to each other. When you enter a domain name into your Web browser address bar, your computer contacts DNS servers to determine the IP address for the website you are intending to visit. Your computer then uses this IP address to locate and connect to the website. DNS servers are operated by your Internet service provider (ISP) and are included in your computer's network configuration.

This figure shows how DNS works.

With the ability to change a computer's DNS settings, malware authors can control what websites a computer connects to on the Internet and can force a compromised computer to connect to a fraudulent website or redirect the computer away from an intended website. To do that, a malware author needs to compromise a computer with malicious code, which in this case is DNSChanger. Once the computer is compromised, the malware modifies the DNS settings from the ISP's legitimate DNS server's address to the rogue DNS server's address, in this case, advertisement websites.

This figure shows how the DNSChanger malware works.

What can individuals or companies do to avoid facing an Internet blackout?

A task force has been created, called the DNSChanger Working Group (DCWG), to help people determine if their computers have been compromised by this threat and to also help them remove the threat.

Users can go to the DNS Changer Check-Up page, maintained by the DCWG, to determine whether their computer is compromised or not. There are other pages in various languages maintained by other organisations listed on the DCWG's Detect page. Various organisations are proactively informing users that their computers are compromised by DNSChanger. The FBI has also put together instructions on how to determine manually if a computer has been compromised or not.

If users suspect that their system may have been compromised, they can use Norton Power Eraser, a free tool from Symantec to further analyse and remove any malware on their PCs.

Symantec customers can also refer to the following instructions (for the full details, please visit here), applicable to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines:

i. Disable System Restore.

ii. Update the virus definitions.

iii. Run a full system scan.

iv. Delete any values added to the registry.

v. Delete the entries added to the RAS phonebook file.

In addition, for home users, Symantec offers a free public DNS service called Norton ConnectSafe that combines a reliable Web browsing experience with basic security features integrated. Users can activate Norton ConnectSafe by setting their DNS server addresses to the Norton DNS servers. For the full details, please visit here.
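The manual check the FBI and DCWG describe comes down to reading the resolver addresses a machine is configured with and comparing them against the published rogue DNS ranges. The script below is an added example, not part of the interview or any Symantec or DCWG tool: it parses a Unix/Mac resolv.conf or a Windows ipconfig dump and flags resolvers inside a list of ranges. The ranges and the sample configurations are constructed placeholders, not the real DNSChanger indicators.

```python
import ipaddress
import re

# Placeholder ranges, constructed for this example. Substitute the rogue
# DNS server ranges published by the FBI/DCWG; these are NOT the real ones.
ROGUE_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/25")]

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample inputs: a Unix/Mac resolv.conf and a Windows ipconfig dump.
SAMPLE_RESOLV_CONF = """# constructed /etc/resolv.conf
nameserver 192.0.2.53
nameserver 203.0.113.7
"""
SAMPLE_IPCONFIG = """Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 192.0.2.10
   DNS Servers . . . . . . . . . . . : 198.51.100.9
                                       192.0.2.53
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

def parse_resolvers(config_text):
    """Collect resolver IPs from 'nameserver X' lines (resolv.conf) or from a
    'DNS Servers ... : X' line plus its indented continuation lines (ipconfig)."""
    servers, in_dns_block = [], False
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith(("nameserver", "DNS Servers")):
            in_dns_block = stripped.startswith("DNS Servers")
            match = IPV4.search(stripped)
            if match:
                servers.append(match.group(1))
        elif in_dns_block and IPV4.fullmatch(stripped):
            servers.append(stripped)  # ipconfig continuation line: bare address
        else:
            in_dns_block = False
    return servers

def flag_rogue(servers, rogue_ranges=ROGUE_RANGES):
    """Map each resolver to the rogue network it falls in, or None if clean."""
    verdict = {}
    for server in servers:
        addr = ipaddress.ip_address(server)
        hit = next((net for net in rogue_ranges if addr in net), None)
        verdict[server] = str(hit) if hit else None
    return verdict

def check(config_text):
    """Return only the resolvers that fall inside a rogue range."""
    return {ip: net for ip, net in flag_rogue(parse_resolvers(config_text)).items() if net}

if __name__ == "__main__":
    for name, text in (("resolv.conf", SAMPLE_RESOLV_CONF), ("ipconfig", SAMPLE_IPCONFIG)):
        print(name, "->", check(text) or "no rogue resolver found")
```

A resolver that matches is a symptom, not a fix: the malware must still be removed and the DNS settings restored to the ISP's or a trusted public resolver, as the instructions above describe.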

Eugene Teo is manager, security response, at Symantec.


Copyright © 2012 IDG Communications, Inc.