Why computers infected with DNSChanger could lose Internet access

A court order giving the FBI temporary power to operate a group of rogue Domain Name System servers used in a criminal click-jacking operation will expire March 8. If those servers go offline as expected, computers still infected with malware directing DNS requests to those addresses will be effectively cut off from the internet.

This gives administrators and home PC owners two more weeks to identify and remove DNSChanger malware that infected as many as 4 million computers in more than 100 countries. The FBI estimates that there were 500,000 infections in the United States.

The shutdown of the international click-jacking ring took place in November with the arrest of six Estonians who were charged with Internet fraud. They are accused of using DNSChanger to direct DNS queries to their own servers, which directed traffic to malicious Web sites. To protect the online access of infected computers, the FBI received a federal court order to continue operating the servers for 120 days.

“It provided a workaround that is about to go away,” said Brian Jacobs, senior product manager for Ipswitch's Network Management Division. The 120-day window gave time to remove the malware so that queries would be sent to legitimate DNS servers by the time the rogues are shut down. If the window is not extended by the court, those who ignore the opportunity will be out of luck.

The question now is how many computers remain infected. Although researchers claim to have found widespread infections remaining (security company Internet Identity has said it found evidence of at least one DNSChanger infection at half of all Fortune 500 companies and in 27 major government organizations), there are no numbers that can be counted on.

“I would suspect probably the majority have been remediated,” Jacobs said.

But nobody believes that all have been fixed, and some users will be in for a rude awakening on March 8.

“If they do shut off the servers, there will be an impact,” said Mark Beckett, a marketing vice president at Secure64. Those impacted will have no one to blame but themselves, he said. “There are tools available to remove the Trojan.”

The criminals began using DNSChanger in 2007, and by using it to redirect traffic and manipulate online advertising they were able to generate at least $14 million in illicit fees. In some cases the malware would also block security updates, preventing antivirus software from finding and removing the infection.

When the ring was busted it was necessary to protect the victims who were relying on the rogue servers for DNS services. The Internet Systems Consortium, a non-profit organization that operates the F-Root, one of 13 root DNS servers on the Internet, was named receiver to operate the servers for 120 days. This provided breathing space, but it remains up to administrators and owners to remove the infections.

The IP addresses of the rogue servers scheduled to be shut down are:

  • 85.255.112.0 through 85.255.127.255
  • 67.210.0.0 through 67.210.15.255
  • 93.188.160.0 through 93.188.167.255
  • 77.67.83.0 through 77.67.83.255
  • 213.109.64.0 through 213.109.79.255
  • 64.28.176.0 through 64.28.191.255

The FBI has provided information on DNSChanger with instructions for determining if a computer is infected. Up-to-date virus scans should be able to detect and fix infections. Users also can check DNS settings to see if they are being directed to one of the rogue server addresses. Network traffic also can be monitored to identify requests that are being sent to these addresses.
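The two checks described above (DNS settings and outbound traffic) can be automated against the published ranges. The following script is an added example and is not part of the article or of any FBI tool; it assumes resolver settings in resolv.conf style text and a constructed flow-log format of `timestamp src dst dport`. On Windows the same membership test applies to the DNS servers shown by `ipconfig /all`.

```python
import ipaddress

# The rogue DNS server ranges listed in the article (first address through last).
ROGUE_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]

# Turn each "first through last" range into CIDR networks once, so that
# membership tests are cheap.
ROGUE_NETWORKS = [
    net
    for first, last in ROGUE_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    )
]


def is_rogue(ip: str) -> bool:
    """True if the address lies inside one of the rogue DNS server ranges."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except ValueError:  # not an IPv4 literal (hostname, IPv6, garbage)
        return False
    return any(addr in net for net in ROGUE_NETWORKS)


def check_resolvers(resolv_conf: str) -> list:
    """Return the nameserver entries in resolv.conf-style text that point at a
    rogue range. The input format is an assumption of this example."""
    hits = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver" and is_rogue(parts[1]):
            hits.append(parts[1])
    return hits


def scan_flow_log(lines) -> list:
    """Return (src, dst) pairs for port-53 flows sent to rogue addresses.

    Log line format (constructed for this example): 'timestamp src dst dport'.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash
        _, src, dst, dport = parts
        if dport == "53" and is_rogue(dst):
            hits.append((src, dst))
    return hits


# Constructed sample inputs.
SAMPLE_RESOLV_CONF = """\
# resolv.conf as a DNSChanger infection might leave it (constructed sample)
nameserver 85.255.116.33
nameserver 192.168.1.1
"""

SAMPLE_FLOW_LOG = [
    "2012-02-23T10:00:01 192.168.1.20 192.168.1.1 53",
    "2012-02-23T10:00:02 192.168.1.21 93.188.161.9 53",
    "2012-02-23T10:00:03 192.168.1.21 93.188.161.9 80",
    "2012-02-23T10:00:04 192.168.1.22 213.109.80.1 53",
    "garbage line",
]

if __name__ == "__main__":
    print("rogue resolvers:", check_resolvers(SAMPLE_RESOLV_CONF))
    print("rogue DNS flows:", scan_flow_log(SAMPLE_FLOW_LOG))
```

The range-to-CIDR conversion is done once at import time; each of the six published ranges happens to align to a single prefix, but `summarize_address_range` would also handle ranges that do not. Non-DNS traffic to a rogue address (the port-80 line) is deliberately ignored here, and an address just outside a range (213.109.80.1) is correctly not flagged.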

“Shame on any network that hasn’t gotten with the program at this late date,” said Jacobs.

Some observers argue that the court order should be extended until infections are cleaned up. Others point out that some infections never are remediated until administrators are forced, and that shutting down the rogue servers is an appropriate way to force their hands.

Whether you agree or disagree, it would serve you well to determine by March 8 whether any computers under your control are infected with DNSChanger.

Reader Comments

Fri, Feb 24, 2012 fedgirl Dallas

So well said, Atlanta. I am Federal IT, and this is the first that I have heard of it. When my home computer started having problems back in December, I searched the internet for possible new malware and this was not even mentioned. Looks like the FBI also did a good job of hiding it. And, I certainly DO NOT lack internet security.

Thu, Feb 23, 2012 DJB Denver

Why wait? Turn 'em off now and give all the compromised systems that much more time to fix the problem.

Thu, Feb 23, 2012 fritz

This article should have been published on the 9th of March and not today. Alerting these rogue DNS servers that their addresses will be blocked on the 8th of March today is useless. I just read recently about one rogue trojan horse site that changed its IP address 2,500 times in one day. A Predator missile would make a permanent change in network traffic from these rogue sites.

Thu, Feb 23, 2012 Atlanta

"Those impacted will have no one to blame but themselves." What? This is the first I've ever heard of it! Lucky I noticed this article in my GCN update E-mail so I could get the instructions on how to check for it.

Wed, Feb 22, 2012 kalihto

With the absence of internet security.
