Why computers infected with DNSChanger could lose Internet access
- By William Jackson
- Feb 22, 2012
A court order giving the FBI temporary power to operate a group of rogue Domain Name System servers used in a criminal click-jacking operation will expire March 8. If those servers go offline as expected, computers still infected with malware directing DNS requests to those addresses will be effectively cut off from the internet.
This gives administrators and home PC owners two more weeks to identify and remove DNSChanger malware that infected as many as 4 million computers in more than 100 countries. The FBI estimates that there were 500,000 infections in the United States.
The shutdown of the international click-jacking ring took place in November with the arrest of six Estonians who were charged with Internet fraud. They are accused of using DNSChanger to direct DNS queries to their own servers, which directed traffic to malicious Web sites. To protect the online access of infected computers, the FBI received a federal court order to continue operating the servers for 120 days.
FBI busts clickjacking ring, but could the crime have been prevented?
SOPA undercuts Internet security, experts say; lawmakers float alternative
“It provided a workaround that is about to go away,” said Brian Jacobs, senior product manager for Ipswitch's Network Management Division. The 120-day window gave time to remove the malware so that queries would be sent to legitimate DNS servers by the time the rogues are shut down. If the window is not extended by the court, those who ignore the opportunity will be out of luck.
The question now is how many computers remain infected? Although researchers claim to have found widespread infections remaining—security company Internet Identity has said it found evidence of at least one DNSChanger infection on half of all Fortune 500 companies and 27 major government organizations — there are no numbers that can be counted on.
“I would suspect probably the majority have been remediated,” Jacobs said.
But nobody believes that all have been fixed, and some users will be in for a rude awakening on March 8.
“If they do shut off the servers, there will be an impact,” said Mark Beckett, a marketing vice president at Secure64. Those impacted will have no one to blame but themselves, he said. “There are tools available to remove the Trojan.”
The criminals began using DNSChanger in 2007 and by using it to redirect traffic and manipulate online advertising were able to generate at least $14 million in illicit fees. In some cases the malware would also block security updates, preventing antivirus software from finding and removing the infection.
When the ring was busted it was necessary to protect the victims who were relying on the rogue servers for DNS services. The Internet Systems Consortium, a non-profit organization that operates the F-Root, one of 13 root DNS servers on the Internet, was named receiver to operate the servers for 120 days. This provided breathing space, but it remains up to administrators and owners to remove the infections.
The IP addresses of the rogue servers scheduled to be shut down are:
- 188.8.131.52 through 184.108.40.206
- 220.127.116.11 through 18.104.22.168
- 22.214.171.124 through 126.96.36.199
- 188.8.131.52 through 184.108.40.206
- 220.127.116.11 through 18.104.22.168
- 22.214.171.124 through 126.96.36.199
The FBI has provided information on DNSChanger with instructions for determining if a computer is infected. Up-to-date virus scans should be able to detect and fix infections. Users also can check DNS settings to see if they are being directed to one of the rogue server addresses. Network traffic also can be monitored to identify requests that are being sent to these addresses.
“Shame on any network that hasn’t gotten with the program at this late date,” said Jacobs.
Some observers argue that the court order should be extended until infections are cleaned up. Others point out that some infections never are remediated until administrators are forced, and that shutting down the rogue servers is an appropriate way to force their hands.
Whether you agree or disagree, it would serve you well to determine by March 8 whether any computers under your control are infected with DNSChanger.
William Jackson is freelance writer and the author of the CyberEye blog.