Recently, information security news outlets reported that the U.S. Federal Bureau of Investigation (FBI) will shut down the domain name servers (DNS, see Note 1) associated with the DNSChanger botnet on July 9. What is the impact of this incident on Internet users? The Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) would like to give some background information on DNSChanger, methods to detect infection, and solutions so that affected users can handle it in time.
The DNSChanger botnet malware has more than 2000 variants (Ref. 1). It is estimated that there are over four million infected computers worldwide, spread across more than 100 countries. The botnet was allegedly operated by an Estonian IT company called "Rove Digital" from 2007 until the masterminds of the cybercrime ring were arrested in 2011 (Ref. 2).
What is the impact of a DNSChanger infection?
DNSChanger malware primarily spread when a user visited a particular website or downloaded online video viewer software and became infected. The malware secretly alters the DNS settings on the infected computer to point to DNS servers set up by the cybercrime ring, giving the ring complete control over which IP addresses domain names resolve to. The ring could therefore use the DNSChanger botnet to route users to specific websites without their knowledge, including replacing the advertisements on pages users load in order to generate click-fraud revenue, or to implant other malicious software.
Why is it July 9?
In November 2011, in "Operation Ghost Click" (Reference 3), the FBI successfully shut down the DNSChanger botnet. So that infected computers would not lose their Internet connection immediately, a court order authorized the FBI to set up a number of temporary DNS servers to maintain DNS service for the victims while they resolved the problem within 120 days. This order expires on July 9, 2012. If the FBI closes these temporary DNS servers as scheduled, several million DNSChanger bots worldwide will be unable to connect to the Internet. To handle this problem properly, we must help the victims clean up the malware as soon as possible.
Am I affected?
The DNSChanger malware can infect Microsoft Windows and Apple Mac OS X operating systems. It also attempted to log in to small office and home broadband routers using the default login name and password, and changed their DNS settings. To check whether your computer or broadband router is affected, you can use the following two methods:
Method 1 – Use the DCWG EyeChart:
Open a web browser (e.g. Internet Explorer, Firefox, Chrome or Safari) and access the testing site provided by the DNS Changer Working Group (DCWG) (Ref. 3):
If the test result is green, your DNS settings are normal.
If the test result is red, your computer's or broadband router's DNS server setting points to a known rogue server. It is recommended to follow the instructions in "How to deal with the infected computer and broadband router" for a detailed examination.
To check the DNS server IP address used by your broadband router, please refer to the documentation provided by the vendor.
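The red/green EyeChart result boils down to one check: are the resolver addresses configured on the machine or router inside a known rogue range? The following script, an added example that is not part of the HKCERT advisory, performs that check offline on pasted "ipconfig /all" (Windows) or resolv.conf (Mac OS X) output. The rogue ranges shown are hypothetical placeholders (RFC 5737 documentation addresses); the advisory lists no addresses, so substitute the ranges published by the DCWG.

```python
import ipaddress
import re

# Placeholder ranges (hypothetical documentation addresses): the advisory gives no
# resolver addresses, so replace these with the rogue ranges published by the DCWG.
ROGUE_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

_RESOLV_RE = re.compile(r"^\s*nameserver\s+(\S+)")            # resolv.conf (Mac OS X)
_IPCONFIG_RE = re.compile(r"^\s*DNS Servers[ .]*:\s*(\S+)")   # 'ipconfig /all' (Windows)
_BARE_IP_RE = re.compile(r"^\s+([0-9a-fA-F.:]+)\s*$")        # indented continuation address


def extract_dns_servers(text: str) -> list[str]:
    """Collect resolver addresses from resolv.conf or 'ipconfig /all' output."""
    servers = []
    in_dns_block = False  # lines after 'DNS Servers' may hold further addresses
    for line in text.splitlines():
        m = _RESOLV_RE.match(line) or _IPCONFIG_RE.match(line)
        if m:
            servers.append(m.group(1))
            in_dns_block = bool(_IPCONFIG_RE.match(line))
            continue
        m = _BARE_IP_RE.match(line) if in_dns_block else None
        if m:
            servers.append(m.group(1))
        else:
            in_dns_block = False
    return servers


def rogue_servers(text: str, ranges=ROGUE_RANGES) -> list[str]:
    """Return the configured resolvers that fall inside a known-rogue range."""
    flagged = []
    for s in extract_dns_servers(text):
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:  # skip anything that is not a plain IP address
            continue
        if any(addr in net for net in ranges):
            flagged.append(s)
    return flagged


# Constructed sample output (not captured from a real machine).
SAMPLE_IPCONFIG = """\
   DNS Servers . . . . . . . . . . . : 192.0.2.53
                                       10.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
SAMPLE_RESOLV = "# constructed\nnameserver 10.0.0.1\nnameserver 10.0.0.2\n"
```

Calling rogue_servers(SAMPLE_IPCONFIG) flags 192.0.2.53 (inside the placeholder range) while the resolv.conf sample comes back clean; a non-empty result is the offline equivalent of a red EyeChart.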
How to deal with the infected computer and broadband router?
- Restore the DNS setting of the infected computer so that it obtains DNS servers automatically. Please contact your ISP or your company's IT administrators for assistance.
- A computer infected with DNSChanger malware may be prevented from updating its operating system and security software databases. This reduces its protection and may allow infection by other malware, so you must perform a complete malware scan of your computer.
  Microsoft Windows: You can use the free online malware scanners listed on the HKCERT website to check and clean up your computer.
  Apple Mac OS X: You can install the following free malware scanner to check and clean up your computer.
- After cleaning up, use the test method above again to confirm that the domain name server settings are normal.
- For an affected broadband router, follow the documentation provided by the vendor to reset the DNS server settings and change the password of the default administrator account.
Note 1: DNS (Domain Name System) is a distributed database that maps domain names to IP addresses and back, making it more convenient for people to access the Internet without having to remember complicated, unfriendly IP addresses.