Friday, July 06, 2012

Will DNSChanger take down your Internet access on Monday?

If you haven't heard of the DNSChanger malware, you probably aren't alone. That said, DNSChanger should concern you, at least enough to run a quick check.  Otherwise, your Internet access might go dark on Monday.

To understand the threat, you should first understand what DNS stands for. It stands for Domain Name System, and it's how your computer understands how to find where is. DNS translates that address into the IP address where it should actually go, and voilà, you can Google for something. To get the exact IP address of a site, though, your computer has to contact a DNS server.

That's how it's supposed to work. One can imagine, however, that if the DNS servers went rogue, you could end up anywhere.

And that's how DNSChanger does its deeds. DNSChanger is malware that changes an infected computer's DNS settings so that they point to rogue DNS servers, which send you to websites and ads that appear to be real, but actually aren't. In doing so, the malware writers could steal personal information from users as well as generate bogus ad revenue.

DNSChanger was discovered in 2007; it wasn't until November of 2011 that six Estonian criminals were caught. During that time, the malware generated about $14 million in illegal funds for them.

While the criminals were caught, that's not the end of the issues. Hundreds of thousands of infected computers were pointing to fake DNS servers. Prior to the arrests, the FBI and the German Federal Office for Information Security created a workaround, redirecting those being illegally redirected to the proper DNS servers.

While that protected those infected by DNSChanger from harm, the real fix would be if those systems were disinfected. After the arrests, the U.S. and German governments agreed to keep the rogue DNS servers running until March of this year. However, they learned that there were still about 450,000 active DNSChanger infected systems, and so the servers got an extension until Monday, July 9.

They can't keep these servers running forever, so if your system is infected, you need to fix it before Monday, or your Internet will go kaput on Monday, as those DNS servers will be offline.

So what do you do to find out if you have a DNSChanger infection? If you are running up-to-date security software, you are most likely safe. But to be sure, all you need to do is head over to or, if you are outside the U.S., its parent site, the DNSChanger Working Group.

It's simple: click on the link appropriate to your country, and if you're clean, you'll see an image with a green background (shown). If you're infected, you'll see an image with a red background.
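A local complement to that check, as an added example that is not part of the original post: since DNSChanger works by rewriting the machine's DNS server settings, you can read the configured resolver addresses and compare them against the published rogue ranges. The ranges below are placeholders from the RFC 5737 documentation networks, not the real DNSChanger ranges, and the function names and sample file content are constructed for illustration.

```python
import ipaddress
import re

# PLACEHOLDER ranges (RFC 5737 documentation networks), not the real
# DNSChanger ranges; substitute the list published by the DCWG.
ROGUE_RANGES_PLACEHOLDER = ["192.0.2.0/24", "198.51.100.0/25"]

# Constructed sample in resolv.conf format (not taken from a real host).
SAMPLE_RESOLV_CONF = """\
# constructed sample
nameserver 192.0.2.53      # falls inside a placeholder rogue range
nameserver 198.51.100.200  ; outside the /25 placeholder range
nameserver 203.0.113.10
nameserver not-an-ip
options timeout:2
"""

def parse_nameservers(resolv_conf_text):
    """Return the valid IP addresses found on 'nameserver' lines."""
    servers = []
    for line in resolv_conf_text.splitlines():
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) < 2 or parts[0] != "nameserver":
            continue
        addr = parts[1].split("%", 1)[0]  # drop an IPv6 zone id if present
        try:
            servers.append(ipaddress.ip_address(addr))
        except ValueError:
            continue  # malformed entry: the resolver would ignore it too
    return servers

def find_rogue(servers, ranges):
    """Return the configured resolvers that fall inside any listed range."""
    nets = [ipaddress.ip_network(r) for r in ranges]
    return [str(s) for s in servers
            if any(s.version == n.version and s in n for n in nets)]

if __name__ == "__main__":
    # On a Unix-like system, read /etc/resolv.conf instead of the sample.
    hits = find_rogue(parse_nameservers(SAMPLE_RESOLV_CONF),
                      ROGUE_RANGES_PLACEHOLDER)
    if hits:
        print("Resolver(s) inside a listed rogue range:", ", ".join(hits))
    else:
        print("No configured resolver is inside the listed ranges.")
```

This only inspects the addresses configured on the machine itself; a resolver address handed out by a home router has to be checked in the router's own settings.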

If you're infected, the fun begins. The DCWG has a list of free tools to download and instructions on how to clean a computer infected with DNSChanger. However, if you can't access the Internet, you can't download the tools. Once again, you need to do this before Monday.

As we said, if you have a current security suite installed, you probably are safe. In any case, you should always have security software installed, and as we saw with Flashback, that includes Mac OS X, as well.

Proactive protection is far easier than having to deal with removal.
