DNSChanger poses a new threat to its victims

This is the date on which the FBI is planning to shut down its substitute servers; those servers it set up when it took down the DNSChanger botnet. An FBI report at the time outlined the issue: “One consequence of disabling the rogue DNS network is that victims who rely on the rogue DNS network for DNS service could lose access to DNS services. To address this, the FBI has worked with private sector technical experts to develop a plan for a private-sector, non-government entity to operate and maintain clean DNS servers for the infected victims.”

But there are now two problems. Firstly, despite the same FBI report giving details on how to detect DNSChanger infections, Internet Identity “found at least 250 of all Fortune 500 companies and 27 out of 55 major government entities had at least one computer or router that was infected with DNSChanger in early 2012.” Secondly, if the FBI does not extend the life of the substitute servers (for which it will need an extension to its existing court order), any remaining infected system will cease being able to correctly access the internet. In other words, any business that still has DNSChanger infections will overnight suffer severe commercial disruption.

“When the FBI shuts down these servers,” explains Kaspersky’s David Emm, “victims of this DNSChanger will be unable to access the web or send e-mail. So it’s important that anyone who has fallen victim to this malware removes it from their system before that happens.” The first step is to check whether you are infected. In a blog on the subject, Ipswitch offers a free trial of its WhatsUpGold product specifically to find out. “Flow Monitor will detect if any devices are still infected on your network.” But computers then need to be disinfected, quickly.

“However,” continues Emm, “I’d stress that this technique is not limited to just one piece of malware – it has been successfully used by a variety of different Trojans for some years. So businesses and individuals alike should ensure that their Internet security software is up-to-date and scan their systems regularly.”

Graham Cluley of Sophos points to the wider problem. “It may prove disruptive for those users with infected computers when they can't access the net properly anymore, but their computers *are* infected with a malicious rootkit. These computers are not just infected with DNSChanger, they are also disabled from receiving Microsoft security updates - that means there could be all kinds of other nastiness lingering on those PCs *and* (crucially) being spread to other innocent internet users.

“Action has to be taken,” he adds, “and if this is the only way to wake the affected users into sorting out the problem, so be it.”

What’s Hot on Infosecurity Magazine?