ACMA: 10,000 malware infected Aussies to be cut-off from internet July 9

Remove DNSChanger now, or face disconnection.

The Australian Communications and Media Authority (ACMA) warned Windows and Mac DNSChanger Trojan victims to remove the malware now or risk being cut off from the internet on 9 July 2012.

In a statement issued Thursday the ACMA said there are approximately 10,000 Australian internet users currently infected with this malware.

“DNSChanger infections currently constitute around half the infections reported through the AISI (Australian Internet Security Initiative). The ACMA started reporting DNSChanger data to AISI participants as soon as it was made available to us in November 2011,” ACMA’s e-security operations manager Bruce Matthews told CSO Australia.

Matthews said that in 2011-12 the average number of malware reports per day through to the end of February 2012 was 14,027 under the AISI, which works with dozens of Australia’s ISPs under the voluntary iCode infection notification system.

The inclusion of DNSChanger infections, which AISI began collecting data on in November 2011, was apparently behind a huge surge in “bot infections” numbers through 2011 and 2012.

DNSChanger was one of the largest botnets in the world, estimated to have infected four million Windows and OS X computers in a massive click-fraud and fake antivirus scheme, disrupted in late 2011 under the FBI’s “Operation GhostClick”.

The malware manipulated a computer’s DNS (Domain Name System) settings so that the infected machine sent its lookups to “rogue” DNS resolvers.

Users of infected machines who try to reach ACMA by typing its address into their browser would be led to a different IP address, such as that of a fraudulent website leading to more malware, fake antivirus or phishing sites.

GFI Software (Sunbelt) shows how the malware impacts Windows in this YouTube video.

The cut-off date for Australians is in line with the expiration of a US court order the FBI obtained this February that extended the Internet Systems Consortium’s (ISC) authority to maintain “temporary clean DNS servers”, designed to buy time for victims to remove the Trojan. The original order was 120 days.

Australian ISPs will not be responsible for customers that experience connection problems after this date, ACMA’s Matthews said.

“The ACMA, CERT Australia and DBCDE are coordinating an effort to encourage Australian internet users infected by DNSChanger to remove this malware from their computing devices before 9 July 2012,” he said.

“As far as I know, no Australian ISPs have adopted ‘temporary solutions’ (for ISC’s cut-off date). On 9 July 2012 the ISC will turn off the temporary DNS servers that currently enable computing devices infected with DNSChanger to connect to the internet.”

The internet industry and governments across the globe have struggled to kill the botnet, despite efforts to notify consumer and enterprise victims.

US security firm Internet Identity in February reported that half of all US Fortune 500 firms and 27 out of 55 major government agencies were still infected with the Trojan, security blogger Brian Krebs reported at the time.

In early November 2011 -- when Estonian police arrested the six suspects behind a company Rove Media, which controlled the “Esthost” botnet, spread by DNSChanger -- “victims observed per day” numbered over 800,000 worldwide.

By January 2012 the number still sat at just below 500,000 (see graph), according to the DNS Changer Working Group (DCWG).

The Australian government has established the website for potential victims to check if their computers are infected and follow removal advice.

“If you are infected, provides links to tools and detailed documentation that may help you remove the infection,” ACMA said in its statement.

The DCWG provides a range of IP addresses that would indicate whether a computer’s DNS settings have been altered by the Trojan. It also provides detection and clean-up instructions for Windows XP, Windows 7, Mac OS X systems, and widely-used home routers from D-Link, Linksys and Netgear amongst others.
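
The check described above, comparing a machine's configured DNS resolvers against a published list of rogue ranges, can be scripted. The following is an added example, not code from the DCWG or ACMA; the ranges are placeholders from documentation address space because this article does not list the real ones, and the function names and the "start-end" range format are assumptions.

```python
import ipaddress
import re

# Placeholder ranges (RFC 5737 documentation space) and the sample inputs
# below are constructed for this example; substitute the rogue-resolver
# ranges published by the DCWG and the real output from the host.
ROGUE_RANGES = ["192.0.2.0-192.0.2.255", "198.51.100.0-198.51.100.127"]
SAMPLE_RESOLV_CONF = "# constructed\nnameserver 198.51.100.17\nnameserver 10.0.0.1\n"
SAMPLE_IPCONFIG = """\
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.0.2.53
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

def load_ranges(specs):
    """Expand 'start-end' strings into a list of ip_network objects."""
    nets = []
    for spec in specs:
        start, end = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
        nets.extend(ipaddress.summarize_address_range(start, end))
    return nets

def extract_resolvers(text):
    """Return resolver IPs from resolv.conf or `ipconfig /all` style text."""
    found, in_dns_block = [], False
    for line in text.splitlines():
        m = re.match(r"\s*nameserver\s+(\S+)", line)
        if m:
            candidate = m.group(1)
        elif re.match(r"\s*DNS Servers[ .]*:", line):
            in_dns_block, candidate = True, line.split(":", 1)[1].strip()
        elif in_dns_block and ":" not in line and line.strip():
            candidate = line.strip()  # IPv4 continuation line of the DNS list
        else:
            in_dns_block = False
            continue
        try:
            found.append(ipaddress.ip_address(candidate))
        except ValueError:
            pass  # not an IP literal (empty value, hostname)
    return found

def rogue_resolvers(text, nets):
    """Return the configured resolvers that fall inside any listed range."""
    return [ip for ip in extract_resolvers(text) if any(ip in n for n in nets)]

if __name__ == "__main__":
    nets = load_ranges(ROGUE_RANGES)
    print(rogue_resolvers(SAMPLE_RESOLV_CONF, nets), rogue_resolvers(SAMPLE_IPCONFIG, nets))
```

A clean result on the computer does not clear the home router, which hands out its own DNS settings over DHCP and has to be checked separately.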
