How the DNSChanger malware works

Monday, 9 July, was supposed to be 'Internet Doomsday', when the US Federal Bureau of Investigation (FBI) was to shut down servers associated with the DNSChanger malware. As a result, computers infected with this threat were to be cut off from the Internet.

According to an IDG report, the FBI estimated that only 41,800 computers remained infected by DNSChanger as of Sunday night, and some Internet service providers have been offering their own solutions to keep customers online.

So far, the cutoff day has been free of catastrophes, IDG reports. We asked Eugene Teo, manager, security response, at Symantec, about this malware and how it was going to affect computers in Asia.

The FBI will shut down servers associated with the DNSChanger malware. Will this affect servers and computers in the Asia Pacific region?

Yes, it will. According to the DNSChanger Working Group (DCWG), globally there are at least 210,851 unique Internet protocol (IP) addresses as of 8 July 2012, 619 of them from Singapore, still being redirected to the rogue DNS servers now being controlled by the FBI. Our research has found the DNSChanger malware to affect computer systems operating on Windows and Mac only. It is also worth noting that the volume of "unique IPs talking to the clean DNS servers" undercounts the total number of infections, while the estimates built around unique browser IDs demonstrate a higher total infection count.

While it seems as if the FBI has rectified the issue, the temporary server is only a temporary measure. Once it is shut down, computers that are still compromised will lose connectivity to the Internet in its entirety. In other words, infected PCs and servers will no longer be able to connect to any websites.

How serious is this threat? Why does the FBI want to take this extreme step? And does the FBI, a US federal government agency, have the authority to do it at a global level?

While we're unable to determine the FBI's motivation, the fact that there are globally at least 210,851 unique IP addresses still being redirected to the rogue DNS servers indicates that many users have a chance of experiencing a complete Internet outage if they remain unaware of this infection.

Can you tell us a little about the DNSChanger malware? What about its origins and what does it do?

DNSChanger is a malware that changes the Domain Name System (DNS) settings on the compromised computer. Beginning in 2007, the cyber ring responsible for DNSChanger operated under the company name "Rove Digital" and used the malware to manipulate users' Web activity by redirecting unsuspecting users to rogue DNS servers hosted in Estonia, New York, and Chicago. In some cases, the malware had the additional effect of preventing users' anti-virus software and operating systems from updating, thereby exposing infected machines to even more malicious software.

The FBI has since seized the rogue DNS servers and the botnet's command-and-control (C&C) servers as part of Operation Ghost Click, and the servers are now under its control. To assist victims affected by DNSChanger, the FBI obtained a court order authorising the Internet Systems Consortium (ISC) to deploy and maintain temporary legitimate DNS servers, replacing the Rove Digital malicious network. As mentioned earlier, this is by no means a permanent solution and does not remove malware from infected systems; it just provides additional time for victims to clean affected computers and restore their normal DNS settings. According to the court order, which expired on 9 July 2012, the clean DNS servers will be turned off and computers still infected by DNSChanger malware may lose Internet connectivity.

To put this into perspective, DNS is an Internet service that converts user-friendly domain names into the numerical IP addresses that computers use to talk to each other. When you enter a domain name into your Web browser address bar, your computer contacts DNS servers to determine the IP address for the website you are intending to visit. Your computer then uses this IP address to locate and connect to the website. DNS servers are operated by your Internet service provider (ISP) and are included in your computer's network configuration.

This figure shows how DNS works.

With the ability to change a computer's DNS settings, malware authors can control what websites a computer connects to on the Internet and can force a compromised computer to connect to a fraudulent website or redirect the computer away from an intended website. To do that, a malware author needs to compromise a computer with malicious code, which in this case is DNSChanger. Once the computer is compromised, the malware modifies the DNS settings from the ISP's legitimate DNS server's address to the rogue DNS server's address, in this case, advertisement websites.

This figure shows how the DNSChanger malware works.

What can individuals or companies do to avoid facing an Internet blackout?

A task force has been created, called the DNSChanger Working Group (DCWG), to help people determine if their computers have been compromised by this threat and to also help them remove the threat.

Users can go to the DNS Changer Check-Up page, maintained by the DCWG, to determine whether their computer is compromised or not. There are other pages in various languages maintained by other organisations listed on the DCWG's Detect page. Various organisations are proactively informing users that their computers are compromised by DNSChanger. The FBI has also put together instructions on how to determine manually if a computer has been compromised or not.

If users suspect that their system may have been compromised, they can use Norton Power Eraser, a free tool from Symantec, to further analyse and remove any malware on their PCs.

Symantec customers can also refer to the following instructions (for the full details please visit here), applicable to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines:

i. Disable System Restore.

ii. Update the virus definitions.

iii. Run a full system scan.

iv. Delete any values added to the registry.

v. Delete the entries added to the RAS phonebook file.

In addition, for home users, Symantec offers a free public DNS service called Norton ConnectSafe that combines a reliable Web browsing experience with basic security features integrated. Users can activate Norton ConnectSafe by setting their DNS server addresses to the Norton DNS servers. For the full details, please visit here.
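The manual check the DCWG and FBI describe above comes down to comparing the resolver addresses in a machine's network configuration against the published rogue server ranges. The script below is an added example illustrating that check, not code from the article, Symantec or the DCWG; the rogue ranges in it are placeholders (documentation test networks), and the resolver configuration is a constructed sample in /etc/resolv.conf format.

```python
"""Flag resolvers that fall inside known rogue DNS ranges (added example).

The rogue ranges are PLACEHOLDERS: substitute the address ranges published
by the DCWG/FBI for the DNSChanger rogue servers before real use.
"""
import ipaddress
import re

# Placeholder rogue resolver ranges (documentation test networks, constructed
# for this example; the real DCWG list is not reproduced here).
ROGUE_RANGES_PLACEHOLDER = [
    "203.0.113.0/24",   # TEST-NET-3 standing in for a rogue range
    "198.51.100.0/24",  # TEST-NET-2 standing in for a rogue range
]

# Constructed sample resolver configuration; the first nameserver has been
# pointed into a placeholder rogue range, as DNSChanger would do.
SAMPLE_RESOLV_CONF = """\
# Generated by the network manager
search example.internal
nameserver 203.0.113.77
nameserver 192.0.2.53
"""


def parse_nameservers(resolv_conf_text):
    """Return the resolver IP addresses listed in resolv.conf-style text."""
    servers = []
    for line in resolv_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        match = re.match(r"nameserver\s+(\S+)", line)
        if match:
            try:
                servers.append(ipaddress.ip_address(match.group(1)))
            except ValueError:                    # skip malformed entries
                continue
    return servers


def check_resolvers(resolv_conf_text, rogue_ranges=ROGUE_RANGES_PLACEHOLDER):
    """Return (resolver, rogue_range) pairs for every resolver inside a rogue range."""
    nets = [ipaddress.ip_network(r) for r in rogue_ranges]
    hits = []
    for server in parse_nameservers(resolv_conf_text):
        for net in nets:
            if server.version == net.version and server in net:
                hits.append((str(server), str(net)))
                break
    return hits


if __name__ == "__main__":
    for server, net in check_resolvers(SAMPLE_RESOLV_CONF):
        print(f"resolver {server} is inside rogue range {net}: DNS settings were changed")
```

On Windows the same comparison applies to the "DNS Servers" entries from the adapter configuration; only the parsing step differs.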

Eugene Teo is manager, security response, at Symantec.
