The Australian Communications and Media Authority (ACMA) warned Windows and Mac DNSChanger Trojan victims to remove the malware now or risk being cut off from the internet on 9 July 2012.
In a statement issued Thursday the ACMA said there are approximately 10,000 Australian internet users currently infected with this malware.
“DNSChanger infections currently constitute around half the infections reported through the AISI (Australian Internet Security Initiative). The ACMA started reporting DNSChanger data to AISI participants as soon as it was made available to us in November 2011,” ACMA’s e-security operations manager Bruce Matthews told CSO Australia.
Mathews said that in 2011-12 the average number of malware reports per day through to the end of February 2012 was 14,027 under the AISI, which works with dozens of Australia’s ISP under the voluntary iCode infection notification system.
The inclusion of DNSChanger infections, which AISI began collecting data on in November 2011, was apparently behind a huge surge in “bot infections” numbers through 2011 and 2012.
DNSChanger was one of the largest botnets in the world, estimated to have infected four million Windows and OS X computers in a massive click-fraud and fake antivirus scheme, disrupted in late 2011 under the FBI’s “Operation GhostClick”.
The malware directed infected machines to “rogue” DNS (domain name server) resolvers after manipulating a computer’s DNS settings.
Users of infected machines who might try to reach ACMA by typing acma.gov.au into their browser would be led to a different IP address, such as a fraudulent website that either led to more malware, fake antivirus or phishing sites.
GFI Software (Sunbelt) shows how the malware impacts Windows on this You Tube video.
The cut-off date for Australians is in line with the expiration of a US court order the FBI obtained this February that extended the Internet Systems Consortium’s (ICS) authority to maintain “temporary clean DNS servers”, designed to buy time for victims to remove the Trojan. The original order was 120 days.
Australian ISPs will not be responsible for customers that experience connection problems after this date, ACMA’s Mathews said.
“The ACMA, CERT Australia and DBCDE are coordinating an effort to encourage Australian internet users infected by DNSChanger to remove this malware from their computing devices before 9 July 2012,” he said.
“As far as I know, no Australian ISPs have adopted ‘temporary solutions’ (for ISC’s cut-off date). On 9 July 2012 the ISC will turn off the temporary DNS servers that currently enable computing devices infected with DNSChanger to connect to the internet.”
The internet industry and governments across the globe have struggled to kill the botnet, despite efforts to notify consumer and enterprise victims.
US security firm Internet Identity in February reported that half of all US Fortune 500 firms and 27 out of 55 major government agencies were still infected with the Trojan, security blogger Brian Krebs reported at the time.
In early November 2011 -- when Estonian police arrested the six suspects behind a company Rove Media, which controlled the “Esthost” botnet, spread by DNSChanger -- “victims observed per day” numbered over 800,000 worldwide.
By January 2012 the number still sat at just below 500,000 (see graph), according to the The DNS Changer Working Group (DCWG).
The Australian government has established the website dns-ok.gov.au for potential victims to check if their computers are infected and follow removal advice.
“If you are infected, dns-ok.gov.au provides links to tools and detailed documentation that may help you remove the infection,” ACMA said in its statement.
The DCWG provides a range of IP addresses that would indicate whether a computer’s DNS Settings have been altered by the Trojan. It also provides detection and clean up instructions for Windows XP, Windows 7, Mac OSX systems, and widely-used home routers from D-Link, Linksys and Netgear amongst others.
Consumerisation is inevitable.. So how secure is your data?
Hear from Rob Livingstone, Michael Barnes, Steve Quane and Dave Asprey amongst others on the Evolution. Trends, Solutions and the Future of Cloud Security, limited seats register today through CSO.