
Preparing for the DNSChanger Internet outage

Alfonso Barreiro tells all you need to know to clean up the DNSChanger malware that has affected millions of users. Make sure your organization is prepared for the July 9, 2012 deadline that the FBI has set to shut down temporary "clean" servers.

If one were to believe some headlines, there's an Internet apocalypse coming on July 9, 2012, when hundreds of thousands of computers will be unable to access the Internet because of actions by the FBI. But before anyone panics, let's cut through the hype and take a look at what happened and how you can prepare your organization and users before the deadline approaches.

So, what is going on?

Last November, the FBI announced the successful shutdown of a major click-jacking fraud ring in a joint investigation with Estonian authorities and other organizations, including anti-malware company Trend Micro. Seven individuals, six Estonians and one Russian, were charged with wire fraud and computer intrusion crimes. The investigation, dubbed "Operation Ghost Click", included the takedown of a botnet comprising nearly 4 million infected computers. Authorities raided datacenters located in New York and Chicago, removing nearly 100 servers. The computers that were members of that botnet were infected with the malware known as DNS Changer, which has been in circulation since 2007.

The DNS Changer malware family silently replaces the Domain Name System (DNS) settings of the computers that it infects (both Windows PCs and Macs) with the addresses of the malicious servers and routers (yes, small office/home office routers that were still using their default admin usernames and passwords). Affected users then would be directed to sites that served malware, spam or large advertisements when they tried to go to popular websites such as Amazon, iTunes and Netflix. Additionally, some variants of the malware blocked access to anti-malware and operating system update sites to prevent its removal. The operators of this botnet would receive advertising revenues when the pages were displayed or clicked on, generating them over $14 million in fees.

Due to the potential impact the removal of these DNS servers would have on millions of users, the FBI had the malicious servers replaced with machines operated by the Internet Systems Consortium, a public benefit non-profit organization, to give affected users time to clean their machines. Originally these temporary servers were to be shut down in March, but the FBI obtained a court order authorizing an extension because of the large number of computers still affected. The new deadline is July 9, giving those still infected more time to fix their computers. As of March, infected organizations still included 94 of the Fortune 500 companies and three out of 55 major government entities, according to IID (Internet Identity), a provider of security technology and services.

How do I check if I'm infected?

If you are a network admin or IT pro, and you are pretty confident your organization is in the clear, you still may want to share these instructions with your users so that they are aware that their home systems could be infected and so that they can perform the self-checks.

Both the FBI and the DNS Changer Working Group have provided detailed step-by-step instructions for manually checking Windows XP, Windows 7 and Mac OS X computers for infection. Essentially, if the DNS servers listed in your network settings include one or more addresses from the following ranges, your computer might have been infected:

  • 85.255.112.0 through 85.255.127.255
  • 67.210.0.0 through 67.210.15.255
  • 93.188.160.0 through 93.188.167.255
  • 77.67.83.0 through 77.67.83.255
  • 213.109.64.0 through 213.109.79.255
  • 64.28.176.0 through 64.28.191.255

If your computer checks out okay, you should also check your SOHO router settings. Consult your product documentation on how to access your router settings and compare its DNS servers to those on the list above. If your router is affected, a computer on your network is likely infected with the malware.

There are also several self-check tools that can help check your machine. One such tool is provided by the DNS Changer Working Group at http://www.dns-ok.us/. This site will display an image with a red background if the machine or router is infected. On a clean machine, it will have a green background:

Figure A

There are several localized versions of this tool, maintained by different security organizations, each with instructions on how to clean up the infection (a complete list can be found here):

Site (language): maintainer organization(s)

  • www.dns-ok.us (English): DNS Changer Working Group (DCWG)
  • www.dns-ok.de (German): Bundeskriminalamt (BKA) and Bundesamt für Sicherheit in der Informationstechnik (BSI)
  • www.dns-ok.ca (English/French): Canadian Internet Registration Authority (CIRA) and Canadian Cyber Incident Response Centre (CCIRC)
  • dns-ok.gov.au (English): CERT Australia
  • dns-changer.eu (German, Spanish, English): ECO (Association of the German Internet Industry)

The FBI also provides a form where you can enter the IP address of the DNS server configured on the machine:

Figure B

Depending on your organization's network configuration, you could set up alerts when machines on your internal network attempt to reach any of the listed addresses, or you can block them outright. Be careful if you opt to block them, though: any infected machine will essentially lose its Internet connectivity, since it won't be able to resolve any Internet server name it attempts to reach. Of course, this will also be a big clue that something is wrong if the support phone lines light up on July 9 with users reporting mysterious Internet outages!
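As an added example (not part of the original article), the following Python script covers both checks described above: it tests resolver settings copied from resolv.conf or `ipconfig /all` against the six published address ranges, and it scans firewall log lines for internal hosts sending DNS traffic to those ranges so you can raise an alert per host. The log line format, the sample ipconfig fragment and the addresses 10.1.4.x and 192.0.2.53 are constructed for the example; only the six ranges come from the article.

```python
import ipaddress
import re

# The six rogue-resolver ranges the article lists (FBI / DCWG list).
DNSCHANGER_RANGES = [
    ("85.255.112.0", "85.255.127.255"), ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"), ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"), ("64.28.176.0", "64.28.191.255"),
]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def is_dnschanger_address(ip):
    """True if ip is an IPv4 address inside one of the listed ranges."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except ipaddress.AddressValueError:
        return False  # not a valid IPv4 address, so it cannot be in a range
    return any(ipaddress.IPv4Address(lo) <= addr <= ipaddress.IPv4Address(hi)
               for lo, hi in DNSCHANGER_RANGES)

def check_resolver_config(config_text):
    """Return rogue resolvers found in resolv.conf ('nameserver a.b.c.d')
    or Windows 'ipconfig /all' text, where extra DNS servers appear on
    indented continuation lines below the 'DNS Servers' field."""
    rogue, in_dns = [], False
    for line in config_text.splitlines():
        if line.lstrip().startswith("nameserver") or "DNS Servers" in line:
            in_dns = True
        elif ":" in line or not line.strip():
            in_dns = False  # a different ipconfig field, or a blank line
        if in_dns:
            rogue += [ip for ip in IPV4_RE.findall(line) if is_dnschanger_address(ip)]
    return rogue

# Constructed firewall-log shape: "<time> <action> <proto> <src>:<port> -> <dst>:<port>"
LOG_RE = re.compile(r"(\S+):\d+ -> (\S+):(\d+)$")

def find_hosts_using_rogue_dns(log_lines):
    """Map each internal source IP to the rogue resolvers it sent DNS (port 53)
    traffic to; an empty dict means there is nothing to alert on."""
    hits = {}
    for line in log_lines:
        m = LOG_RE.search(line.strip())
        if m and m.group(3) == "53" and is_dnschanger_address(m.group(2)):
            hits.setdefault(m.group(1), set()).add(m.group(2))
    return hits

# Constructed samples (not real captures): an ipconfig fragment and three log lines.
SAMPLE_IPCONFIG = ("   IPv4 Address. . . . . . . . . . . : 10.1.4.22\n"
                   "   DNS Servers . . . . . . . . . . . : 85.255.112.35\n"
                   "                                       93.188.161.2\n"
                   "   NetBIOS over Tcpip. . . . . . . . : Enabled\n")
SAMPLE_LOG = ["2012-06-20 09:14:02 allow udp 10.1.4.22:51234 -> 85.255.112.35:53",
              "2012-06-20 09:14:03 allow udp 10.1.4.40:50111 -> 192.0.2.53:53",
              "2012-06-20 09:14:05 allow tcp 10.1.4.22:51300 -> 93.188.161.2:80"]
```

Only port 53 traffic is flagged, so a web connection to one of the ranges (the third sample line) does not by itself raise an alert.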

I found an infection! How do I fix it?

As with detection, there are also a number of tools available to fix an infection. Since the DNS Changer was delivered through different mechanisms over the years, some infections may be more difficult to remove than others. In some extreme cases, only a full reinstall of the operating system will ensure a successful repair. Some removal tools available include:

This is by no means a complete list; most anti-malware companies should be able to detect this particular threat. But be aware that your mileage may vary. DNS Changer was also part of some web exploitation kits, and other types of malware (backdoors, keyloggers, etc.) might have hitched a ride and complicated the removal process. If you have an affected router, you should also change its default admin password to something else (and don't use an easily guessable password; it will be only a matter of time before someone else tries a similar attack).

What if my machine remains infected after the deadline?

Machines that remain infected or are served by an affected router after the temporary servers are removed will, for all intents and purposes, lose their Internet connectivity. How to fix it will remain the same, but with the added wrinkle that you will probably need a second, clean machine with Internet access for diagnostics and to obtain removal tools.

About

I am a technology specialist with over 10 years of experience performing a variety of corporate IT functions, including desktop and server operations, application development, and database administration. My latest role is in information security, fo...

14 comments
Cofins4Terorists

I am so totally confused. Today I received on my home computer an article supposedly from NBCnews. Was about this same thing. Well, due to so many links, all different BTW, throughout the article I tried contacting NBC to see if it was really from them, no response. Then searched all over Facebook for a way to contact them with same question. Found that Facebook live page, asked the question and was ignored! Then I went to the FBI home page and searched that entire site for any information, found nothing. Called my local office, got an answer. According to the agent I spoke with it is ALL bogus, the article was NOT from NBC and click no links in it or anything that refers to this problem. Since I just found this site here due to a friend sending to me too late to call that agent and VERIFY who YOU are I'll not be clicking ANY links here.

dayen

It's who's infected that counts from what I read; if it was just Joe citizen or a small business instead of 94 of the Fortune 500 companies the plug would have been pulled and no one would have even said boo, and 3 government entities, wonder who they are?

jjprehn

4 million computers world wide (estimated) infected. 300,000 in the US (estimated) out of an estimated 90 million computers in household use. That is less than .34 percent. And the only consequence is that when the FBI turns off their servers, this .3 percent will suddenly not be able to access the internet. Thank goodness for this article, because if my grandma calls me on or after July 9 to say she can't get on the internet, I will be able to tell her one thing that the geek squad should look for.

gorman.mi

Yeah, the world is full of danger and we are here to protect you poor lambs-by the way we will have to remove your freedoms on the Internet to ensure you are not infected by the Rusky bogey men. I don't trust the bastards.

Skruis

If the FBI went through the hassle of setting up servers to provide DNS service at those IPs to allow infected users to continue to browse, you would think they'd also take the step of recording which client IPs are using the DNS services at these locations and contact the owners of the IPs to alert them to the issue. Now, I don't mean that they should subpoena Comcast for the identity of a user, but they could easily provide the list of Comcast-owned IPs to Comcast and say "these users are infected" and in turn Comcast could notify the users on the FBI's behalf without divulging the identities of the users to the FBI. Most major ISPs should have some mechanism in place to contact users they suspect may be infected...at the very least, it might save on some of their bandwidth costs if the viruses are removed (in general, not in relation to this specific virus).

Kenton.R

The "94 of all Fortune 500 companies" line makes it sound like nearly one out of five Fortune 500 companies would be crippled if the DNS servers were turned off today. In reality, that statistic just shows those companies have had at least one computer (out of the untold thousands they manage) reach out from a public IP they own and query the malware DNS servers prior to Feb 23rd (not March). This trickle of infected machines is likely old, un-managed workstations, laptops that have been rotting away in a closet until somebody tested to see if they still work, and similar forgotten odds and ends. There is no way that a major company would suddenly go offline, but that is the result implied by this article. Plus, this is just DNS - the infected computer isn't going to completely drop off the internet. If necessary, a company could write a rule at their firewall and route any DNS-Changer traffic to the IP of a legit DNS server. The FBI article mentions that only about 500,000 computers in the U.S. were infected, but only the 4 million figure for world-wide infections is used for this article. Again, slightly misleading, as FBI crime statistics are usually implied to be U.S.-centric. The way the FBI article is worded, it is difficult to determine if they are saying 500k is the PEAK stateside infection count at the height of the outbreak, or a RUNNING count of infected machines over the entire lifetime of the malware. Either way, it is definitely not the CURRENT number of infected machines. But I'll run with that number as a "worst-case" possibility for a second. 500,000 infected computers in the U.S., out of an estimated 245,000,000 U.S.-based internet users. So - at absolute maximum - there could be 1 in 500 people affected. Those 1 in 500 have been running without antivirus since being hit with DNS-Changer and are probably infected with several other pieces of malware by now.
They need to be taken offline as a public service - to protect them from themselves and keep them from possibly being used to infect others. These bottom 0.2% of internet users likely need to take their computers in for repair anyway to get rid of the 12 IE toolbars they have installed and the multiple versions of fake AV. This will just force them to do so before rejoining the rest of society. July can't come soon enough. ...or I could just be jaded and grumpy today because everyone from my mom to several non-techie co-workers has contacted me and been worried to death about this in the past two weeks. It seems some people still read the local newspaper. The Courier-Journal article that freaked them all out was from April 21st with the friendly headline "HUNDREDS OF THOUSANDS MAY LOSE INTERNET IN JULY." I don't know how they could have possibly gotten scared from a headline like that. /sarcasm.

pgit

Good info, I'll pass this article around. I've had a lot of customers ask me about this one; for some reason the public seems well informed about this particular exploit. Good publicity, I suppose.

pgit

If you hover the mouse over the links the URL should be revealed, eg in thunderbird down on the bottom toolbar. 9 times out of 10 the links are obviously bogus, like no mention of "nbc" and the location is .ru, .cn or some obscure country. It might be harder for people who don't use English as the primary language to tell, but usually the writing in the body of the email contains obvious flaws in syntax, spelling, word use and structure. Giveaways include "they're-their-there" and other synonyms. Referring to a subject by sex (her, him, his etc) is not common in business writing, but many foreign languages require the assignment of gender, so seeing such in an email is indication it's suspect. There's also tense, which is one of the harder things to master for foreigners not fluent in English. Tense must be preserved, so look for inconsistencies in time or position related wording, eg is-was, are-were and the like. And is-are can be confused, "He is" is appropriate, "He are" is not. Conversely it's "We are," not "we is." This is usually separated by adjectives, pronouns and other modifiers, making the selection of the appropriate wording harder for non-English speakers. For example "Ted, who has been inducted into the fraternity of top marketers, is going to be the keynote speaker." The operative is "Ted...is." But some might see the "top marketers," and place "are" where "is" should be. If the subject were not Ted but "top marketers," then "are" would be appropriate. Someone reading an email in English who is not primarily an English speaker might not catch some of the above errors, and unfortunately many people who ONLY speak English don't know the rules of their own language. But a careful read of something that seems suspect should have at least one obvious syntactical error. Lastly, if you are suspicious in the first place, just go with it and delete the mail without clicking any links. What can it hurt to just skip it altogether? 
Better safe than sorry, I tell my clients. This even applies to mail forwarded from someone you know. I make sure my clients understand that a compromised machine is likely to be sending out as much infected mail as it can, so odd mail from a known contact may be bad news.

pgit

All the alleged mayhem seems to originate with the alphabet-soup people, classic example this latest tighty-whitey bomb. My wife 'corrected' the news report we heard on the radio yesterday, she said "...the bomb is now BACK in CIA hands..." Hopefully a critical mass of people will wake up to the concept of false flag, and realize Orwell wasn't writing fiction.

Kenton.R

They could change the FBI DNS servers to work like the captive portals we've all seen at hotels: no matter what DNS name you enter, you get directed to a page that basically says "You're infected. Heal thyself." Or perhaps a selective redirect - everything goes to the "you're infected" page except traffic to sites that provide a fix, like Trend Micro, Kaspersky, Avira, etc. Then they can throw links to those sites on the "you're infected" page, give users a month to stare at it and try to figure out what to do, and finally pull the plug on those that are still infected. I'm sure there are probably legal reasons why the government is hesitant to be seen redirecting people's traffic, even for the good of the end user... but my argument would be they are technically doing that already by providing the temporary DNS service. That line has already been crossed.

Kenton.R

Where are all the press releases from the 90+ Fortune 500 companies with their systems crippled since Monday? Which "government entities" went offline? No interviews with the "hundreds of thousands" without internet access? No reports from ISP helpdesks swamped by calls from infected customers? Not even an attempt to spin this non-event as "media coverage raised awareness and averted disaster?" Nothing? Looks like this hype train derailed. (Note: I'm not trying to pick on Alphonso - he clearly stated scepticism of the "Internet apocalypse" in his first paragraph. I'm just irritated by media hype surrounding DNSChanger in general.)

pgit

I don't read the paper, they must have had the same story, because it seems like everyone knows about the DNS changer. Makes me wonder why the mainstream is sensationalizing this story. Maybe to make people aware of DNS, so they'll understand the official explanation when a man in a cave with a laptop takes out the whole internet one of these days.

Skruis

If the page included the details of why the page was being served from FBI-provided equipment, I would think most users would actually be appreciative...and in turn, much more eager to correct the situation than to let their precious DNS requests flow to a server operated by a government organization famous for spying on its own citizens and then prosecuting them. The details of the page could explain that though the traffic is on a government-provided system, it is not being logged in any sort of way as to identify and eventually pursue the users of the system. That would give the FBI the "moral incentive" to advertise their actions and the concerned citizen the opportunity to sue if they felt their misguided traffic was logged and used inappropriately by the FBI.

khiatt

If one of my users called me over to show me "This FBI page just came up..." I would assume the page was bogus and that they had just been infected. The end result is the same though, I'd clean the machine and tell them to stop straying from work related usage :)