If one were to believe some headlines, there’s an Internet apocalypse coming on July 9, 2012, when hundreds of thousands of computers will be unable to access the Internet because of actions by the FBI. But before anyone panics, let’s cut through the hype and take a look at what happened and how you can prepare your organization and users before the deadline approaches.
So, what is going on?
Last November, the FBI announced the successful shutdown of a major click-jacking fraud ring in a joint investigation with Estonian authorities and other organizations, including anti-malware company Trend Micro. Seven individuals, including six Estonians and one Russian, were charged with wire fraud and computer intrusion crimes. The investigation, dubbed, “Operation Ghost Click“, included the takedown of a botnet comprising nearly 4 million infected computers. Authorities raided datacenters located in New York and Chicago, removing nearly 100 servers. The computers that were members of that botnet were infected with the malware known as DNS Changer that has been in circulation since 2007.
The DNS Changer malware family silently replaces the Domain Name System (DNS) settings of the computers that it infects (both Windows PCs and Macs) with the addresses of the malicious servers and routers (yes, small office/home office routers that were still using their default admin usernames and passwords). Affected users then would be directed to sites that served malware, spam or large advertisements when they tried to go to popular websites such as Amazon, iTunes and Netflix. Additionally, some variants of the malware blocked access to anti-malware and operating system update sites to prevent its removal. The operators of this botnet would receive advertising revenues when the pages were displayed or clicked on, generating them over $14 million in fees.
Due to the potential impact the removal of these DNS servers would have on millions of users, the FBI had the malicious servers replaced with machines operated by the Internet Systems Consortium, a public benefit non-profit organization, to give affected users time to clean their machines. Originally these temporary servers were to be shut down in March, but the FBI obtained a court order authorizing an extension because of the large number of computers still affected. The new deadline is July 9, giving more time to those still infected to fix their computers. As of March, the infected still included 94 of all Fortune 500 companies and three out of 55 major government entities, according to IID (Internet Identity), a provider of technology and services.
How do I check if I’m infected?
If you are a network admin or IT pro, and you are pretty confident your organization is in the clear, you still may want to share these instructions with your users so that they are aware that their home systems could be infected and so that they can perform the self-checks.
Both the FBI and the DNS Changer Working Group have provided detailed step-by-step instructions for manually checking Windows XP, Windows 7 and Mac OS X computers for infection. Essentially, if your DNS servers listed include one or more of the addresses in the following list, your computer might have been infected:
- 220.127.116.11 through 18.104.22.168
- 22.214.171.124 through 126.96.36.199
- 188.8.131.52 through 184.108.40.206
- 220.127.116.11 through 18.104.22.168
- 22.214.171.124 through 126.96.36.199
- 188.8.131.52 through 184.108.40.206
If your computer checks out okay, you should also check your SOHO router settings. Consult your product documentation on how to access your router settings and compare its DNS servers to those on the list above. If your router is affected, a computer on your network is likely infected with the malware.
There are also several self check tools that can help check your machine. One such tool is provided by the DNS Changer Working Group at http://www.dns-ok.us/. This site will display an image with a red background if the machine or router is infected. On a clean machine, it will be a green background:
There are several localized versions of this tool, maintened by different security organizations, each with instructions on how to clean up the infection (a complete list can be found here):
|www.dns-ok.us||English||DNS Changer Working Group (DCWG)|
|www.dns-ok.de||German||Bundeskriminalamt (BKA) & Bundesamt für Sicherheit in der Informationstechnik (BSI)|
|www.dns-ok.ca||English/French||Canadian Internet Registration Authority (CIRA) and Canadian Cyber Incident Response Centre (CCIRC)|
|dns-changer.eu||German, Spanish, English||ECO (Association of the German Internet Industry)|
The FBI also provides a form where you can enter the IP address of the DNS server configured on the machine:
Depending on your organizations’ network configuration, you could set up alerts when machines from your internal network attempt to reach any of the listed addresses or you can block them outright. Be careful if you opt to block them though, as any infected machine will essentially lose its Internet connectivity since they won’t be able to resolve any Internet server name they attempt to reach. Of course, this will also be a big clue that something is wrong, if the support phone lines fire up on July 9 with users reporting mysterious Internet outages!
I found an infection! How do I fix it?
As with detection, there are also a number of tools available to fix an infection. Since the DNS Changer was delivered through different mechanisms over the years, some infections may be more difficult to remove than others. In some extreme cases, only a full reinstall of the operating system will ensure a successful repair. Some removal tools available include:
- Kaspersky Labs TDSSKiller
- McAfee Stinger
- Microsoft Safety Scanner
- Trend Micro Housecall
- Avira DNS Repair Tool
This is by no means a complete list; most anti-malware companies should be able to detect this particular threat. But be aware that your mileage may vary. DNS Changer was also part of some web exploitation kits and other types of malware (backdoors, keyloggers, etc.) might have hitched a ride and complicated the removal process. If you have an affected router, you should also change its default admin password to something else (and don’t use an easily guessable password - it will be only a matter of time before someone else tries a similar attack).
What if my machine remains infected after the deadline?
Machines that remain infected or are served by an affected router after the temporary servers are removed will, for all intents and purposes, lose their Internet connectivity. How to fix it will remain the same, but with the added wrinkle that you will probably need a second, clean machine with Internet access for diagnostics and to obtain removal tools.