This coming March 8, 2012 the Internet could stop working for millions of users because of a virus, DNS Changer, which has corrupted millions of computers in more than 100 countries.
Though the US Federal Bureau of Investigation (FBI) has shut down the rogue DNSChanger network and put up surrogate servers following a US court order, it has the mandate to run the temporary network only till March 8. Unless the FBI obtains a fresh order, the network will be turned off, resulting in millions of computers worldwide no longer having Internet access.
“Millions of people around the world may lose access to the Internet this week. Why Rogue DNS Servers ! 220.127.116.11 through 18.104.22.168 ! 22.214.171.124 through 126.96.36.199 ! 188.8.131.52 through 184.108.40.206 ! 220.127.116.11 through 18.104.22.168 ! 22.214.171.124 through 126.96.36.199 ! 188.8.131.52 through 184.108.40.206”
In November 2011, six Estonian nationals were arrest ed for running a sophisticated Internet fraud ring that infected millions of computers worldwide with the DNS Changer which enabled them manipulate the multibillion dollar Internet advertising industry. This virus also made computers vulnerable to a host of other viruses. The criminals are said to have siphoned off $14 million, but the amount could be much larger because banks are typically reluctant to reveal how much they have lost. The two-year FBI investigation was code-named Operation Ghost Click.
What is DNS?
DNS stands for Domain Name System. It is an Internet service that converts user-friendly domain names into the numerical Internet protocol (IP) addresses that computers use to talk to each other. DNS and DNS Servers are a critical component of your computer’s operating environment.
Without them, you would not be able to access websites, send e-mails or use any other Internet service.
When you enter a domain name, such as http://www.abc.com, in your web browser’s address bar, your computer contacts DNS servers to determine the site’s IP address.
Your computer then uses this IP address to connect to the website. DNS servers are operated by your Internet service provider (ISP) and are included in your computer’s network configuration.
What is DNSChanger?
A small file about 1.5 kilobytes, DNSChanger is a Trojan that changes the infected system’s DNS settings, in order to divert traffic to unsolicited and potentially illegal sites.
This Trojan is designed to change the “NameServer” Registry key value to a custom IP address, which is usually encrypted in the body of the Trojan. By controlling DNS, a criminal can get an unsuspecting user to connect to a fraudulent website or interfere with that user’s online web browsing.
DNSChanger malware causes a computer to use rogue DNS servers in one of two ways
First, it changes the computer’s DNS server settings to replace the ISP’s good DNS settings with rogue DNS IP addresses operated by the criminal.
Second, it attempts to access devices on the victim’s office or home network that run a dynamic host configuration protocol (DHCP) server (for example, a router). The malware attempts to access your router using common default user names and passwords. This is usually “admin” and “admin” respectively. It converts the genuine DNS settings these devices use to rogue DNS settings operated by the criminals. This is a change that impacts all computers on the corporate network, even if individual computers are not infected.
One consequence of the FBI disabling the rogue DNS network is that victims who unknowingly access the Internet through rogue servers could lose access to the Internet altogether. So the FBI got a court order allowing them to replace the rogue servers with legitimate stand-ins.
The FBI was told to educate the public and Internet Service Providers about the DNSChanger malware.
If your ISP’s DNS server is infected, you, too, will be affected. How do you know if your computer is infected? It is best to have it evaluated by a professional. You can also check it yourself in Windows 7 by going to the Start menu, typing Run and then cmd. At the command prompt, enter: ipconfig /all. Look for the entry that reads “DNS Servers……….”
The DNS number in the format of bers are in the format of nnn.nnn.nnn.nnn, where nnn is a number from 0 to 255. Make note of the IP addresses for the DNS servers and compare them to the table of known rogue DNS servers (see box).
If you are using a Mac, click on the Apple symbol in the top left corner and choose System Preferences, then Network and click on the Advanced button. Choose the DNS tab on top to show the DNS servers you are using.
There is a special website to check if your ISP’s DNS requests are made to the right places: http://www.dnsok.de. This site will tell you if you are affected by the DNS Changer malware or not.
What will happen after March 8? According to the FBI, it will shut down the surrogate DNS servers over a period of four months, affecting millions of users who are still using rogue DNS addresses. If your PC is infected by rouge DNS, you can us Avira DNSRepair tool
Mac users just make sure you are using the correct DNS. And check your computer thoroughly for other malware.