Friday, July 6, 2012

DNSChanger malware - July 9th 2012 - Internet shut down?

There have been some questions lately regarding Monday, July 9th, 2012 being the last day for the internet.  What’s going on?  Have the crooks crippled us?

Well, yes and no...  Yes, there are always risks on the internet.
No, the internet is not going away, and the good guys, such as the FBI, are still catching the bad guys.

So here’s what’s happening....

Back in 2007, a ring of six Estonian nationals started using a piece of malware known as DNSChanger.  By the time it was shut down it had infected about 4 million computers in more than 100 countries.  About 500,000 of those were in the United States, including individuals, businesses, government agencies, and even NASA.   Unsurprisingly, this drew the attention of the FBI.  It was discovered that these cyber-criminals were quietly steering the web traffic of the infected computers through servers they controlled, and the result was the cyber-criminals profiting at least $14 million in illicit fees.  In addition, the malware also blocked the infected computers from getting antivirus and operating system updates, thereby exposing the infected machines to even more malicious software.  

The DNSChanger malware would change settings on the infected computer.  So what is DNS, and why does it matter if it gets changed?  

DNS stands for Domain Name System.  Every domain, such as PCKen.com, has both the name that you just read and an IP address.  For PCKen.com, the IP address is 69.64.156.60.  The domain name is for you, so you can easily remember how to visit PCKen’s website.  The IP address is for the computers all over this planet, so they have a number to call.  Computers don’t really understand our language.  They need a number to dial before they can display the webpage you want.

So, when you type PCKen.com into your web browser, your computer uses DNS to find out the number (69.64.156.60) to browse to.  If your computer has never been to that website before, or it’s been long enough since the last visit that the answer it remembered has expired, then it has to ask a DNS server for the current number assigned to that domain.  Which DNS server it asks is just a setting on the computer (or on the home router that hands out settings to the computer).  For normal home users, that DNS server is operated by the Internet Service Provider.  For most business users, the DNS server is operated by the business IT department.

So here is what happened with the Estonian cyber criminals.  They were able to get the DNSChanger malware onto unsuspecting users’ computers (probably through spam or infected websites).  The DNSChanger malware changed settings on the computer, and in some cases on the home router, overriding the DNS settings and pointing them at the evil DNS servers owned by the cyber criminals.  From then on, every “what number is PCKen.com?” question went to the crooks, and they got to pick the answer.

Then, when you typed PCKen.com into the browser, instead of your computer being sent to 69.64.156.60 and seeing my site, you could be sent wherever the crooks wanted: to a site that would tell you that your computer was infected and demand that you pay money to clean it up, to a search result the crooks were paid to send traffic to, or to a page where the ads had been swapped for theirs.

The problem is, every one of those hijacked clicks earned the crooks a fee, and plenty of people pulled their credit cards out of their wallets too.... that’s how $14 million goes into the hands of these crooks.

When the FBI tracked down the source of the drama, they partnered with Estonian officials and arrested the leaders of this cyber criminal ring in November 2011.  And, with a court order, they took over the evil DNS servers and replaced them with clean ones, so that the millions of infected computers kept working instead of losing the internet overnight.

The problem is, the FBI is still seeing a lot of web traffic being processed through the clean servers.  And it is important to note that the clean servers are not able to actually clean an infected computer.  They can only answer the question “what number goes with this domain name?”  That’s all DNS servers do.  But since the FBI is still seeing that traffic, that means there are still a lot of computers and/or routers that have been infected by the DNSChanger malware and are still pointed at the wrong address.

And on July 9th, 2012, the court order expires (it had already been extended once, from March), and the clean DNS servers get turned off.

If your computer or router is pointing to a DNS server that has been turned off, you will be unable to browse the internet by name.  The internet itself will be fine, and so will everyone whose settings were never changed; but without a working DNS server, typing PCKen.com will just get you an “Internet Explorer cannot display the webpage” message.  That is what all the hype is about for July 9, 2012.

So, how do you know if you are infected with the DNSChanger malware?  Visit http://www.dns-ok.us/

If you go to that website and get a red background, give me a call.
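For the more hands-on readers, here is another way to do the same check without leaving your machine.  The malware works by changing the DNS server setting described above, so you can simply read that setting back and compare it against the address ranges the rogue servers lived in.  This is an added example written for this post, not code from PCKen, the FBI, or dns-ok.us.  The six address ranges in it are the ones the FBI and the DNSChanger Working Group published for the rogue servers; double-check them against the DCWG’s current list before trusting the result.  The two configuration samples are constructed for the demo: one mimics `ipconfig /all` output on an infected Windows PC, the other a clean `/etc/resolv.conf`.

```python
"""
Offline DNSChanger check: does this machine's resolver setting point
into the address ranges the rogue DNS servers used?

Added example for this post (not PCKen's, the FBI's, or DCWG's code).
"""
import ipaddress
import re

# Rogue resolver ranges as published by the FBI / DNSChanger Working
# Group.  Verify against the current DCWG list before relying on them.
ROGUE_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
    "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
    "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
    "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
    "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
    "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
)]

# A dotted-quad IPv4 address (IPv6 resolvers are ignored here).
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_dns_servers(config_text):
    """Pull resolver addresses out of 'ipconfig /all' output (Windows,
    'DNS Servers' line plus indented continuation lines) or out of
    /etc/resolv.conf ('nameserver' lines).  Other lines are ignored."""
    servers = []
    in_dns_block = False
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("nameserver"):            # resolv.conf style
            in_dns_block = False
            matches = IPV4_RE.findall(stripped)
        elif "DNS Servers" in stripped:                   # ipconfig style
            in_dns_block = True
            matches = IPV4_RE.findall(stripped)
        elif in_dns_block and IPV4_RE.fullmatch(stripped):
            matches = [stripped]                          # continuation line
        else:
            in_dns_block = False
            matches = []
        for candidate in matches:
            try:
                servers.append(ipaddress.ip_address(candidate))
            except ValueError:
                pass                                      # e.g. 999.1.1.1
    return servers


def is_rogue(addr):
    """True if the address falls inside any published rogue range."""
    return any(addr in net for net in ROGUE_RANGES)


def check_config(config_text):
    """Return (all resolvers found, the ones that are rogue) as strings."""
    servers = extract_dns_servers(config_text)
    return ([str(s) for s in servers],
            [str(s) for s in servers if is_rogue(s)])


# Constructed sample: what 'ipconfig /all' might show on an infected PC.
INFECTED_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.5
                                       67.210.7.10
"""

# Constructed sample: a clean /etc/resolv.conf pointing at the ISP/router.
CLEAN_RESOLV_CONF = """\
# Generated by the router
nameserver 8.8.8.8
nameserver 192.168.1.1
"""

if __name__ == "__main__":
    for label, text in (("infected sample", INFECTED_IPCONFIG),
                        ("clean sample", CLEAN_RESOLV_CONF)):
        found, rogue = check_config(text)
        verdict = "ROGUE DNS - likely DNSChanger" if rogue else "looks clean"
        print(f"{label}: resolvers={found} -> {verdict}")
```

To run it against your own machine, paste the output of `ipconfig /all` (Windows) or the contents of `/etc/resolv.conf` (Mac/Linux) into `check_config`.  Remember to check the router too: if the router was changed, every computer behind it inherits the bad setting even though the computers themselves look fine.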



You can also check out this video by my friends at Sophos...


http://www.youtube.com/embed/Gl7d6cDFDHo
