By Woody Leonhard on May 2, 2012 in Top Story
DNSChanger virus spells ‘Internet Doomsday’ … The end is nigh, according to the FBI … ‘Internet doomsday’ will strike us all on July 9 …
That’s what a couple of popular websites had to say about the DNSChanger virus. What a crock!
I’ve been writing about viruses for about two decades, and I don’t think I’ve ever seen headlines that ridiculous from sources that should know better.
DNSChanger is a real piece of malware — it’s a variant of the TDSS/Alureon family of Trojans — and it was a real problem until taken down Nov. 8, 2011, in a joint FBI–Estonian police action code-named “Operation Ghost Click” (FBI site).
Since then, it seems, DNSChanger has hit headline after headline — with dire warnings. Even local TV news programs have covered it in breathless terms, as if it were the worst thing to ever infect your computer.
Lemme tell ya. It’s easy to write scary headlines such as “New Mac Trojan makes your clicking finger fall off!” (no doubt because Mac mice have only one button) or “Log on to Windows and lose your life savings!” It’s not so easy to examine the threat, digest it, translate it into terms we can all understand, and make a few simple recommendations.
That’s the goal for this column. Is it true that, as a Huffington Post U.K. headline put it, “The end is nigh, according to the FBI!”? I don’t think so.
Exactly what does DNSChanger do?
With an estimated four million infected computers — 500,000 in the U.S. alone — DNSChanger was one of the largest botnets ever disassembled. However, despite what you may have read, this botnet wasn’t designed to steal your credit-card numbers or bank-account passwords. DNSChanger rerouted your browser to websites that mostly sold little blue pills, antivirus products that didn’t work, and other scummy stuff.
The people behind DNSChanger received commissions from these fake pharmaceutical companies, rogue antivirus sites, and other unsavory cyber characters. The FBI avers that these “commissions” amounted to more than $14 million.
Typically, DNSChanger infected systems by posing as a codec needed for viewing videos streamed from adult sites. When you clicked to view these bogus videos, Windows Media Player would complain that it didn’t have the right codec. Users then downloaded the codec from the site, gave permission to install the codec, and — well, there you go.
(Given the amount of unauthorized Web surfing on business PCs, it should not be surprising that half of the Fortune 500 companies and roughly half of all U.S. government agencies now have one or more PCs infected with DNSChanger.)
As befits a TDSS/Alureon variant, the infection is a nasty one — full rootkit behavior that’s hard to detect and even harder to clean.
On Windows, the infection changes your computer’s DNS server, usually by hacking the Registry. (If you aren’t familiar with Domain Name Servers — the White Pages of the Internet — check out Susan Bradley’s April 5 Top Story.) With a subverted DNS server, you might type www.google.com into your browser — any browser — and end up at www.buyonlinepharmaceuticalsifyoudare.com. The bad guys set up several DNS servers that did exactly that.
Naturally, if you tried to go to common Web addresses that offer antivirus help, AV scans, patches, advice, or even news about DNSChanger, you were rerouted. Effectively, your browser belonged to DNSChanger.
DNSChanger meets its match on two continents
As scary as that DNSChanger sounds, you no longer need fret over it — you no longer have to worry about DNSChanger changing your PC’s DNS server. The FBI and many other organizations — in the U.S. and in Estonia — took DNSChanger down. You might still get an Alureon infection, but it won’t be DNSChanger.
Although it took years, the FBI succeeded in identifying the people directly involved in the scam — six men in Estonia. The agencies also found the IP addresses of the DNSChanger servers: all were located within the U.S.
In a complex, well-coordinated action, Estonian police arrested most of the bad guys, who are now facing extradition to the U.S. To minimize Internet service disruptions to those four million infected PCs, the FBI and the Internet Systems Consortium (the nonprofit that maintains the ubiquitous DNS server software, BIND) pulled off an amazing technical feat: they quickly replaced the malicious servers with legitimate DNS servers. (Many PC users might still not know they’re infected. But at least they’re getting to their intended websites.)
Operation of the DNS server farm was given to a new organization called the DNSChanger Working Group, which consists of representatives from the computer industry and law enforcement. That left the FBI in the position of running a DNS server farm — and also left a nagging question.
The take-down aftermath, and what you can do
For those four million PCs, what’s the smarter move: leave users unaware that they’re infected and maintain the servers indefinitely, or gradually shut down the servers and cut off small numbers of users at a time?
It’s a tough choice. There’s no right or wrong answer, from my point of view. The FBI and the BIND maintainers (ISC) could perhaps try to intercept a handful of webpages and put up warnings on them. But that might scare the daylights out of a lot of people and leave them with the task of changing to another DNS server on their own.
The FBI and the DNSChanger Working Group originally had court permission to keep the server farm running until March 8. As the deadline approached, people fretted that shutting off the remaining infected machines (still millions of them, at that point) would cause a lot of panic. So they sought, and received, a court extension to July 9.
Will the DNSChanger Working Group look for another extension after July 9? I think it’s highly likely that they’ll ask for — and receive — an extension. Remember, though, somebody has to pay for running the temporary server farm.
So while we wait for an Internet Armageddon that will never come (at least not from DNSChanger), here’s something you can do (and have all your friends do, as well). Go to the DNSChanger Working Group Detect site and click the link at the bottom for your language or country. (Because you’re reading this in English, you’ll most likely click through to the main DCWG test page.) When you get to the DNS Changer Check-Up page, you’ll see a large graphic — if it’s green, you’re fine; if it’s red, you’re infected.
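The DCWG check-up page works from the server side: it sees which resolver your browser’s request came through. The client-side equivalent, for anyone who would rather check a fleet of PCs without a browser, is to read the DNS server addresses Windows stores in the Registry (the NameServer and DhcpNameServer values under each Tcpip interface key, the same setting the infection rewrites) and test each one against the rogue address ranges. The script below is an added example, not part of this column or of the DCWG’s own tool; the ROGUE_RANGES list is a labelled placeholder using RFC 5737 documentation addresses and must be filled from the FBI/DCWG published list before real use, and the registry path and value names are the standard Windows ones.

```python
"""Client-side DNSChanger check: compare a Windows PC's configured DNS servers
against a list of rogue address ranges.

Added example, not the column's or the DCWG's code. ROGUE_RANGES is a
PLACEHOLDER (RFC 5737 documentation space); replace it with the ranges the
FBI/DCWG published before using this for real.
"""
import ipaddress
import platform

# PLACEHOLDER ranges, not the real DNSChanger resolver addresses.
ROGUE_RANGES = [ipaddress.ip_network(r) for r in (
    "192.0.2.0/24",      # placeholder, RFC 5737 TEST-NET-1
    "198.51.100.0/24",   # placeholder, RFC 5737 TEST-NET-2
)]


def parse_nameserver_value(raw):
    """NameServer / DhcpNameServer are REG_SZ strings, space- or comma-separated."""
    if not raw:
        return []
    return [s for s in raw.replace(",", " ").split() if s]


def classify_servers(servers, rogue_ranges=ROGUE_RANGES):
    """Return (status, hits): 'red' if any server sits in a rogue range,
    'green' if every parsable server is clean, 'unknown' if nothing parsable."""
    hits = []
    checked = 0
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            continue  # malformed entry; skip rather than crash
        checked += 1
        if any(addr in net for net in rogue_ranges):
            hits.append(s)
    if hits:
        return "red", hits
    if checked == 0:
        return "unknown", []
    return "green", []


def read_windows_dns_servers():
    """Read per-interface resolver addresses from the Registry (Windows only;
    returns [] elsewhere so the rest of the script still runs)."""
    if platform.system() != "Windows":
        return []
    import winreg
    base = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
    servers = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as ifaces:
        i = 0
        while True:
            try:
                guid = winreg.EnumKey(ifaces, i)
            except OSError:
                break  # no more interface subkeys
            i += 1
            with winreg.OpenKey(ifaces, guid) as k:
                for name in ("NameServer", "DhcpNameServer"):
                    try:
                        val, _ = winreg.QueryValueEx(k, name)
                    except FileNotFoundError:
                        continue  # value absent on this interface
                    servers.extend(parse_nameserver_value(val))
    return servers


if __name__ == "__main__":
    found = read_windows_dns_servers()
    if not found:
        # Constructed sample so the script demonstrates a hit on a non-Windows host.
        found = ["203.0.113.1", "192.0.2.55"]
    status, hits = classify_servers(found)
    print("DNS servers:", found)
    print("status:", status, ("(rogue: %s)" % hits) if hits else "")
```

Red means at least one configured resolver falls in a rogue range, which matches what the DCWG graphic tells you; unknown means no resolver address could be read or parsed, which is worth a manual look rather than a green light.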
There are lots of DNSChanger-fixing programs out there. I’ve not run across any infected machines yet; but if I do, my first choice for cleaning them would be Windows Defender Offline, which I wrote about in my Jan. 5 Top Story.
Yep, this is one of the tests even your Aunt Martha needs to take.