The Australian Communications and Media Authority, CERT Australia and the Australian Government's Stay Smart Online initiative have teamed up to allow users to check if they are affected by the DNSChanger malware in an attempt to avoid around 10,000 Australians waking up on 9 July and thinking their internet connections have been broken.
On 9 July, the FBI will take down the Domain Name System (DNS) servers it has commandeered through the Internet Systems Consortium. These servers were used by the DNSChanger malware to conduct its fraudulent activities. When the servers are taken down, anyone that is infected with DNSChanger will be unable to use DNS to browse the internet.
Although infected users' will still be able to use any online services that are referenced directly by IP address (as this bypasses the need for DNS), the majority of infected users will find they will be unable to browse the web and their internet connection will appear to have been lost.
For example, DNS servers allow users to navigate to Google Search Australia by typing or clicking on a link to www.google.com.au in their browsers. However, if the user's computer has been infected with DNSChanger, after 9 July, that user would only be able reference Google directly using one of its less-memorable IP addresses, such as 22.214.171.124.
The DNS server providing this look-up service has to be trusted by the user to provide the correct IP addresses. The DNSChanger malware surreptitiously pointed users to a series of DNS servers controlled by the malware authors. These would cause the users to load content of the authors' choosing, such as more malware or advertising that would drive revenue to the criminals. The malware also attempted to change settings in network equipment, such as ADSL modems/routers, so that an entire network could be compromised.
The new website created by the government, www.dns-ok.gov.au, provides users with an easy way to determine if they are affected by the DNSChanger malware and provides links to organisations with instructions on how infected users can remedy the situation to ensure their connectivity doesn't suffer once the servers are taken offline.
The Australian site joins a number of services that have been set up worldwide, and which are designed to detect DNSChanger. According to the FBI, in 2007, about 4 million computers were infected across more than 100 countries.
The six criminals behind the operation were arrested and charged in November of 2011, but the FBI took control of the servers and replaced the fraudulent DNS entries with legitimate ones to stop infected users from being victimised by the malware. Their closure of the servers on 9 July will mean that affected computers will essentially point to a service that no longer exists.