DNSChanger to knock 350,000 users off Internet this July
Summary: The DNSChanger botnet is long dead, fixes for the malware have been around for months, but over 350,000 users still haven't fixed their computers or routers, so in July they'll be knocked off the Internet.
Every lousy day, here at ZDNet and all the other reputable technology news and opinions sites, we preach about basic computer security. Windows users are always the most vulnerable, but even Mac users can get hit as well. And, every lousy day, far too many people don't pay any heed to these warnings. Take the case of DNSChanger, which was fixed months ago but is still going to end up knocking hundreds of thousands of PCs off the Internet this July.
DNSChanger is a Windows and Mac Trojan that's been around since 2007. What it did was cause Windows PCs and Macs to use rogue Domain Name System (DNS) servers. First, it changed your computer's DNS server settings to replace your ISP's good DNS servers with rogue DNS servers (PDF link) operated by the criminals. Then, it tried to compromise your routers and home gateways. It did this by trying the most common default user names and passwords for small office/home office (SOHO) routers that act as dynamic host configuration protocol (DHCP) servers. If successful, DNSChanger switched your router or gateway's default DNS servers to the rogue DNS servers. This in turn made all the PCs on your LAN use the corrupt DNS servers, because the router hands those server addresses out over DHCP. This way a single infected system could compromise every PC on a network even if they didn't have an infection.
What happened then was that when you tried to go to a popular Website, like Amazon or iTunes, instead of seeing the content you'd expected, you'd see large advertisements or were rerouted to spam or malware sites. Adding insult to injury, DNSChanger also blocked access to anti-virus sites to prevent the removal of the malware.
Back in November, in Operation Ghost Click, the FBI shut down the botnet behind DNSChanger. In the meantime, every major anti-virus company has updated its programs to find and smash DNSChanger. So why, in April, is it still a problem?
I'll tell you why, because out of the four-million or so people whose systems were infected with DNSChanger, 350,000 or so, slightly less than one in ten, still have it and still haven't fixed their computer or router's DNS settings. Argh!
You see, after the FBI took down the botnet, it arranged to have the Internet Systems Consortium put up good DNS servers in place of the ones that were redirecting people to bad sites. This way those who had been infected would still be connected to the Internet. And, of course, so they could get fresh anti-virus software to clean up the bug and find out how to reset their DNS. Most people did. A lot of people didn't.
The FBI wants to shut down its servers for those who never bothered to clean up their systems. Originally the Feds were going to shut down the replacement servers in March, but last month a federal judge ordered an extension of the DNS fix to July 9. This gives the clueless, users, businesses and governments alike, a few more months to deal with DNSChanger.
The clueless, by the way, aren't just individuals who never patch their computers and haven't updated their anti-virus software this decade. No, according to IID (Internet Identity), a provider of technology and services that help organizations secure their Internet presence, 94 of all Fortune 500 companies and three out of 55 major government entities still had at least one computer or router that was infected with DNSChanger in March.
Is it any wonder that hardly a day goes by without news of yet another major Web site security breach?
To find out if you're infected, visit the DNS Changer Check-Up site, which checks your PC's DNS resolution without installing any software. If you do have a case, all modern, up-to-date anti-virus programs can remove DNSChanger.
After zapping it, you may still need to change your router's DNS settings if the bug got to it. How to do this varies from router to router; just follow your vendor's instructions. You can either choose to use your ISP's default DNS servers or, do like I do, and use the OpenDNS DNS servers, 208.67.222.222 and 208.67.220.220, or Google's DNS servers, 8.8.8.8 and 8.8.4.4. Either tends to be faster than most ISPs' DNS services.
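The check-up described above, as an added example that is not code from the article or from the DNS Changer Check-Up site: it reads resolv.conf-style resolver settings, flags any nameserver that falls inside a list of rogue address ranges, and flags resolvers that are neither on your own LAN (your router, or an ISP-assigned resolver) nor one of the public resolvers the article names. The rogue ranges in the script are placeholders constructed for the example, not the real DNSChanger ranges; load the published list before relying on it. The same logic applies to the "DNS Servers" lines of `ipconfig /all` on Windows.

```python
"""Audit a host's configured DNS resolvers for DNSChanger-style tampering.

Added example, not code from the ZDNet article. Parses resolv.conf text,
labels each nameserver, and reports whether the configuration is clean.
"""
import ipaddress
import re

# PLACEHOLDER rogue ranges, constructed for this example (documentation
# TEST-NET blocks). Replace with the published DNSChanger rogue ranges.
ROGUE_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Public resolvers the article recommends: OpenDNS and Google Public DNS.
KNOWN_PUBLIC = {
    "208.67.222.222", "208.67.220.220",
    "8.8.8.8", "8.8.4.4",
}

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses in resolv.conf-style text, in order."""
    return NAMESERVER_RE.findall(resolv_conf_text)


def classify_resolver(addr):
    """Label one resolver: 'rogue', 'public', 'local' or 'unknown'."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unknown"  # not an IP literal; treat as suspicious
    # Rogue check comes first so a rogue address in a special-use block
    # is never mislabelled as 'local'.
    if any(ip in net for net in ROGUE_RANGES):
        return "rogue"
    if addr in KNOWN_PUBLIC:
        return "public"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "local"  # the router/gateway, or a resolver on this host
    return "unknown"


def audit(resolv_conf_text):
    """Classify every configured resolver; returns a list of (address, label)."""
    return [(a, classify_resolver(a)) for a in parse_nameservers(resolv_conf_text)]


def is_clean(resolv_conf_text):
    """True only if every resolver is a known public one or on the LAN."""
    labels = [label for _, label in audit(resolv_conf_text)]
    return bool(labels) and all(label in ("public", "local") for label in labels)


# Constructed sample: the first resolver points into a (placeholder) rogue
# range, the second at the LAN router. Resolvers are tried in order, so the
# rogue one answers every query while it is up.
SAMPLE_HIJACKED = """\
# Generated by DHCP
search home.example
nameserver 192.0.2.53
nameserver 192.168.1.1
"""

# Constructed sample of a host using the OpenDNS resolvers from the article.
SAMPLE_CLEAN = """\
nameserver 208.67.222.222
nameserver 208.67.220.220
"""

if __name__ == "__main__":
    for name, text in (("hijacked", SAMPLE_HIJACKED), ("clean", SAMPLE_CLEAN)):
        print(name, audit(text), "clean" if is_clean(text) else "NOT clean")
```

A "local" label only means the host trusts its router; because DNSChanger also rewrote router settings, a host that passes this check still needs its gateway's upstream DNS servers compared against the same rogue list, which is exactly the router step the article describes.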
Talkback
So the government was REALLY doing them a favor? I doubt that.
I have several problems with this:
1. If you didn't know that you were infected how will you find out if your internet experience is unchanged? Dead DNS servers would give even the most clueless users a chance to realize something is wrong and call in qualified help to fix it.
2. What exactly does the government gain by providing this service? Anyone that runs a DNS server can monitor who accesses it and what they are accessing. Call me paranoid, but to me that implies that the government wants people to access their pwnd servers to track what is being accessed. How is this any better than the "real" crooks that sent out the virus to begin with?
3. Most of the people forced into this situation don't have proper protection so for months they continued to be open to OTHER infections and angles of attack and this is prolonged by the government providing these "replacement" servers to begin with.
4. This is NOT a good thing for the government to be doing and we are put at greater risk FROM the government because of their so called act of good will.
Is it just me or does the air smell really bad now?
Smells bad man
Sorry, I disagree.
More than 90% of people [b]did[/b] fix their systems. So yes, apparently they were notified somehow.
"What exactly does the government gain by providing this service?"
Taxpayer money. We give them money to do their job, and they do it.
Of course, you can tinfoil this to death, I'm sure, but I see no reason to claim malicious intent here.
Not to mention the service is getting shut down, which is [b]NOT[/b] in line with your claim that the government wants to track people with this. So this appears to be evidence against your claim, not for it.
"Most of the people forced into this situation don't have proper protection so for months they continued to be open to OTHER infections and angles of attack and this is prolonged by the government providing these 'replacement' servers to begin with."
350 thousand out of four million people fixed their systems. You need 50% to get "most," and this is closer to 9%.
"This is NOT a good thing for the government to be doing and we are put at greater risk FROM the government because of their so called act of good will."
I find your conclusion to be invalid, as it appears to be based on pure speculation and is not backed up by any of the evidence. There is no evidence of malicious intent in this case.
Informative
A bit of searching on the net and it seems this trojan won't infect your machine unless you're surfing the net with an admin account or have installed some rogue games or applications that have this DNSChanger payload.
A little late, but better late than never
350K machines off the net. Maybe some sites will speed up a bit.
Should we be recommending Google DNS Servers?
Specifically, is Google logging every site that people visit? Is it using all the other information it has about people in order to build highly detailed profiles of users? Example: Let's say you're logged into a Google account and also use the Google DNS servers. Is Google tracking every site you visit and using that information to help line its coffers?
The bottom line is that I'll use Open DNS but not Google's DNS servers.
And what makes OpenDNS any better?
From the Privacy Policy on OpenDNS website:
"OpenDNS Service Usage Information
OpenDNS runs a Domain Name System (DNS) service. DNS translates a domain name (e.g., http://www.example.com) into the corresponding numerical address (e.g., 192.0.34.166) that allows your system to access the domain over the network. When you use OpenDNS services, OpenDNS stores certain DNS, IP address and related information about you to improve the quality of our service, to provide you with OpenDNS services and for internal business and analysis purposes."
http://www.opendns.com/privacy/
Running a DNS server is expensive?
How did you reach such a conclusion? One can run a reasonably performing public DNS server from their home, today. It does not require any significant processing power, either. Your desktop PC will do.
Reply to danbi below.
So you are allowing thousands of people to use your home DNS server? Somehow I doubt you have the bandwidth or CPU power to handle THAT kind of load.
Real and Imaginary - the difference
The difference between what is real and what is imagined is so stark that it's not even funny. It's also a fact that the third world war would most likely be on the Internet and electronic front.
And, Mac being 10 years behind Microsoft in virus prevention is now old news.
We should stop being dependent on so many people for our privacy, security and knowledge. Online courses are available to help people. They range from courses on ethical hacking to computer security [like this one http://www.wiziq.com/course/3706-computer-security-and-ethical-hacking-training-by-ankit-fadia here] which help everyone come up to speed on the threats in the modern world. These are limited not just to computers but also the Internet, mobile, ATMs and more. It's a scary thought but needs to be tackled as soon as it's possible.
I don't understand
Am I missing something? It just seems so obvious.
it's obvious, and proper method
Chances are the vast majority, especially ones in big companies are old unused systems just sitting there. Every big company I've worked on had these types of "don't touch" systems 'cause somebody might still be using it. I know of a server running NT 3.5, still up and running in 2011--not sure if it survived to 2012. No plans to shut down. Nobody is using it, but management is afraid--of themselves.
Just shut them down. Eventually, some month or year, someone might realize the system hasn't had DNS for a few years. Probably because it wasn't important to function, or hadn't been functioning in years.
Data collection
If they redirect the user right away to such a site, they won't see any of their other activity.
"If they redirect the user right away..."
Use your ISP's DNS servers!!!
"You can either choose to use your ISP's default DNS servers or, do like I do, and use the OpenDNS DNS servers, 208.67.222.222 and 208.67.220.220, or Google's DNS servers, 8.8.8.8 and 8.8.4.4. Either tend to be faster than most ISP's DNS services."
Is wrong!
If you cannot run your own DNSSEC-validating DNS resolver, then use your ISP's DNS servers. In that order.
If you value your privacy and want to see the real, unaltered Internet, do not even think of using any "public" DNS server. Especially Google's.
Also, avoid using your router's DNS capability if possible. Most routers/gateways have broken DNS implementations. Many 'routers' won't let you bypass their captive portals, so you may wish to consider a different make/model.
The DNS is now DNSSEC capable. If you run your own DNS resolver, that uses DNSSEC, best on your own computer, then no man in the middle can redirect you from any site that uses DNSSEC.
Many large ISPs, for example Comcast in the US, are offering DNSSEC-enabled DNS services. Google's "public DNS" has had DNSSEC broken (not checked right now), perhaps because they don't want you to be able to tell whether they have modified the DNS (what you see from the Internet) for you or not.
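One way to tell whether the resolver you are using actually validates DNSSEC, as the comment above recommends, is to compare its answers for a correctly signed name and for a name whose signatures are deliberately broken: a validating resolver sets the AD (authenticated data) flag on the first and returns SERVFAIL for the second, while a non-validating resolver returns a plain NOERROR for both. The script below, an added example that is not part of the comment or the article, parses the header lines that `dig +dnssec` prints and turns the pair of answers into a verdict. The dig outputs embedded in it are constructed samples in dig's header format, not captured from any real resolver.

```python
"""Decide from two dig response headers whether a resolver validates DNSSEC.

Added example, not code from the article or the commenter. Usage in practice:
capture `dig +dnssec <signed-name> @<resolver>` and the same query for a
name with known-bad signatures, then pass both outputs to verdict().
"""
import re

STATUS_RE = re.compile(r"status:\s*([A-Z]+)")
FLAGS_RE = re.compile(r"^;; flags:\s*([a-z ]*);", re.MULTILINE)


def parse_dig_header(output):
    """Return (status, set of header flags) from dig's header lines."""
    status = STATUS_RE.search(output)
    flags = FLAGS_RE.search(output)
    if not status or not flags:
        raise ValueError("not a dig response header")
    return status.group(1), set(flags.group(1).split())


def verdict(signed_ok_output, signed_bad_output):
    """Classify the resolver that produced both responses.

    'validating':     signed name answered with AD set, bad name SERVFAIL
    'not validating': both answered NOERROR with no AD flag
    'inconsistent':   anything else (e.g. AD set but bad signatures accepted)
    """
    ok_status, ok_flags = parse_dig_header(signed_ok_output)
    bad_status, _ = parse_dig_header(signed_bad_output)
    if ok_status == "NOERROR" and "ad" in ok_flags and bad_status == "SERVFAIL":
        return "validating"
    if ok_status == "NOERROR" and "ad" not in ok_flags and bad_status == "NOERROR":
        return "not validating"
    return "inconsistent"


# Constructed samples: what a validating resolver returns for a properly
# signed name and for a name with broken signatures.
VALIDATING_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
VALIDATING_BAD = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

# Constructed samples: a non-validating resolver answers both without AD.
PLAIN_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
PLAIN_BAD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4245
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""

if __name__ == "__main__":
    print("validating resolver:", verdict(VALIDATING_OK, VALIDATING_BAD))
    print("plain resolver:     ", verdict(PLAIN_OK, PLAIN_BAD))
```

The AD flag is only as trustworthy as the path between you and the resolver that set it, which is the commenter's reason for running the validating resolver on your own computer: a man in the middle between you and a remote validating resolver can strip or forge the flag, but cannot forge the signatures that a local validator checks itself.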
How about the rest of us?