DNSChanger to knock 350,000 users off Internet this July

The DNSChanger botnet is long dead and fixes for the malware have been around for months, but over 350,000 users still haven't fixed their computers or routers, so in July they'll be knocked off the Internet.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

Every lousy day, here at ZDNet and all the other reputable technology news and opinions sites, we preach about basic computer security. Windows users are always the most vulnerable, but even Mac users can get hit as well. And, every lousy day, far too many people don't pay any heed to these warnings. Take the case of DNSChanger, which was fixed months ago but is still going to end up knocking hundreds of thousands of PCs off the Internet this July.

DNSChanger is a Windows and Mac Trojan that's been around since 2007. What it did was to cause Windows PCs and Macs to use rogue Domain Name System (DNS) servers. First, it changed your computer's DNS server settings to replace your ISP's good DNS servers with rogue DNS servers operated by the criminals. Then, it tried to compromise your routers and home gateways. It did this by trying the most common default user names and passwords for small office/home office (SOHO) dynamic host configuration protocol (DHCP) servers. If successful, DNSChanger switched your router or gateway's default DNS servers to the rogue DNS servers. This in turn would make all the PCs on your LAN go to the corrupt DNS servers. This way a single infected system could compromise every PC on a network even if they weren't themselves infected.

What happened then was that when you tried to go to a popular Website, like Amazon or iTunes, instead of seeing the content you'd expected, you'd see large advertisements or were rerouted to spam or malware sites. Adding insult to injury, DNSChanger also blocked access to anti-virus sites to prevent the removal of the malware.

Back in November, in Operation Ghost Click, the FBI shut down the botnet behind DNSChanger. Since then every major anti-virus company has updated its programs to find and smash DNSChanger. So why, in April, is it still a problem?

I'll tell you why: out of the four million or so people whose systems were infected with DNSChanger, 350,000 or so, slightly less than one in ten, still have it and still haven't fixed their computer or router's DNS settings. Argh!

You see, after the FBI took down the botnet, it arranged to have the Internet Systems Consortium put up good DNS servers in place of the ones that had been redirecting people to bad sites. This way those who had been infected would stay connected to the Internet and, of course, could get fresh anti-virus software to clean up the bug and find out how to reset their DNS. Most people did. A lot of people didn't.

The FBI wants to shut down its servers for those who never bothered to clean up their systems. Originally the Feds were going to shut down the replacement servers in March, but last month a federal judge ordered an extension of the DNS services fix to July 9. This gives the clueless, whether users, businesses or governments, a few more months to deal with DNSChanger.

The clueless, by the way, aren't just individuals who never patch their computers and haven't updated their anti-virus software this decade. No, according to IID (Internet Identity), a provider of technology and services that help organizations secure their Internet presence, 94 of all Fortune 500 companies and three out of 55 major government entities still had at least one computer or router that was infected with DNSChanger in March.

Is it any wonder that hardly a day goes by without news of yet another major Web site security breach?

To find out if you're infected, visit the DNS Changer Check-Up site, which checks your PC's DNS resolution without installing any software. If you do have a case, all modern, up-to-date anti-virus programs can remove DNSChanger.

After zapping it, you may still need to change your router's DNS settings if the bug got to it. How to do this varies from router to router, so just follow your vendor's instructions. You can either use your ISP's default DNS servers or, as I do, use the OpenDNS DNS servers or Google's public DNS servers, such as 8.8.4.4. Either tends to be faster than most ISPs' DNS services.
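If you would rather check a machine or router yourself than rely on the check-up site, the added example below (not code from the article, the FBI or IID) parses the resolver list from resolv.conf-style or Windows ipconfig-style output and classifies each server as trusted, rogue or unknown. The rogue ranges are placeholders (TEST-NET blocks) standing in for the rogue ranges the FBI published, which this article doesn't list; the trusted set assumes Google's 8.8.4.4 from the text plus a hypothetical ISP resolver, 192.0.2.53.

```python
import ipaddress
import re

# Placeholder ranges (TEST-NET blocks) standing in for the rogue DNS ranges
# the FBI published; substitute the real list before using this for real.
ROGUE_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Resolvers you expect to see: 8.8.4.4 is Google's public resolver named in
# the article; 192.0.2.53 is a hypothetical ISP resolver (constructed).
TRUSTED = {ipaddress.ip_address("8.8.4.4"), ipaddress.ip_address("192.0.2.53")}


def parse_resolvers(config_text):
    """Pull IPv4 resolver addresses out of resolv.conf text ('nameserver X')
    or Windows ipconfig text ('DNS Servers . . . : X', continuation lines
    carrying only an indented address)."""
    found = []
    for line in config_text.splitlines():
        m = re.search(r"(?:nameserver|DNS Servers[ .]*:)\s*(\d+\.\d+\.\d+\.\d+)", line)
        if m:
            found.append(ipaddress.ip_address(m.group(1)))
        elif re.fullmatch(r"\s+(\d+\.\d+\.\d+\.\d+)\s*", line):
            found.append(ipaddress.ip_address(line.strip()))
    return found


def classify(addr):
    """Return 'trusted', 'rogue' or 'unknown' for a resolver address."""
    addr = ipaddress.ip_address(addr)
    if addr in TRUSTED:
        return "trusted"
    if any(addr in net for net in ROGUE_RANGES):
        return "rogue"
    return "unknown"  # not in a rogue range, but not one you configured either


def check_config(config_text):
    """Classify every resolver found in the configuration text."""
    return [(str(a), classify(a)) for a in parse_resolvers(config_text)]


# Constructed sample: a resolv.conf as DNSChanger would leave it, with a rogue
# resolver listed first and the trusted public one second.
SAMPLE = """\
# Generated by NetworkManager
nameserver 198.51.100.7
nameserver 8.8.4.4
"""

if __name__ == "__main__":
    for ip, verdict in check_config(SAMPLE):
        print(f"{ip:16} {verdict}")
```

An "unknown" verdict is the cue to compare the address against what your ISP or router vendor actually hands out, since a rogue list is only as good as its last update.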
