
DNSChanger malware: What it means for SMBs

CIOL Bureau

BANGALORE, INDIA: Today (Monday), the FBI will shut down servers associated with the DNSChanger malware. As a result, computers still infected with this threat will likely no longer be able to access the Internet.


With at least 300,000 computers still infected with DNSChanger, this situation could be a challenge for many computer users, especially SMBs. Like companies of all sizes, SMBs rely heavily on the Internet for everything from day-to-day tasks to their ecommerce operations, so an Internet “blackout” is a significant problem. Combined with the fact that SMBs often lack dedicated IT staff, the DNSChanger situation could be a recipe for disaster unless the proper steps are taken.

Symantec's experts have provided responses that offer useful insights:


Q: Why is the DNSChanger making news?

It is malware that changes the Domain Name System (DNS) settings on the compromised computer, hence the name.

Q: What are these DNS settings and how do they affect me?


DNS is an Internet service that converts user-friendly domain names into the numerical Internet protocol (IP) addresses that computers use to talk to each other. When you enter a domain name into your Web browser address bar, your computer contacts DNS servers to determine the IP address for the website. Your computer then uses this IP address to locate and connect to the website. DNS servers are operated by your Internet service provider (ISP) and are included in your computer’s network configuration.

Q: So what does DNSChanger do then?

By changing a computer’s DNS settings, malware authors can control what websites a computer connects to on the Internet and can force a compromised computer to connect to a fraudulent website or redirect the computer away from an intended website. To do that, a malware author needs to compromise a computer with malicious code, which in this case is DNSChanger. Once the computer is compromised, the malware modifies the DNS settings from the ISP’s legitimate DNS server’s address to the rogue DNS server’s address.


Q: If the FBI caught the international ring, why is there still a potential threat?

The FBI, through the court order, asked the Internet Systems Consortium (ISC) to deploy and maintain clean DNS servers in place of the rogue ones operated by the bad guys, to give users with compromised computers enough time to remove the threat. This is only a temporary solution however, and the servers operated by ISC under the court order will go offline on July 9, 2012. Once that happens, computers that are still compromised will lose access to the Internet, causing a "blackout". Latest statistics show that there are at least 300,000 computers still being redirected to the rogue DNS servers now being controlled by the FBI.

Q: Will the computers compromised by this threat only lose access to some sites?


No, all sites. Connectivity to the Internet will be lost entirely. If your computer is still using DNS entries that point to the FBI servers on July 9, you will lose access to the Internet completely.

Q: How can I find out if my computer is compromised by DNSChanger?

A task force, the DNSChanger Working Group (DCWG), has been created to help people determine whether their computers have been compromised by this threat and to help them remove it. Users can go to the DNS Changer Check-Up page, maintained by the DCWG, to determine whether their computer is compromised. Other pages in various languages, maintained by other organizations, are listed on the DCWG’s Detect page. Various organizations are proactively informing users that their computers are compromised by DNSChanger. The FBI has also put together instructions on how to determine manually whether a computer has been compromised.

In addition to detecting the malicious component, Symantec customers whose computers have been compromised by DNSChanger are notified through our endpoint products with a detection called SecurityRisk.FlushDNS. Our write-up contains more information and includes manual removal instructions. If a user is in doubt about how to change their DNS settings, they should contact their ISP or network administrator.
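The manual check described above, as an added example that is not from the article, the FBI or Symantec: it reads the resolvers a machine is configured to use (from a resolv.conf file or from `ipconfig /all` output) and flags any that fall inside a list of rogue DNS address blocks. The two blocks used here are placeholder documentation networks, since the article does not reproduce the published list; the sample inputs are constructed.

```python
import ipaddress
import re

# Constructed placeholder ranges standing in for the rogue DNS server blocks
# published by the DCWG/FBI (documentation networks, not the real list).
ROGUE_DNS_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

def is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False

def parse_resolv_conf(text):
    """Extract resolver addresses from /etc/resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop trailing comments
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers

def parse_ipconfig(text):
    """Extract DNS servers from 'ipconfig /all'; extra servers sit on continuation lines."""
    servers, in_dns = [], False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S*)", line)
        if m:  # header line, may carry the first address
            in_dns = True
            if m.group(1):
                servers.append(m.group(1))
            continue
        cont = in_dns and re.match(r"\s+(\S+)\s*$", line)  # address-only line
        in_dns = bool(cont and is_ip(cont.group(1)))
        if in_dns:
            servers.append(cont.group(1))
    return servers

def check_dns_servers(servers):
    """Return the configured resolvers that fall inside a rogue range."""
    return [s for s in servers if is_ip(s)
            and any(ipaddress.ip_address(s) in net for net in ROGUE_DNS_RANGES)]

# Constructed sample inputs (not captured from a real machine).
RESOLV_SAMPLE = "nameserver 203.0.113.53  # ISP resolver\nnameserver 192.0.2.10\n"
IPCONFIG_SAMPLE = ("   DNS Servers . . . . . . . . . . . : 198.51.100.7\n"
                   "                                       203.0.113.53\n"
                   "   NetBIOS over Tcpip. . . . . . . . : Enabled\n")
```

Any address returned by `check_dns_servers` should be replaced with the ISP's legitimate resolver (or the DHCP-assigned one) and the machine scanned, as the write-up's removal instructions describe.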
