Tuesday, April 24, 2012

Check for DNS-Changer Before July 9th

Hundreds of thousands of people are going to find that they can’t get their email or browse the web on July 9th, 2012. This isn’t part of the alleged Mayan prediction that the world will end in 2012; it is the fallout of a cybercriminal operation.

Perhaps you have heard of the malware called “DNS-Changer”. If you don’t know what malware is, it is short for “Malicious Software”. If you aren’t sure about “malicious software” then you would probably call it a computer virus.

If your computer is infected with the DNS-changer malware then you are surfing on borrowed time. I’ll explain the problem and what you need to do about it.

Every computer on the internet has an IP address. Think of it like the address for a house. Each computer has an address, and all web pages are housed on computers. When you want to go to Google, you can type in www.google.com like in the example below.

The reason you can type in Google.com is that there are special computers on the Internet called Domain Name System Servers, or DNS Servers. When you type in a web address the information is sent to a Domain Name Server and then translated to the actual address of the computer you are looking for. You actually can type in the address of the web site you want, if you know it. For example, Google is at, so, as you see in the address bar below, I can type the address in instead of the friendly name www.google.com.

At home you usually use a DNS server that your Internet Service Provider supplies. When you are traveling, the access point (often Wi-Fi) provides that information to your computer. You can choose your own DNS server if you want to and know how to. This is where the malicious software (malware) we call DNS-Changer comes into the picture.

When a computer got infected with DNS-Changer, the malware made changes to the computer or router that would force the computer to use DNS servers that were controlled by the criminals. The FBI, in conjunction with the government of Estonia and others, caught the criminals and took control of the bad DNS servers. The problem is that if they simply shut down the servers, the Internet would have stopped working for millions of infected computers. The FBI enlisted the help of the good guys at the ISC (Internet Systems Consortium) to maintain the DNS servers until people’s computers could be fixed. Initially the ISC was supposed to stop providing assistance in March, but there were still so many infected computers that it was decided they would keep the systems in place until July 9th, 2012.

As of April 2012 there are still over 300,000 computers that are infected, and nobody but the owners of the computers has the right to fix them. If your computer is one of the infected computers, then on July 9th you will no longer be able to receive email or surf the Internet until your computer is fixed. The DNS-Changer malware appears to have affected Macs as well as PCs, so don’t make the mistake of thinking that your Mac is immune.

Fortunately, it isn’t very hard to test to see if your computer has the DNS problem.

You can simply go to http://www.dcwg.org/ to check and see if your computer is affected and then fix it if need be. Don’t wait until July 9th to do this because if your computer is affected then you won’t be able to get to the web site to test or fix it!

Recently http://www.dcwg.org/ has been unavailable at times, so http://www.dns-ok.us/ and http://dns-changer.eu/ are also safe sites to help you test for the problem.

There is also another potential problem. If you have a router and you did not change the default administrator password when it was installed, the malware could have changed the DNS settings in the router. To check the DNS settings on the router you will need to refer to the owner’s manual for your router. If you don’t know where you put your owner’s manual then you can almost certainly download a new one from the vendor’s web site.
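A local complement to the test sites above, as an added example that is not part of the original post: it reads the computer's DNS settings as text (`resolv.conf` style, or Windows `ipconfig /all` output) and flags any DNS server that falls inside a list of rogue address ranges. The ranges and sample inputs are constructed placeholders from documentation address space, and the function names are hypothetical; substitute the rogue ranges published for DNS-Changer.

```python
import ipaddress
import re

# Constructed placeholder ranges (RFC 5737 documentation space), NOT the real
# rogue ranges: replace them with the list published for DNS-Changer.
ROGUE_RANGES = ["192.0.2.0/24", "198.51.100.0/25"]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")  # IPv4 only

def extract_resolvers(config_text):
    """Collect DNS server addresses from resolv.conf-style text or from
    `ipconfig /all` output (the 'DNS Servers' line and its continuation lines)."""
    resolvers, in_dns_block = [], False
    for line in config_text.splitlines():
        s = line.strip()
        if s.startswith(("#", ";")):          # resolv.conf comment
            continue
        if s.lower().startswith("nameserver"):
            resolvers += IPV4.findall(s)
            in_dns_block = False
        elif s.lower().startswith("dns servers"):
            resolvers += IPV4.findall(s)
            in_dns_block = True               # further servers follow on bare lines
        elif in_dns_block and IPV4.fullmatch(s):
            resolvers.append(s)
        else:
            in_dns_block = False
    return resolvers

def find_rogue(config_text, rogue_ranges=ROGUE_RANGES):
    """Return (resolver, range) pairs for every resolver inside a rogue range."""
    networks = [ipaddress.ip_network(r) for r in rogue_ranges]
    hits = []
    for addr in extract_resolvers(config_text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:                    # looks like an address but is not valid
            continue
        hits += [(addr, str(net)) for net in networks if ip in net]
    return hits

# Constructed sample inputs.
SAMPLE_RESOLV = "# constructed sample\nnameserver 192.0.2.53\nnameserver 203.0.113.1\n"
SAMPLE_IPCONFIG = ("   DNS Servers . . . . . . . . . . . : 203.0.113.8\n"
                   "                                       198.51.100.7\n"
                   "   NetBIOS over Tcpip. . . . . . . . : Enabled\n")

if __name__ == "__main__":
    for name, text in (("resolv.conf", SAMPLE_RESOLV), ("ipconfig", SAMPLE_IPCONFIG)):
        for addr, net in find_rogue(text):
            print(f"{name}: DNS server {addr} is inside rogue range {net}")
```

A computer that uses the home router as its DNS server passes this check even if the router's own DNS settings were changed, so the router still has to be checked separately.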

If you have a business, you might want to share this information with your customers. Although your computer may be healthy, if your customers have the problem they will not be able to email you or reach your web site after July 9th until they get their computers fixed!

There are a couple of other side effects of the DNS-Changer malware. If your computer is infected then Windows Update has not been downloading security updates. Go to Windows Update and make sure you have all of the security updates. Your antivirus software will not be functioning properly if DNS-Changer is present. Make sure your antivirus software is up-to-date as well.

It is a great idea to set reminders to verify that your antivirus software is updating properly and that your computer is up-to-date with security patches as well. I recommend checking this every week, but even once a month would be fine. You also need to make sure other software is current, but I’ll save that for another blog!

If you can’t connect to the Internet on July 9th and you call your ISP for assistance, they’ll probably actually know what the problem is... Perhaps that is why the Mayans thought the world is going to end this year!

Randy Abrams
Independent Security Analyst
© 2012

