ALERT: DNS Changer Malware
On July 9, 2012, you may find yourself without an Internet connection. For some of the approximately 350,000 still infected with this trojan, this will be an inconvenience. For others, it will be a catastrophe. If you have a system that is connected to the Internet, and which plays a vital role in your business or personal use, you MUST act now to protect your interests!
This trojan is platform independent, which means both PC and Mac systems are affected.
What is the DNS Changer Malware?
On November 8, 2011, the FBI, the NASA-OIG and Estonian police arrested several cyber criminals in “Operation Ghost Click”. The criminals operated under the company name “Rove Digital”, and distributed DNS changing viruses, variously known as TDSS, Alureon, TidServ and TDL4 viruses. You can read more about the arrest of the Rove Digital principals here, and in the FBI Press Release.
What does the DNS Changer Malware do?
The botnet operated by Rove Digital altered user DNS settings, pointing victims to malicious DNS in data centers in Estonia, New York, and Chicago. The malicious DNS servers would give fake, malicious answers, altering user searches, and promoting fake and dangerous products. Because every web search starts with DNS, the malware showed users an altered version of the Internet.
Under a court order, expiring July 9, the Internet Systems Consortium is operating replacement DNS servers for the Rove Digital network. This will allow affected networks time to identify infected hosts, and avoid sudden disruption of services to victim machines.
How can you detect if your computer has been violated and infected with DNS Changer?
An industry wide team has developed easy “are you infected” web sites. They are a quick way to determine if you are infected with DNS Changer. Each site is designed for any normal computer user to browse to a link, follow the instructions, and see if they might be infected. Each site has instructions in their local languages on the next steps to clean up possible infections.
For example, the http://www.dns-ok.us/ will state if you are or are not infected (see below).
- No Software is Downloaded! The tools do not need to to load any software on your computer to perform the check.
- No changes are performed on your computer! Nothing is changed on your computer when you use sites like http://www.dns-ok.us/.
- No scanning! The “are you infected with DNS Changer” tool does not need to scan your computer.
If you think your computer is infected with DNS Changer or any other malware, please refer to the security guides from your operating system or the self -help references from our fix page (http://www.dcwg.org/fix).
The following table is a list of all easy “are you infected” sites. It includes the links to the security organizations who are maintaining the sites. Each site has instructions in their local languages on the next steps to clean up possible infections.
|www.dns-ok.us||English||DNS Changer Working Group (DCWG)|
|www.dns-ok.de||German||Bundeskriminalamt (BKA) & Bundesamt für Sicherheit in der Informationstechnik (BSI)|
|www.dns-ok.fi||Finnish, Swedish, English||CERT-FI is the Finnish national reporting point for computer security incidents and information security threats. CERT-FI is also responsible of maintaining the national information security situation awareness system.|
|www.dns-ok.ax||Swedish, Finnish, English||CERT-FI is the Finnish national reporting point for computer security incidents and information security threats. CERT-FI is also responsible of maintaining the national information security situation awareness system.|
|www.dns-ok.be||Dutch/French||CERT-BE is the primary Belgian contact point for dealing with Internet security threats and vulnerabilities affecting Belgian interests.|
|www.dns-ok.fr||French||Le CERT-LEXSI est la division de veille et d’enquête sur Internet, dédiée à la protection du patrimoine en ligne des organisations.|
|www.dns-ok.ca||English/French||Canadian Internet Registration Authority (CIRA) and Canadian Cyber Incident Response Centre (CCIRC)|
|www.dns-ok.lu||English||CIRCL (Computer Incident Response Center Luxembourg) is the national Computer Security Incident Response Team (CSIRT – CERT) coordination center for the Grand-Duchy of Luxembourg|
|www.dns-ok.nl||Dutch||SIDN (the Foundation for Internet Domain Registration in the Netherlands)|
|dns-ok.gov.au||English||CERT Australia, Stay Smart Online, and Australian Communications and Media Authority joint page on DNSChanger Information|
|dns-changer.eu||German, Spanish, English||ECO (Association of the German Internet Industry)|
|dnschanger.detect.my||Malaysian, English||Hosted by CyberSecurity Malaysia and MYCERT|
If you are not affected by DNS Changer then you need do nothing else.
For the official FBI press release regarding this issue, click HERE