Categories: MalwareSecurity

DNSChanger and the FBI’s internet blackout on 8 March

For several days news has been circulating online about a planned Internet blackout for millions of users on 8 March, decided by the FBI to deal with a cyber threat. The enemy to fight is the DNSChanger Trojan, a malware that has infected millions of computers all over the world in more than 100 countries. The story began last year when a group of people was arrested in Estonia, accused of having developed the dreaded Trojan, which seems to spread with surprising ease.

What does the DNS Changer Malware do?

The botnet operated by Rove Digital altered user DNS settings, pointing victims to malicious DNS servers in data centers in Estonia, New York, and Chicago. The malicious DNS servers would give fake, malicious answers, altering user searches and promoting fake and dangerous products. Because every web search starts with DNS, the malware showed users an altered version of the Internet. Under a court order expiring March 8, the Internet Systems Corporation is operating replacement DNS servers for the Rove Digital network. This gives affected networks time to identify infected hosts and avoids a sudden disruption of service to victim machines.

To counter the threat, the Federal Bureau of Investigation may shut down several DNS (domain name) servers on March 8, with the undesirable side effect of cutting millions of users off from the Internet. DNSChanger changes the DNS settings inside the infected system, hijacking web traffic to unwanted and malicious sites. DNS translates domain names into numeric IP addresses and lets users reach the websites they want; Windows and Mac OS X users are both vulnerable to this malware because it exploits the browser, not the operating system. A self-check of any PC can easily be done to make sure it is not infected: comparing the system's DNS settings against the following list of rogue DNS server ranges reveals the infection.

85.255.112.0 through 85.255.127.255
67.210.0.0 through 67.210.15.255
93.188.160.0 through 93.188.167.255
77.67.83.0 through 77.67.83.255
213.109.64.0 through 213.109.79.255
64.28.176.0 through 64.28.191.25
The FBI has published a pretty decent guide to performing the self-check here. If you are infected by the DNSChanger Trojan, the FBI reminds us that this malware also disables security updates, which could have further exposed you to other malware.
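As an added example (not code from the original post), the following Python script performs the self-check just described: it reads the configured resolvers from resolv.conf-style text and compares them against the rogue ranges listed above, copied exactly as the post gives them. The sample configuration is constructed; passing a file path such as /etc/resolv.conf as the first argument checks a live Linux or Mac system instead.

```python
import ipaddress
import sys

# Rogue DNS server ranges exactly as listed in the post (inclusive "A through B" bounds).
ROGUE_DNS_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.25"),
]

def is_rogue_dns(addr: str) -> bool:
    """True if addr is an IPv4 address inside one of the listed rogue ranges."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:  # not an IP literal at all (hostname, garbage)
        return False
    if ip.version != 4:  # the listed ranges are IPv4 only
        return False
    return any(ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi)
               for lo, hi in ROGUE_DNS_RANGES)

def resolvers_from_resolv_conf(text: str) -> list:
    """Collect the addresses on 'nameserver' lines, ignoring '#' comments."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def check_resolvers(text: str) -> list:
    """Return the configured resolvers that fall in a rogue range; empty means clean."""
    return [s for s in resolvers_from_resolv_conf(text) if is_rogue_dns(s)]

# Constructed sample: one resolver inside the first rogue range, one legitimate resolver.
SAMPLE_RESOLV_CONF = """\
# constructed sample, not a real configuration
nameserver 85.255.112.36   # inside 85.255.112.0 through 85.255.127.255
nameserver 8.8.8.8
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESOLV_CONF
    flagged = check_resolvers(text)
    print("rogue resolvers:", flagged if flagged else "none found")
```

On Windows the same comparison applies to the DNS servers shown by `ipconfig /all`; only the parsing of the input differs.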

The measure is necessary because many organizations still have not removed the DNSChanger Trojan from infected systems, despite the fact that the botnet’s command-and-control infrastructure has been under the Federal Bureau of Investigation’s control for the past few months. The situation is curious: once the cyber crime was discovered, the FBI replaced the Trojan’s DNS infrastructure with surrogate, legitimate DNS servers to give businesses and private individuals affected by DNSChanger time to cleanse infected systems. By replacing the command servers, the feds have prevented the malware from propagating further. The FBI took over the botnet’s command-and-control (C&C) servers in November as part of Operation Ghost Click.

The surrogate architecture used for the botnet takedown will operate until March 8, 2012, according to the court order obtained by the FBI. To avoid a blackout when the surrogate servers go offline, the court would need to extend the order that keeps the substitute infrastructure in place, so that computers still infected can continue to browse the web.

To get an idea of the prevalence of the malware: according to the cyber journalist Brian Krebs, Internet Identity believes DNSChanger infected “half of all Fortune 500 firms, and 27 out of 55 major government entities.”

But how many people are infected?

To meet the threat, a special task force was also set up to provide support for private companies, and the instructions needed to remove the malware were published on the site DCWG.org. There is no guarantee that a decision to extend the operation of the surrogate servers would speed up the global clean-up.

While the shutdown may be a “bit of a shock” to the victims, it would ultimately be a good thing, Chester Wisniewski, senior security advisor at Sophos Canada, wrote on the Naked Security blog. “You can’t survive cancer by not getting tested. Keeping your machines infected so you can surf is not likely the best strategy,” Wisniewski said.


Pierluigi Paganini

(Security Affairs – DNSChanger, DNS-changer)


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of the "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
