What is the DNS Changer Malware?

On November 8, the FBI, the NASA-OIG and Estonian police arrested several cyber criminals in “Operation Ghost Click”. The criminals operated under the company name “Rove Digital”, and distributed DNS changing viruses, variously known as TDSS, Alureon, TidServ and TDL4 viruses. You can read more about the arrest of the Rove Digital principals here, and in the FBI Press Release.

What does the DNS Changer Malware do?

The botnet operated by Rove Digital altered user DNS settings, pointing victims to malicious DNS in data centers in Estonia, New York, and Chicago. The malicious DNS servers would give fake, malicious answers, altering user searches, and promoting fake and dangerous products. Because every web search starts with DNS, the malware showed users an altered version of the Internet.

Under a court order, expiring July 9, the Internet Systems Consortium is operating replacement DNS servers for the Rove Digital network. This will allow affected networks time to identify infected hosts, and avoid sudden disruption of services to victim machines.

How Can I Protect Myself?

This page describes how you can determine if you are infected, and how you can clean infected machines. To check if you’re infected, Click Here. If you believe you are infected, here are instructions on how to clean your computer.

http://www.dcwg.org/

DNS Changer Infrastructure and TDSS/Alureon/TidServ/TDL4 Malware (Update)

Number: IN11-002
Date: 9 Nov 2011

UPDATE:
A court order to extend the deadline has been approved. The Internet Systems Consortium will continue operating the replacement DNS until 9 July 2012.
For more information, please visit the following: http://www.dcwg.org/

Purpose

This product provides information and mitigation advice to IT Security Specialists and potential victims of DNSChanger malware. Its goal is to assist with the detection and mitigation of the risks of such malware.

Assessment

Recently, the FBI uncovered a network of Domain Name System (DNS) servers controlled by cyber criminals. The FBI worked in collaboration with international law enforcement agencies and the cyber security community to disable these malicious DNS servers. Unfortunately, this malicious infrastructure has been used for over 3 years to steal personal information from millions of people around the world. Cyber criminals managed to infect these users'computers with malicious code that changes the users' DNS configurations to forward all their web content requests to a rogue DNS rather than a legitimate one. As DNS is necessary for most internet activities, the FBI implemented a plan for a trusted private-sector, non-government entity to operate and maintain a clean DNS server for the infected victims until they can be identified and notified. The IP addresses of potentially affected systems will be provided to the appropriate ISP and Computer Emergency Response Teams (CERTs) for victim notification.

The FBI public announcement can be found here: http://www.fbi.gov/DNS-malware.pdf

- UPDATE -

The cyber security community website on DNSChanger can be found at:http://www.dcwg.org/

Under the U.S. District Court Order currently in place, Internet Systems Consortium (ISC, http://www.isc.org/) was authorized to install, monitor and administer replacement DNS for the victims until the 8 March 2012. At this date, it is expected that victims from the DNSChanger malware associated with this operation could lose Internet connectivity, because DNS is necessary for common use.

An extension request has been submitted and is pending approval before the U.S. Court for ISC to operate replacement DNS until 9 July 2012, which is referenced at:

http://krebsonsecurity.com/wp-content/uploads/2012/02/dnschangerextension.pdf

The Canadian Internet Registration Authority (CIRA) is hosting a web-based tool to detect whether Internet users are affected by associated DNSChanger malware. This tool can be found at:

http://www.dns-ok.ca/

http://www.publicsafety.gc.ca/prg/em/ccirc/2011/in11-002-eng.aspx.