DNSChanger: The Blackout is Coming!

Malware called DNSChanger has been, and continues to be, in the news and for very good reason. A whole lot of people stand to lose their Internet connectivity if they don’t take action before July 9. One of our concerned customers recently posed a number of questions to Symantec Security Response about what this threat is, how it works, and what it ultimately means to them (and other users like them). The following are the questions put to us, with our responses.

Norton User: What is this DNSChanger making news at the moment?

Symantec Security Response: It is malware that changes the Domain Name System (DNS) settings on the compromised computer, hence the name.

NU: What are these DNS settings and how do they affect me?

SSR: DNS is an Internet service that converts user-friendly domain names into the numerical Internet protocol (IP) addresses that computers use to talk to each other. When you enter a domain name into your Web browser address bar, your computer contacts DNS servers to determine the IP address for the website. Your computer then uses this IP address to locate and connect to the website. DNS servers are operated by your Internet service provider (ISP) and are included in your computer’s network configuration.

Figure 1. How DNS works

NU: OK got it. So what does DNSChanger do then?

SSR: By changing a computer’s DNS settings, malware authors can control what websites a computer connects to on the Internet, and can force a compromised computer to connect to a fraudulent website or redirect the computer away from an intended website. To do that, a malware author needs to compromise a computer with malicious code, which in this case is DNSChanger. Once the computer is compromised, the malware modifies the DNS settings, replacing the ISP’s legitimate DNS server address with the rogue DNS server’s address.

Figure 2. How DNSChanger works

NU: Does Symantec protect me and other Symantec customers from this threat?

SSR: Yes, Symantec detects this threat as Trojan.Flush.K, which was originally named Trojan.Dnschanger. Furthermore, this detection has been in place since January 2007.

NU: This might be a silly question, but why would the bad guys want to redirect me to rogue servers?

SSR: Actually it’s a pretty good question but the answer is as simple as it is common: money. Kevin Haley has written a good blog about the bad guys’ motivation and how they perpetrated this crime so I’ll redirect you to him.

NU: Interesting. But one thing I find curious is how old both this malware and crime are. In fact, Kevin Haley says that the bad guys got caught by the FBI at the end of last year!

SSR: Yes, that is correct. Actually the FBI has a good article about Operation Ghost Click, which is the investigation that caught the gang that perpetrated this crime. It’s definitely worth a read.

NU: So why all the fuss now?

SSR: I'm glad you asked. The FBI, through the court order, asked the Internet Systems Consortium (ISC) to deploy and maintain clean DNS servers in place of the rogue ones operated by the bad guys, to give users with compromised computers enough time to remove the threat. This is only a temporary solution however, and the servers operated by ISC under the court order will go offline on July 9, 2012. Once that happens, computers that are still compromised will lose access to the Internet, causing a "blackout" as it were.

NU: Surely you mean computers compromised by this threat will only lose access to some sites?

SSR: No, all sites. Connectivity will be lost to the Internet PERIOD. If your computer is still using DNS entries that are pointing to the FBI servers on July 9, you will lose TOTAL access to the Internet. No connecting to the office from home, no updating Facebook, nothing until the DNS settings are fixed.

NU: Surely this is an isolated threat and most people by now are not at risk of losing their Internet connection?

SSR: Au contraire. Latest statistics show that there are at least 300,000 computers still being redirected to the rogue DNS servers now being controlled by the FBI.

NU: So how can I find out if my computer is compromised by DNSChanger?

SSR: A task force has been created, called the DNSChanger Working Group (DCWG) to help people determine if their computers have been compromised by this threat, and to also help them remove the threat. Users can go to the DNS Changer Check-Up page, maintained by the DCWG, to determine whether their computer is compromised or not. There are other pages in various languages maintained by other organizations listed on the DCWG’s Detect page. Various organizations are proactively informing users that their computers are compromised by DNSChanger. The FBI has also put together instructions on how to determine manually if a computer has been compromised or not.

In addition to detecting the malicious component, Symantec and Norton customers whose computer has been compromised by DNSChanger are notified through our endpoint products with a detection called SecurityRisk.FlushDNS. Our write-up contains more information and includes manual removal instructions. If a user is in doubt about how to change their DNS settings, they should contact their ISP or network administrator.
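As an added example (not code from Symantec's post or the DCWG), the manual check described above can be scripted: read the DNS servers a computer is actually configured to use, from saved `ipconfig /all` output on Windows or from `/etc/resolv.conf` on Linux/macOS, and flag any that fall inside a list of known-rogue address ranges. The ranges and both configuration samples below are constructed placeholders (RFC 5737 documentation addresses), since the post does not list the real rogue ranges; substitute the ranges published by the FBI/DCWG.

```python
import ipaddress
import re

# Placeholder rogue ranges (constructed, RFC 5737 documentation space).
# Replace with the ranges published by the FBI/DCWG for the real rogue servers.
ROGUE_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

# Constructed sample of 'ipconfig /all' output: one rogue and one legitimate server.
IPCONFIG_SAMPLE = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 10.0.0.5
   Default Gateway . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 192.0.2.77
                                       10.0.0.1
"""

# Constructed sample of /etc/resolv.conf with a rogue second resolver.
RESOLV_SAMPLE = "# constructed sample\nnameserver 10.0.0.1\nnameserver 198.51.100.9\n"

def dns_servers_from_ipconfig(text):
    """Extract DNS server addresses from 'ipconfig /all' output (Windows)."""
    servers, in_dns = [], False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            servers.append(m.group(1))
            in_dns = True
            continue
        # Extra servers follow on continuation lines holding only an address.
        if in_dns and re.match(r"\s+\S+\s*$", line):
            servers.append(line.strip())
            continue
        in_dns = False
    return servers

def dns_servers_from_resolv_conf(text):
    """Extract 'nameserver' entries from /etc/resolv.conf (Linux/macOS)."""
    return [ln.split()[1] for ln in text.splitlines()
            if ln.strip().startswith("nameserver") and len(ln.split()) >= 2]

def rogue_servers(servers, ranges=ROGUE_RANGES):
    """Return the configured servers that fall inside a known-rogue range."""
    hits = []
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            continue  # skip anything that is not an IP literal
        if any(addr in net for net in ranges):
            hits.append(s)
    return hits
```

A non-empty result from `rogue_servers` means the DNS settings still point at a rogue range and must be corrected (with the ISP or network administrator if in doubt) before July 9.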

NU: Why don’t Symantec products automatically fix the DNS settings for your users?

SSR: Symantec products do not restore the DNS settings on a compromised computer because we have no way of knowing what the original settings were. If the DNS settings are not restored correctly, the computer may lose access to the Internet.

NU: Is there anything else I need to know?

SSR: We host our own DNS servers that are configured to block unsafe websites, which is a product called Norton ConnectSafe. It’s pretty cool and totally free of charge.