You know things have gone sideways when NPR and local TV news are talking about the “Internet doomsday” or “Black Monday”. We have DNSChanger to thank for this latest bout of Internet paranoia, and there’s a ton of misinformation and craziness circulating about the malware. We’re here to provide some actual information, luckily for you.
So, here’s a short FAQ to help separate fact from fiction regarding DNSChanger.
What is DNSChanger and what can it do?
DNSChanger is a piece of malware that was used in a large click-fraud campaign known as Ghost Click. Once on a victim’s machine, the malware would hijack search queries and send users’ traffic through rogue DNS servers and on to sites that displayed ads for companies that were controlled by the gang behind the scam, earning them money for every click on those ads. The FBI helped take down the DNSChanger crew last year and at the time of the bust, estimated that there were several million PCs infected with the malware. That number is estimated to be around 300,000 infections now, a tiny fraction of the billions of IP-enabled devices on the Interwebs. When the FBI took down the gang behind this attack, it also took control of the rogue DNS servers and continued to operate them so that all of the infected users could still access the Internet.
What is a DNS server and why do I care which one my traffic goes through?
The DNS system is a global network of specialized servers that provide your computer with the IP address that corresponds to the URL you are trying to reach. So, for example, if you search for Threatpost on Alta Vista and then click on the link for Threatpost.com, your browser contacts a name server and says, “Hi, please give me the IP address for the URL Threatpost.com.” The name server will respond with a an IP address that your browser understands, and then your browser connects to the address and you wind up here reading this FAQ. This works properly billions of times a day, but there are ways for attackers to mess with the system, as the DNSChanger crew did, and route your DNS requests through a name server that they control. In those attacks, your browser doesn’t end up on the site you’re trying to reach and instead can be redirected to malicious sites.
So the FBI owns the DNS system?
Ok, just tell me already. I’m reading this on my lunch break.
No one “owns” the DNS system. It’s a network of millions of servers around the world that do the heavy lifting of name lookups as we talked about earlier. There are a small number of root nameservers that keep the master copies of the DNS records for the Internet, and they’re operated by private companies, universities and non-profits. What the FBI did is simply hand over operation of a small number of rogue nameservers used in the Ghost Click campaign to the Internet Systems Consortium. If the bureau had shut them off at the time of the raid, the DNSChanger-infected machines would not have been able to access the Internet because the nameservers they’d been using for lookups would be gone. Since the time of the arrests, the FBI, DHS and private security companies have been encouraging users to check their PCs for DNSChanger infection and then clean them if necessary. The court order allowing the ISC to operate these servers expires today, meaning they will be offline. Removing the infection *may* repair the DNS settings on infected PCs and enable them to route traffic through legitimate nameservers again. However, you may need to check the DNS settings manually and ensure this is the case.
How do I know whether I’m infected?
You can go to the DNS Changer Working Group site and use the detection tool.
So when they flip the switch to turn off these rogue DNS servers, does that shut down the Internet?
No, only wayward ship anchors and cat videos can do that. But, for users who remain infected by DNSChanger, it will look as if the Internet has taken its ball and gone home because their machines won’t be able to reach the public Web.
Could this happen again?
Sure. Malware gets better, not worse. Rogue DNS schemes like this are not new, attackers continually adapt and improve their tactics as they see how users and law enforcement agencies respond.