DNS Changer – A New Addition to the Realm of Malware

Malware is alive and well in our nations, as well as around the world. It has been a problem in the past, and is sure to be a problem in the future. As long as there are computers, there will be malware. There is no foolproof method of preventing malware infection. Malware comes in many shapes and sizes and can be very difficult for computer users to identify, much less remove from their system. While the majority of users are aware that they need to keep an active spyware protection program on their PC, some still haven’t come to terms with the fact that malware protection, such as ZookaWare’s SpyZooka, is equally important. The most dangerous element of malware is that it is constantly changing. Individuals set on utilizing malware for their own purposes generate new methods of infiltrating user computers frequently. Users must be vigilant and aware of the potential for harm.

As a contemporary example of malware, officials recently took down a group of cyber criminals responsible for DNS Changer malware. The group was made up of 6 Estonians and one Russian who were masquerading as Internet advertisers who were paid by-the-click. The FBI, NASA-OIG and the Estonian police worked together to put an end to the criminal ring’s harmful activities in 2011. The group had been operating under the company name Rove Digital since 2007 with one sole purpose: to distribute DNS changing Trojans (also known as: TDSS, Alureon, TidServ, and TDL4 viruses).

This particular cyber criminal group was very effective in reaching a large number of users. During the past year, the Internet Systems Consortium was court-ordered to operate replacement DNS servers for the Rove Digital network. The intention was to provide affected networks with the time necessary to identify infected hosts and avoid sudden disruption of services to the massive number of victimized computers. This temporary solution came to an end on July 9, 2012. Users still infected with the DNS Changer malware will have problems getting online even with a normal Internet connection.

Many still aren’t sure what the DNS Changer malware is capable of doing to their computer. It’s an especially nasty piece of malware that reroutes a PC’s web traffic without the knowledge or consent of the PC user. Rove Digital’s botnet altered DNS settings (without user knowledge or consent) in order to point unsuspecting computer users towards malicious DNS in data centers located in Estonia, New York and Chicago. Every web search begins with DNS. The user searches for a site by name (for example: www.blockbuster.com) and the DNS takes this information and uses it to find the accompanying IP address assigned to the website the user is searching for. This provided ample opportunity for Rove Digital’s malicious DNS servers to show users of infected PCs an altered version of the Internet that included: malicious answers, fake information, altered user searches, promotions of fake and/or dangerous products and services, etc.

Infection of a PC by Rove Digital’s DNS Changer malware essentially handed over control of web browsing to a cyber-criminal gang. The FBI released information indicating that the criminals benefitted from the malware by using their unprecedented web browsing control of so many users to replace legitimate advertising with their own. The group generated $14 million from their criminal activity. The process is referred to as “click hijacking” in reference to the pay-per-click advertising that’s currently popular amongst web advertisers. This seemingly simple act originally left more than 4 million infected computers in 100 countries. These numbers have decreased drastically since the discovery of the details of the operation, but users are still being urged to check their system for problems.

Users who fear their computer may be in danger of infection by DNS Changer or other, potentially dangerous viruses or malware should:

1.    Verify that software programs put in place to detect and protect their PC are active and functioning properly. Remove any malware from the system.**

2.    Create backups of vital and personal data stored on the computer/s. This will ensure that no data is lost in the event that a virus or piece of malware cannot be removed and the user needs to reformat and repair the hard drive.

3.    Infection by DNS Changer malware could leave the user with modified local DNS settings. Reset them manually. For step by step instructions on how to do this contact your Internet service provider.

4.    Routers may also have been affected using a password guessing technique. If the Trojan gained access to the router, the DNS inside will also need to be modified. Verify that the router is connecting to your service provider’s DNS servers by looking at the DNS settings of the router. If the DNS settings are set to an IP range that is part of the rogue DNS servers, it will need to be reset. IP ranges of the rogue DNS servers can be found at the FBI’s public service announcement. For additional instructions on resetting the router, contact your service provider.

5.    Users with router problems should also change the administrative name and password.

6.    Check to verify that operating system software is up to date, as malware can block automatic updates.

**Officials have recommended that anyone not running a Windows operating system or anyone not able to remove the DNS Changer malware from their system using accepted utilities and programs update the master boot record and reformat the hard drive. Some users may need to utilize the services of a local repair shop to complete this process.
DNS Changer has affected a large number of computers and users should actively prevent it from harming their PC by utilizing reputable and effective PC protection software and services. But, sadly, it is not the only virus or form of malware that poses a threat to PC safety. It is highly recommended that every PC user regularly verify that their system is free of the latest in malware threats through the use of a regularly updated malware removal product. A good recommendation is SpyZooka. The frequent updates to SpyZooka’s database of malware means that users are fully protected against groups that would hack into their system for personal gain. Computers will continue to be the focal point for many criminal activities, and users should be vigilant in accessing the best tools available for maximum PC protection.