
Interview: How the DNSChanger malware works

Zafar Anjum | July 10, 2012
Many users have a chance of experiencing complete Internet outage if they remain unaware of this infection.

Monday, 9 July, was supposed to be ‘Internet Doomsday’, the day the US Federal Bureau of Investigation (FBI) was to shut down the servers associated with the DNSChanger malware. As a result, computers still infected with this threat were to be cut off from the Internet.

According to an IDG report, the FBI estimated that only 41,800 computers remained infected by DNSChanger as of Sunday night, and some Internet service providers have been offering their own solutions to keep customers online.

So far, the cutoff day has been free of catastrophes, IDG reports. We asked Eugene Teo, manager, security response, at Symantec, about this malware and how it was going to affect computers in Asia.

The FBI will shut down servers associated with the DNSChanger malware. Will this affect servers and computers in the Asia Pacific region?

Yes, it will. According to the DNSChanger Working Group (DCWG), globally there are at least 210,851 unique Internet protocol (IP) addresses as of 8 July 2012, of which 619 are from Singapore, still being redirected to the rogue DNS servers now being controlled by the FBI. Our research has found the DNSChanger malware to affect computer systems operating on Windows and Mac only. It is also worth noting that the volume of "unique IPs talking to the clean DNS servers" undercounts the total number of infections, while the estimates built around unique browser IDs demonstrate a higher total infection count.

While it seems as if the FBI has rectified the issue, shutting down the temporary server is only a temporary measure. Once that happens, computers that are still compromised will lose connectivity to the Internet in its entirety. In other words, infected PCs and servers will no longer be able to connect to any websites.

How serious is this threat? Why does the FBI want to take this extreme step? And does the FBI, a US federal government agency, have the authority to do it at a global level?

While we're unable to determine the FBI's motivation, the fact that there are globally at least 210,851 unique IP addresses still being redirected to the rogue DNS servers indicates that many users have a chance of experiencing complete Internet outage if they remain unaware of this infection.

Can you tell us a little about the DNSChanger malware? What about its origins, and what does it do?

DNSChanger is malware that changes the Domain Name System (DNS) settings on the compromised computer. Beginning in 2007, the cyber ring responsible for DNSChanger operated under the company name "Rove Digital" and used the malware to manipulate users' Web activity by redirecting unsuspecting users to rogue DNS servers hosted in Estonia, New York, and Chicago. In some cases, the malware had the additional effect of preventing users' anti-virus software and operating systems from updating, thereby exposing infected machines to even more malicious software.
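Since the malware's whole effect is a rewritten resolver setting, the practical check is to read a host's configured DNS servers and compare them against the ranges the DCWG flagged. The script below is an added example, not code from the interview, Symantec or the DCWG: it parses Windows (`ipconfig /all`) and Mac/Unix (`resolv.conf`) resolver settings and reports any resolver inside a suspect range. The ranges and both sample outputs are constructed placeholders (RFC 5737 test networks), not the published rogue ranges.

```python
import ipaddress
import re

# Placeholder ranges (RFC 5737 test nets) standing in for the DCWG's published rogue ranges.
ROGUE_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

def resolvers_from_resolv_conf(text: str):
    """Resolver addresses from resolv.conf-style text (Mac/Unix)."""
    return re.findall(r"^\s*nameserver\s+(\S+)", text, re.MULTILINE)

def _is_ip(s: str) -> bool:
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False

def resolvers_from_ipconfig(text: str):
    """Resolver addresses from `ipconfig /all` output (Windows), incl. indented continuation lines."""
    found, in_dns = [], False
    for line in text.splitlines():
        m = re.match(r"^\s*DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            found.append(m.group(1))
            in_dns = True
        elif in_dns and _is_ip(line.strip()):  # extra servers follow on indented lines
            found.append(line.strip())
        else:
            in_dns = False
    return found

def rogue_resolvers(resolvers, ranges=ROGUE_RANGES):
    """Configured resolvers that fall inside a flagged range; non-IP entries are skipped."""
    return [a for a in resolvers
            if _is_ip(a) and any(ipaddress.ip_address(a) in net for net in ranges)]

# Constructed samples: each lists one legitimate resolver and one inside a flagged range.
SAMPLE_RESOLV_CONF = "# constructed sample\nnameserver 192.0.2.53\nnameserver 203.0.113.1\n"
SAMPLE_IPCONFIG = """Windows IP Configuration (constructed sample)

Ethernet adapter Ethernet:
   DNS Servers . . . . . . . . . . . : 198.51.100.7
                                       203.0.113.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    hits = rogue_resolvers(resolvers_from_ipconfig(SAMPLE_IPCONFIG))
    print("flagged resolvers:", hits or "none")
```

On a real host, feed the script the actual `ipconfig /all` output or `/etc/resolv.conf` contents in place of the samples.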
