Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Interview: How the DNSChanger malware works

Zafar Anjum | July 10, 2012
Many users have a chance of experiencing complete Internet outage if they remain unaware of this infection.

FBI has since seized the rogue DNS servers and the botnet's command-and-control (C&C) servers as part of Operation Ghost Click and the servers are now under their control. To assist victims affected by the DNSChanger, the FBI obtained a court order authorising the Internet Systems Consortium (ISC) to deploy and maintain temporary legitimate DNS servers, replacing the Rove Digital malicious network. As mentioned earlier, this is by no means a permanent solution and does not remove malware from infected systems; it just provides additional time for victims to clean affected computers and restore their normal DNS settings. According to the court order-which expired on 9 July 2012-the clean DNS servers will be turned off and computers still infected by DNSChanger malware may lose Internet connectivity.

To put this into perspective, DNS is an Internet service that converts user-friendly domain names into the numerical IP addresses that computers use to talk to each other. When you enter a domain name into your Web browser address bar, your computer contacts DNS servers to determine the IP address for the website you are intending to visit. Your computer then uses this IP address to locate and connect to the website. DNS servers are operated by your Internet service provider (ISP) and are included in your computer's network configuration.

The figure below shows how DNS works:

How DNS work


Figure 1. How DNS works

With the ability to change a computer's DNS settings, malware authors can control what websites a computer connects to on the Internet and can force a compromised computer to connect to a fraudulent website or redirect the computer away from an intended website. To do that, a malware author needs to compromise a computer with malicious code, which in this case is DNSChanger. Once the computer is compromised, the malware modifies the DNS settings from the ISP's legitimate DNS server's address to the rogue DNS server's address, in this case, advertisement websites.

The figure below shows how the DNSChanger malware works:

How DNS changers works 1

Figure 2. How DNSChanger works

 What can individuals or companies do to avoid facing an Internet blackout?

A task force has been created, called the DNSChanger Working Group (DCWG), to help people determine if their computers have been compromised by this threat and to also help them remove the threat.

Users can go to the DNS Changer Check-Up page, maintained by the DCWG, to determine whether their computer is compromised or not. There are other pages in various languages maintained by other organisations listed on the DCWG's Detect page. Various organisations are proactively informing users that their computers are compromised by DNSChanger. The FBI has also put together instructions on how to determine manually if a computer has been compromised or not.


Previous Page  1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.