Infected Computers to Lose Web Access When FBI Band-Aid Falls Off
The safety net that federal authorities set up several months ago as a countermeasure to a massive malware scam will be shut down in July. When that happens, computers that are still infected with the malware, known as "DNSChanger," may be completely unable to access the Internet. The FBI and other groups have set up tools to diagnose and mend affected computers.
Apr 23, 2012 11:58 AM PT
Come July 9, about 350,000 computers in the United States alone may lose access to the Internet because they had previously been infected with DNSChanger malware.
The malware stealthily redirected victims accessing various websites to rogue servers controlled by a cybercriminal ring.
Six of the seven alleged cybercrooks were arrested in November as part of a two-year operation by the United States FBI and foreign law enforcement agencies. They have been charged in a New York court.
The FBI then obtained a court order authorizing the Internet Systems Consortium to deploy and maintain clean DNS servers until July 9.
It also took other actions, including setting up a page you can use to see whether your DNS address is among those affected.
Owners of computers at risk are mainly responsible for fixing the problem because "if a business or consumer doesn't know there's a problem, it's a symptom of ignorance, and fixing the problem for them this time does nothing to address the long-term problem of failing to learn to use a computer securely," Randy Abrams, an independent security consultant, told TechNewsWorld.
The Root of the Problem
The DNSChanger malware used by the cybercriminal ring replaced the DNS server settings of infected computers with the settings of rogue servers owned by the syndicate. It also tried to access users' routers or home gateways using common default usernames and passwords. If it succeeded, it changed the DNS server settings on these devices to those of the cybercriminals' rogue servers.
DNSChanger also prevented infected computers from receiving antivirus or operating system updates that might have detected and stopped it, the FBI said. This also left the infected computers open to attack by other viruses.
The FBI lists ways to check DNS server settings on PCs, and it recommends that readers check settings on wireless access points or routers as well whether their computers are connected to these.
"The real work now is educating consumers and businesses to properly maintain their computers," Abrams said.
The Role of the ISP
Internet Service Providers not only provide access to the Web, but in cybersecurity legislation now under consideration, they would also have to share information about their users with various federal agencies as well.
Should ISPs shoulder more responsibility for protecting users from malware attacks and do more to mitigate the effect of the DNSChanger malware?
"Many ISPs are geographically distributed, meaning that they have to obey several sets of laws," Sorin Mustaca, a data security expert at Avira, told TechNewsWorld.
However, Internet service providers (ISPs) should also shoulder part of the blame, as "some ISPs make it simple for cybercriminals to commandeer email accounts because they won't use basic security practices," Abrams said.
The DNS Changer Working Group
The FBI directs people who suspect they've been hit by the DNSChanger malware to the website of an ad hoc group of subject matter experts known as the DNS Changer Working Group (DCWG). However, the site was offline when TechNewsWorld visited it at press time.
"I suspect that in the past few days, the site has been overwhelmed with people testing their computers," Abrams suggested.
Remedies for DNSChanger Infections
Avira has released a free tool that's "completely independent" of its security products and can be used by people who have other security software on their computers. It "detects if some known IP addresses are written in the registry which overwrite the default DNS settings and replaces them with default values if found," the company's Mustaca said.
"I would certainly trust Avira's tools," Abrams said. He suggested two other sites computer users can visit to check whether their PCs are infected. One is the DNS-OK.us site and the other is an anti-botnet advisory center set up by the German Internet industry with funding from the German government.
These two sites make it easy to check whether or not a PC is infected. Going to them produced results within seconds.