DNS (Domain Name System) is an Internet service that converts user-friendly domain names into the numerical Internet protocol (IP) addresses that computers use to talk to each other. When you enter a domain name, such as www.fbi.gov, in your web browser address bar, your computer contacts DNS servers to determine the IP address for the website. Your computer then uses this IP address to locate and connect to the website. DNS servers are operated by your Internet service provider (ISP) and are included in your computer’s network configuration. DNS and DNS Servers are a critical component of your computer’s operating environment—without them, you would not be able to access websites, send e-mail, or use any other Internet services.
Criminals have learned that if they can control a user’s DNS servers, they can control what sites the user connects to on the Internet. By controlling DNS, a criminal can get an unsuspecting user to connect to a fraudulent website or to interfere with that user’s online web browsing. One way criminals do this is by infecting computers with a class of malicious software (malware) called DNSChanger. In this scenario, the criminal uses the malware to change the user’s DNS server settings to replace the ISP’s good DNS servers with bad DNS servers operated by the criminal. A bad DNS server operated by a criminal is referred to as a rogue DNS server.
Working with Estonian officials, the FBI was able to track down the perps — six Estonian nationals were arrested for the crime last November — and seize their servers. But given the number of computers estimated infected, the FBI opted to leave the servers running, ad-neutralized, to avoid disrupting Internet functionality for those unaware their computers were compromised. And to give users more time to purge, the FBI secured a court order on March 12, 2012 that authorized the Internet Systems Consortium (ISC) — a nonprofit corporation that supports the Internet’s infrastructure — to roll out and maintain temporary “clean” DNS servers. But since these servers cost money to operate, the plan has been to shut them off on July 9, 2012. When that happens, DNS-related Internet activity on infected computers, e.g. web and email, will cease to function.
To be clear, your Internet service itself will be unaffected by the change: If your computer is infected with the DNSChanger malware, your Internet router will keep routing and any commands sent by your computer that aren’t DNS-related will still pass. The FBI isn’t shutting off Internet service to impacted machines, it’s just pulling the plug on a stopgap measure designed to bandaid the broken process currently facilitating DNS communication on infected machines.
It is quite possible that computers infected with this malware may also be infected with other malware. The establishment of these clean DNS servers does not guarantee that the computers are safe from other malware. The main intent is to ensure users do not lose DNS services.
What Does DNSChanger Do to My Computer?
DNSChanger malware causes a computer to use rogue DNS servers in one of two ways. First, it changes the computer’s DNS server settings to replace the ISP’s good DNS servers with rogue DNS servers operated by the criminal. Second, it attempts to access devices on the victim’s small office/home office (SOHO) network that run a dynamic host configuration protocol (DHCP) server (eg. a router or home gateway). The malware attempts to access these devices using common default usernames and passwords and, if successful, changes the DNS servers these devices use from the ISP’s good DNS servers to rogue DNS servers operated by the criminals. This is a change that may impact all computers on the SOHO network, even if those computers are not infected with the malware.
Am I Infected?
The best way to determine if your computer or SOHO router has been affected by DNSChanger is to have them evaluated by a computer professional.
To determine if a computer is using rogue DNS servers, it is necessary to check the DNS server settings on the computer. An industry wide team has developed an easy “are you infected” web site, a quick way to determine if you are infected with DNSChanger. The site is designed for any normal computer user to check for the DNSChanger infection.*
After clicking the link below you will be presented with one of two screens: