BTA Blog

April, 2012:

DNSChanger malware

If you use default passwords on your home or office gateway/router, then you may be at risk from the DNSChanger malware.  It can affect how your computers translate domain names such as apple.com and microsoft.com into the unique Internet Protocol (IP) addresses, such as 198.51.100.1, that we ultimately depend on to reach other computers.  A company in Estonia called Rove Digital has been operating since 2007 and may have affected more than 500,000 computers in the United States alone.  If your computer is affected, it will fail to access the Internet after July 9, 2012.

The Domain Name System (DNS) is a critical Internet service that converts user-friendly domain names, such as www.fbi.gov, into numerical addresses that allow computers to talk to each other. Without DNS and the DNS servers operated by Internet service providers, computer users would not be able to browse websites or send e-mail.

DNSChanger malware causes a computer to use rogue DNS servers in one of two ways.

  1. The malware changes the computer’s DNS server settings to replace the ISP’s good DNS servers with rogue DNS servers operated by the criminal.
  2. The malware attempts to access devices on the victim’s small office/home office (SOHO) network that run a dynamic host configuration protocol (DHCP) server (e.g. a router or home gateway). The malware attempts to access these devices using common default usernames and passwords and, if successful, changes the DNS servers these devices use from the ISP’s good DNS servers to rogue DNS servers operated by the criminals. This change may impact all computers on the SOHO network, even if those computers are not infected with the malware.

To assist victims affected by the DNSChanger malicious software, the FBI obtained a court order authorizing the Internet Systems Consortium (ISC) to deploy and maintain temporary clean DNS servers. This solution is temporary, providing additional time for victims to clean affected computers and restore their normal DNS settings. The clean DNS servers will be turned off on July 9, 2012, and computers still impacted by DNSChanger may lose Internet connectivity at that time.

The following table lists sites set up to help you determine if your computer is affected.

URL                     Language         Maintainer
http://www.dns-ok.us/   English          DNS Changer Working Group (DCWG)
http://www.dns-ok.de/   German           Bundeskriminalamt (BKA); Bundesamt für Sicherheit in der Informationstechnik (BSI)
http://www.dns-ok.fi/   Finnish          CERT-Fi
http://www.dns-ok.ax/   Swedish          CERT-Fi
http://www.dns-ok.be/   Dutch/French     CERT.be
http://www.dns-ok.fr/   French           CERT-LEXSI
http://www.dns-ok.ca/   English/French   CIRA and CCIRC
http://www.dns-ok.lu/   English          CIRCL
http://dns-ok.nl/       Dutch/English    SIDN

For more technically oriented people, the following is the list of IP address ranges the criminals used for their rogue DNS servers.

List of Rogue DNS Server Addresses

  • 85.255.112.0 through 85.255.127.255
  • 67.210.0.0 through 67.210.15.255
  • 93.188.160.0 through 93.188.167.255
  • 77.67.83.0 through 77.67.83.255
  • 213.109.64.0 through 213.109.79.255
  • 64.28.176.0 through 64.28.191.255
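The two infection paths above (the computer's own resolver settings, or the router's DNS settings via default credentials) both end with a machine resolving names through an address in one of the ranges listed. As an added example, not code from the original post or from the DCWG, the following Python script converts those published ranges into CIDR networks and checks a set of configured resolvers against them. The resolv.conf text and the addresses in it are constructed samples (192.0.2.53 is a documentation-range placeholder standing in for an ISP server), and the function names are my own.

```python
import ipaddress
import re

# The rogue DNS server ranges listed in the post, in the "start through end"
# form in which they were published.
ROGUE_RANGES_TEXT = """
85.255.112.0 through 85.255.127.255
67.210.0.0 through 67.210.15.255
93.188.160.0 through 93.188.167.255
77.67.83.0 through 77.67.83.255
213.109.64.0 through 213.109.79.255
64.28.176.0 through 64.28.191.255
"""

RANGE_RE = re.compile(r"^\s*(\S+)\s+through\s+(\S+)\s*$")


def parse_ranges(text):
    """Convert 'start through end' lines into ip_network objects.

    summarize_address_range() yields the minimal set of CIDR blocks that
    exactly covers the inclusive range, so each published range becomes
    one or more prefixes that a membership test can check cheaply.
    """
    networks = []
    for line in text.strip().splitlines():
        match = RANGE_RE.match(line)
        if not match:
            continue  # skip blank or malformed lines
        first = ipaddress.ip_address(match.group(1))
        last = ipaddress.ip_address(match.group(2))
        networks.extend(ipaddress.summarize_address_range(first, last))
    return networks


ROGUE_NETWORKS = parse_ranges(ROGUE_RANGES_TEXT)


def is_rogue(server):
    """True if the resolver address falls inside any published rogue range."""
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return False  # not an IP literal (e.g. a hostname); cannot match
    return any(addr in net for net in ROGUE_NETWORKS)


def resolvers_from_resolv_conf(text):
    """Pull the nameserver addresses out of resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def check_resolvers(servers):
    """Return (server, rogue) pairs so a caller can report or alert on them."""
    return [(server, is_rogue(server)) for server in servers]


# Constructed sample input: one resolver in the documentation range
# (standing in for an ISP-assigned server) and one inside a rogue range.
SAMPLE_RESOLV_CONF = """# constructed sample, not from a real machine
nameserver 192.0.2.53
nameserver 85.255.112.36
"""

if __name__ == "__main__":
    servers = resolvers_from_resolv_conf(SAMPLE_RESOLV_CONF)
    for server, rogue in check_resolvers(servers):
        print(f"{server}: {'ROGUE' if rogue else 'ok'}")
```

On a real Unix-like host, read /etc/resolv.conf instead of the sample; on Windows, feed the "DNS Servers" entries from `ipconfig /all` to check_resolvers. The same is_rogue test applies to the DNS server addresses shown on the router's administration page, which is where the second infection path in the post makes its change, so a clean workstation can still be resolving through a rogue server if the gateway was modified.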

For more information see the following links:

http://www.fbi.gov/news/stories/2011/november/malware_110911/malware_110911

DNS Changer Working Group (DCWG)

http://www.fbi.gov/newyork/press-releases/2011/manhattan-u.s.-attorney-charges-seven-individuals-for-engineering-sophisticated-internet-fraud-scheme-that-infected-millions-of-computers-worldwide-and-manipulated-internet-advertising-business

Update 2015-01-02: Many sites linked from this page are no longer available.