DNS Changer - how not to lose your internet connection on July 9 [VIDEO]

Filed Under: Featured, Law & order, Malware, Video

On Monday, July 9, the much-talked-about DNS Changer 'internet blackout' will take place.

Hundreds of thousands of computer users could potentially be affected, if they don't take action now.

We've made a video to cut through the hype and help you avoid problems come Monday morning.

(Enjoy this video? Check out more on the SophosLabs YouTube channel.)

The DNS Changer Working Group (DCWG), a cross-industry team of experts, has created a number of websites which offer to tell you automatically if your computer might have been affected by the DNS Changer malware. You can access that list here.

Please note that it is still strongly recommended that you scan your computer with an up-to-date anti-virus product, and although one of the DCWG-endorsed tests may give you peace of mind, there is nothing better than checking your DNS settings for yourself.

Further reading: Internet doomsday on July 9th? Don't panic! Take action


-

, , , , , , ,

You might like

33 Responses to DNS Changer - how not to lose your internet connection on July 9 [VIDEO]

  1. Socket0 · 787 days ago

    Am I missing something, or should this have been a trivial problem to solve? Instead of providing legitimate DNS entries, shouldn't the FBI have been redirecting infected users to a special FBI page explaining the problem and its solutions?

    • Paul Ducklin · 787 days ago

      My colleague Chester has already argued that the 'blackout' really ought to be considered a good thing - as he puts it, "a rude wake-up call, but an unfortunately necessary one":
      http://nakedsecurity.sophos.com/2012/02/05/dns-ch...

      He actually wrote that back in February, when these interim DNS servers were due to be turned off the first time...

      • Jason · 784 days ago

        I agree that the world needs a wake-up call when it comes to "hiding in plain sight" type of malware, but did the FBI really do everyone a favor by patching the compromised IP addresses instead of shutting them down all together back in 2007? How much greater would the impact have been if DNS services had stopped for people that were infected back in 07 compared to today? Most people learn through experience... Just saying.

    • blake · 787 days ago

      I agree - the best solution seems like simplicity itself - a simple redirect. God knows why it takes "a cross-industry team of experts" to produce a convoluted solution - and feed scare-mongering 'doomsday' scenarios.

      If I was of a conspiratorial mind, I'd suggest that the black-outs were deliberately manipulated - thus ensuring a large number of users are affected, blame it on bad guys, and leverage further internet restrictions... but I'm not, and it's probably just bureaucracy ... :)

      • Paul Ducklin · 787 days ago

        Hmmm. To run your "simple" redirect you'd need to run a set of DNS servers, _plus run a web server and host a bunch of content_ - and that would only solve the issue for DNS lookups conducted on behalf of a web browser.

        But to implement the current system, which you're calling "convoluted", you just need to run the DNS servers :-)

        • Jason · 787 days ago

          The last time I looked, the FBI has a web site (web server: check! [static] content hosting: check!). From day one, you get served a FBI page that says you have a trojan with instructions to fix it or seek help to do so. Coming up with an idea for the government to act as a DNS server instead of the countless valid ones in existence and run said program for a finite period of time, launch a major PR campaign to announce how the government has been "helping" you all this time with the program but no longer will as of an arbitrary date, and then black it out is convoluted.

          • JR1 · 785 days ago

            The average user try to open his / her favorite website (remember all non-browser internet thing work because the replacement DNS servers), but in the browser just a FBI warning popping up. This mean two thing:
            a) Virus, spyware or other bad thing infected the computer.
            b) The FBI seized the website domain.

            Actually no one or just a few people will read the instructions. But if nothing works (no web, no IM, no multiplayer games etc.), then you call your ISP or your favorite IT guy.

    • Lo Pan · 784 days ago

      The simple answer here is that the new york court order didn't allow the ISC/FBI to do this, they could only provide a valid DNS service.

      Whether or not it is a good idea is another question.

  2. Judi · 787 days ago

    Is this blackout thing affecting all PC's or are Apple computers affected too. Sorry, all this is new to me.
    Judi

    • Jason · 787 days ago

      Judi, DNS is universal so it could affect your mac. I don't know about the infection route and if mac is immune but it's worth checking your settings anyway.

    • nic · 787 days ago

      All computers are possibly affected. There are websites that will automatically check your DNS settings for you, just search for DNSChanger malware.

      • DNSChanger malware did come out for OS X as well, and over 5% of Mac-specific detections by Sophos Mac users over the last week were for DNSChanger malware.

        Something else to note is that at least one variant of the DNSChanger malware attempted to change the DNS settings on personal routers as well -- so even if you've been infected and cleaned up one of the computers on your network, it's still possible that all the computers on your network are pointed at the FBI DNS servers because your router is still misconfigured.

        If you find you can't resolve domain names come Monday, try resetting your router to factory settings -- or if you're able, log in and verify that your DHCP and DNS settings are pointed at your ISP, or your DNS settings are pointed at OpenDNS or GoogleDNS servers.

  3. Jason · 787 days ago

    If you're going to take the time to follow your good advice, you might as well drop your ISP's slow DNS server all together while you're in there. OpenDNS (208.67.222.222/208.67.220.220) is my favorite but there is also an easy to remember Google DNS at 8.8.8.8/8.8.4.4.

    • Mark · 787 days ago

      Why do ISP's bother with DNS at all? All it does is create havoc.

      • Without DNS, you'd be unable to access this website. If you resolve nakedsecurity.sophos.com, you'll (currently*) see the following:

        nakedsecurity.sophos.com is an alias for sophosnews.wordpress.com.
        sophosnews.wordpress.com is an alias for vip-lb.wordpress.com.
        vip-lb.wordpress.com has address 72.233.104.123
        vip-lb.wordpress.com has address 72.233.127.217
        vip-lb.wordpress.com has address 74.200.247.59
        vip-lb.wordpress.com has address 74.200.247.187
        vip-lb.wordpress.com has address 76.74.255.117
        vip-lb.wordpress.com has address 76.74.255.123

        *actual IPs are subject to change over time.

        The website itself is a vhosted server; if you attempt to get here using one of the IP addresses listed, you'll end up at a WordPress "This page doesn't exist" page, as the domain name is provided to the web server to serve up the appropriate content.

        So if ISPs didn't bother with DNS, we would all be responsible to maintain our own DNS locally (or through some third party service), which would be much less efficient, more complex to set up and maintain, and just as prone to security issues and general havoc.

  4. Sergio Maestre · 787 days ago

    Hello, Can the Sophos Removal Tool restore the initial DNS configuration in the endpoint? about DNS Changer

  5. ian · 787 days ago

    is this just a USA problem

  6. Gavin · 785 days ago

    Paul you are Australian stop pronouncing it a "rooter" just because our friends from the USA speak like that doesn't mean you have to.

    • Paul Ducklin · 785 days ago

      Firstly, I think you'll find that the pronunication "rowter" actually entered Australian English from the USA, where (some parts of the country) use the pronunciation "rowt-" consistently for the words "route", "routing" and "router" in the context of a journey.

      Secondly, I'm not Australian.

      Thirdly, I think you will find "rooter" an unexceptional pronunication in most dictionaries, notably including the Oxford Dictionary of English.

      And fourthly, whilst I generally stick to the pronunciations I learned when I was learning English, I don't see why I - or anyone else, for that matter - shouldn't use an American pronunciation if it doesn't affect clarity.

      (If you eschew American pronunciations, you have to eschew all American words, since - by definition - they have only American pronunciations. This sounds both petty and needlessly restrictive. How would you order "hash browns", for example? By mime? By gesture? And if you won't even borrow from the fellow custodians of our language, you'd better stop with the truly foreign load words...no more shampoo, no espresso, no ketchup, no brandy - and no whisky either, for that matter.

      Funny how this "rooter" thing has became a major issue for some people - even though they understood _perfectly_ well what I meant :-)

  7. Scott K · 785 days ago

    Has anyone else noticed how the media is blowing this way out of proportion? Over here in the US, they're calling it the "Internet Doomsday."

    • Paul Ducklin · 785 days ago

      Actually, if we treat it as an internet _Domesday_ (as in the name of the famous property survey book of AD1080, which was pronounced "doomsday" at the time, probably to the chagrin of @Gavin above :-), and use it as a chance to take census of our configuration settings...

      ...we shall all be better off!

      I, too, cringe at the "doomsday" predictions, and and the misuse that has been made of the statistic that "12% of Fortune 500 companies are infected". (This statistic actually means nothing more than that the company has at least one computer that has used a dodgy DNS server in recent memory - possibly in a deliberately-conducted test, for all we know.)

      But it _is_ at least a useful reminder, as I mention in the video, that you can remain AFfected by malware long after you are no longer INfected.

    • Internaut · 781 days ago

      That is what the news *medium is all about - tabloid style sensationalism. The medium changed it to media to get away fr4om sounding like a bunch of psychics - - and it is/was called "medium" because it is very Rare that it is ever Well Done.

      Plus, the medium considers itself the be-all, and end-all, of great knowledge, are the world teachers and no one else is right, nor are they wrong. We tune in in CNN, and HLN for a laugh. Then in the evening, maybe Nancy Disgrace on a witch hunt, or Jane Velez Bitchell rant on and on and never come to a point. Then, if we need a goo colon cleanse, a few minutes of the self-proclaimed health expert Dr. Slew.

      If they would stop getting their 'Internet' stuff from Snopes or stop reading from emails they get from a friend of a friend that says it's true because their friend is a lawyer/police officer/yaddayadda, that said Microsoft announced it (not!), then the real stuff might help people on up to mega-corporations protect themselves from the real problems.

      What is really needed in a Internet news channel is channel SOPHOS

  8. Susan · 785 days ago

    The FBI should have been doing something like "close the servers down every Monday".

    Users would all see that they have no Internet access every Monday... for a full year... before the servers would be closed permanently.

    Instead the FBI helped *HIDE* the problem for everyone.

  9. Donna · 785 days ago

    > "rooter" just because our friends from the USA speak like that

    Huh?

    No one in the USA says "rooter". They all say "r-out-er". In fact, after 20 years of listening, this video was the FIRST time I've ever heard anyone in the world say "roooooter".

    • Jack · 784 days ago

      From the US, I've always said 'rowter'. And if he was Australian, 'rooter' would mean something interesting.

  10. roy jones jr · 784 days ago

    Well the "checking' that Paul described in his video isn't so crazy. I mean all you have to do is check 2 devices. We all learned how to drive. So learning simple settings in Mac and Windows should be everyone's personal goal too. Don't let something as simple as an IP address change hamper you.

  11. Antonio · 784 days ago

    I pronounce it roWter but logic dictates that it should be pronounced rooter, it does, after all, route data packets to and from different connected devices.

    • Feralz Dad · 783 days ago

      So route is pronounced "r-oot" and not "r-out"? So how would you say the word invalid, as "in-val-id" or "in-va-lid"? English is a stupid language!! It has many words spelt the same but have two meanings. I only speak english and I don't like it.

      • Paul Ducklin · 783 days ago

        To increase the confusion, a "router" is also a power tool used by carpenters to carve edges on woodwork. In this meaning, it can _only_ be pronounced rowter.

  12. Something · 783 days ago

    Should DNSChanger be detected by up to date antivirus software?

  13. Paul Ducklin · 783 days ago

    In a word, yes. (There are lots of malware items which fall into the DNS Changer family, on both Windows and Macs. But a good anti-virus should be able to find them for you.)

    But remember, as explained in the video: even if you aren't INfected you may still be AFfected.

    This can happen when you delete the malware but don't review your DNS configuration aferwards. It can also happen if you use a clean computer on a network with a misconfigured router.

  14. DOM · 782 days ago

    I'm going to say rooter going forward too!!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog