Here in SophosLabs, we have been receiving a fair number of requests from the general public asking about the supposed “internet doomsday”, said to strike on July 9th, which will leave “hundreds of thousands of internet users without internet access”.
In the immortal words of Douglas Adams: Don’t Panic
First, let’s back the train up into the station and give you a quick history on this.
Back in November 2011, the FBI seized control of a bunch of rogue DNS servers that the bad guys were using to redirect PCs infected with the DNS Changer malware to various money-making scams.
More than 350,000 computers around the world are thought to still be using the DNS servers, which have now been made harmless. But it’s US taxpayer dollars which are keeping the DNS servers up and running, and that’s not a situation that can carry on indefinitely.
The best solution is for people to fix the DNS settings on their computers.
The original plan was for the DNS servers to be shut down on March 8th 2012, but the FBI has asked for more time, delaying the shutoff date to July 9th.
Essentially the FBI is trying to give innocent folks time to clean their machines up.
And computers should be fixed – because if the DNS servers go down, any computer relying on them for DNS name services will cease to be able to browse the web, read email or do just about anything on the internet at all.
The issue is discussed in greater detail in Sophos Chet Chat podcast 86, which was published last month. (The DNS Changer part of the podcast starts at 4’30”.)
Now for a bit of good news for Sophos customers: Sophos can detect various variants of the DNS Changer malware under names such as Troj/DNSChan-A.
Furthermore, Sophos products can detect if your computer is one of those whose DNS settings have been meddled with, identifying them as CXmal/DNSCha-A, and can help repair the damage.
And finally, if you want to see if your computer is one of those which might be affected on July 9th, you can check via the DNS Changer Working Group website (DCWG).
The FBI also has a look-up form on its site.
If you were one of the unfortunate people whose computers were hit by the DNS Changer malware, your access to the internet does not have to disappear on July 9th.
Take the right steps now to avoid a headache later.
Here’s a video where Paul Ducklin explains more:
Ludo game image, from ShutterStock
All very interesting, of course... but exactly what steps am I supposed to follow to check this out? I, and probably others, need a simple list of instructions as to what to do!!
Visiting http://www.dcwg.org/detect/ is probably the easiest thing to do.
https://forms.fbi.gov/check-to-see-if-your-comput…
Ran the check, but it tells me if the ISP is changing it for me, I could be infected & pass the detect test! What then?
I have AVG free version and Sophos, registry cleaner too, and am usually very careful where I link to. I think a lot of people are like me, just cautious, but I suppose even so almost anyone can be caught by some malware. You only have to be distracted, unthinking, careless once! My hotmail account was hacked and it was a little while before I discovered it. In fact, hotmail noticed unusual traffic and blocked it, thank goodness. I had broken my own rule: clicked a link in an email that seemed authentic at first look, with a fb message.
[quote]And finally, if you want to see if your computer is one of those which might be affected on July 9th, you can check via the DNS Changer Working Group website (DCWG).[/quote]
If you actually read the thing you would find the info there, along with a link to the site that does the actual checking, which is the same link that Graham posted. It's not rocket science, people!
The original plan, as the article points out, was to shut down the rogue DNS servers on March 8th. So we're already into dead time.
Why not shut down the DNS servers for an hour each day, cycling around the 24 hour clock (so that it impacts users globally), then increasing this to two or three cycling four-hour periods until the final cut-off?
If users don't already have A/V (or it's not up-to-date) then telling them now that they might be at risk won't change their attitude. Appearing to cut off Internet access would be a far more effective way of highlighting the issue to those at risk.
Better still, have these DNS servers redirect all requests to a farm of servers that simply present null services (Web and Mail are probably the biggies) with messages explaining the problem and offering suggestions for a fix.
I also ran the check & was told the same thing. When I went back to the previous page before the test, I found out that there was a way to manually check to see if you were using a DNS Changer server. The directions were clear, easy & could be carried out without leaving the page. After I did the manual check, I found out that my OS had a tool to remove the malware. I ran the tool, which did take more than 3 hours to check every file on both my C: & D: drives.
RE: the manual check (using ipconfig in command prompt on Windows) – won't this simply return the IP address of the router, if one is being used? i.e. 192.168.x.x
Assuming most people use routers, these days (they do, don't they?), it would surely be helpful for the linked pages to note that it is the router's DNS IP settings that need comparing to the known malicious settings?
My ISP in the UK states which DNS server IPs to use, not my PC. So that is set in the modem set-up process and is set to use just the two IPs given and is not using the automatic method.
Therefore the modem has manually set IP addresses for which servers it should use, the PCs on the Ethernet network do not control them, as far as I know, so unless the malware can change the modem settings then it cannot infect such devices surely?
Although the XP Pro service ‘DNS Client’ is running, I’m not sure whether it needs to be or what effect it has on our networked systems ability to access each other and the Internet via the ADSL modem. I suspect it’s more a case of using that to allow the ‘Hosts’ file to be read to avoid unwanted nefarious address translations?
Is it the case that this malware might affect some PCs that do not use a modem/router for ADSL access to their ISP? Or is it something more specific to the way the Internet is accessed in the USA?
Yes and no. What happens is that your router will set your PC's address by DHCP, and that'll include the DNS server which, in most cases, will be the router itself as you said.
However if a malicious program makes the PC look to a malicious DNS server instead your router will most likely simply forward the requests to that server just the same as it would forward anything else.
OTOH your router could be configured to block any DNS request to servers other than itself.
Just depends.
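The manual check discussed in the comments above (run `ipconfig /all` on Windows, or look at /etc/resolv.conf on Linux and Mac, and compare the listed DNS servers with the rogue ranges) can be scripted. The following is an added example and is not code from the original post or from Sophos or the DCWG. It parses both output formats, flags a resolver as "router" when it is an RFC 1918 address (meaning the PC points at the router, so the router's own DNS settings are what need checking, exactly the point made in the reply above), and as "rogue" when it falls in a rogue range. The rogue range used here is an RFC 5737 documentation placeholder, not a real DNS Changer range; the real ranges are published by the DCWG and must be substituted. The sample `ipconfig` and resolv.conf text is constructed, not captured from any machine.

```python
import ipaddress

# Constructed sample of `ipconfig /all` output; not captured from a real machine.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : EXAMPLE-PC

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       203.0.113.7
"""

# Constructed sample /etc/resolv.conf for a Linux or Mac box on the same LAN.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search example.test
nameserver 192.168.1.1
nameserver 198.51.100.53
"""

# PLACEHOLDER: RFC 5737 documentation space stands in for the rogue ranges.
# Replace with the ranges published by the DCWG before using this for real.
ROGUE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# RFC 1918 space: a resolver here is almost always the home router itself,
# so the router's DNS configuration is what has to be inspected next.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def _as_ip(token):
    """Return the normalised address in `token`, or None if it is not one."""
    try:
        # Drop a Windows IPv6 zone index such as '%1' before parsing.
        return str(ipaddress.ip_address(token.split("%")[0]))
    except ValueError:
        return None


def parse_dns_servers(text):
    """Extract DNS server addresses from `ipconfig /all` or resolv.conf text."""
    servers = []
    continuing = False  # inside a multi-line 'DNS Servers' field of ipconfig
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("nameserver"):  # resolv.conf syntax
            parts = stripped.split()
            ip = _as_ip(parts[1]) if len(parts) > 1 else None
            if ip:
                servers.append(ip)
            continue
        if stripped.startswith("DNS Servers"):  # ipconfig syntax, first address
            _, _, rest = stripped.partition(":")
            ip = _as_ip(rest.strip())
            if ip:
                servers.append(ip)
            continuing = True
            continue
        if continuing:  # ipconfig lists extra resolvers on indented lines
            ip = _as_ip(stripped)
            if ip:
                servers.append(ip)
                continue
            continuing = False  # first non-address line ends the field
    return servers


def classify(server):
    """Label one resolver: 'rogue', 'router' (check the router's DNS), or 'ok'."""
    ip = ipaddress.ip_address(server)
    if any(ip in net for net in ROGUE_RANGES):
        return "rogue"
    if any(ip in net for net in PRIVATE_RANGES):
        return "router"
    return "ok"


def check(text):
    """Map every resolver found in `text` to its label, in listing order."""
    return {server: classify(server) for server in parse_dns_servers(text)}


if __name__ == "__main__":
    for name, sample in (("ipconfig", SAMPLE_IPCONFIG),
                         ("resolv.conf", SAMPLE_RESOLV_CONF)):
        print(name, check(sample))
```

Pipe real output into `check()` (for example the text of `ipconfig /all` saved to a file) once the placeholder ranges have been replaced. A "router" result is not a clean bill of health: it only means the check has to be repeated against the DNS servers configured in the router's admin page, which is the case the comment about 192.168.x.x addresses raises.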
Thank you. I have people starting to ask me about this. They saw articles in various newspapers with "…For computer users, a few mouse clicks could mean the difference between staying online and losing Internet connections…". Now I can send them something to check for themselves.
Just enter the IP address of the website
More than 350,000 computers, so basically it's going to be around that number of computers that are infected, and compared to the amount of computers in the world I wouldn't call this an "internet doomsday". It's more of another issue the internet faces every now and then. Now if the number was in the millions then I could agree on calling it an "internet doomsday".
So, the right steps. What are they?
Since the malware was stopped last November would it affect computers purchased more recently?
Go to the website and see if you are ok then you're fine. No worries. I feel sorry for those who don't know how to take care of their computers. If you get the hint.
You didn't specify which OS is vulnerable. I believe this applied to Microsoft users only. Linux/Ubuntu is the way to go, guys.
We saw DNS Changer malware for Windows and Mac.
Of course, if your Linux/Ubuntu box is using a router that was also being used by an infected Windows/Mac computer then you could also be affected.