Has Google said your PC is infected with DNS Changer malware?

Filed Under: Featured, Google, Malware

Google reckons that up to 500,000 internet users, whose computers were impacted by the DNS Changer malware, will see the following message in the next week alone:

Google warning message

Your computer appears to be infected

We believe that your computer is infected with malicious software. If you don't take action, you might not be able to connect to the internet in future.

Learn how to remove this software.

Let's backtrack a little and explain why this is happening.

Until November last year, a group of cybercriminals were using a bunch of rogue DNS servers to redirect PCs infected with a family of malware called DNS Changer to webpages and adverts that helped them make money.

The FBI seized control of the servers, and made them harmless. But hundreds of thousands of affected computers continue to use them. As we've described before, the FBI is going to shut down the servers on July 9th - meaning that those computers, if their owners do nothing about it, could lose access to the internet.


The best solution is for those affected to fix the DNS settings on their computers, but a method has to be found to inform those internet users who are impacted. And that's why Google is joining the awareness campaign.

I think we should applaud Google for what it's doing, as anything which warns computer users about genuine security issues has to be a good thing.

But, sadly and inevitably, there is clearly the potential for cybercriminals to mimic the Google warning and direct users to dangerous downloads and scams.

The danger is that many people may know what their own anti-virus software looks like when it displays a warning, but may be less familiar with how the Google warning presents itself, and where it links to.

I hope we won't see any cybercriminals try to take advantage of Google's initiative in the hope of lining their own pockets.

Sophos products detect various variants of the DNS Changer malware under names such as Troj/DNSChan-A.

Furthermore, Sophos products can detect whether your computer is one of those whose DNS settings have been meddled with (identifying them as CXmal/DNSCha-A) and help repair the damage.

And, if you want to be proactive and see if your computer is one of those which might be affected on July 9th, you can check via the DNS Changer Working Group website (DCWG).

The FBI also has a look-up form on its own site.
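As an added defender-side illustration of the check described above (example code written for this page; it is not from the original post, Sophos, Google, the DCWG or the FBI), the script below pulls the configured resolvers out of a resolv.conf file or `ipconfig /all` output and flags any that fall inside a list of rogue-resolver address ranges. The ranges it ships with are placeholder RFC 5737 documentation prefixes, not the real ranges the FBI published, and both sample inputs are constructed; substitute the published list to use it for real.

```python
"""Audit configured DNS resolvers against known-rogue resolver ranges.

Added example for this page; not the post's, Sophos', Google's or the DCWG's code.
ROGUE_RESOLVER_RANGES holds constructed placeholders (RFC 5737 documentation
prefixes), NOT the ranges published for DNS Changer; replace with the real list.
"""
import ipaddress
import re
from typing import Dict, Iterable, List

ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),     # placeholder, not a real IoC
    ipaddress.ip_network("198.51.100.0/24"),  # placeholder, not a real IoC
]

# resolv.conf style line: "nameserver 10.0.0.1"
_RESOLV_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.IGNORECASE)
# ipconfig /all style line: "   DNS Servers . . . . . . . . . . . : 10.0.0.1"
# with additional resolvers on indented continuation lines holding only an address.
_IPCONFIG_DNS_RE = re.compile(r"^\s*DNS Servers[ .]*:\s*(\S+)", re.IGNORECASE)
_BARE_ADDR_RE = re.compile(r"^\s+([0-9A-Fa-f:.%]+)\s*$")


def resolvers_from_resolv_conf(text: str) -> List[str]:
    """Return every nameserver address listed in resolv.conf-style text."""
    return [m.group(1) for line in text.splitlines() if (m := _RESOLV_RE.match(line))]


def resolvers_from_ipconfig(text: str) -> List[str]:
    """Return every DNS server address listed in 'ipconfig /all' output."""
    found: List[str] = []
    in_dns_block = False
    for line in text.splitlines():
        m = _IPCONFIG_DNS_RE.match(line)
        if m:
            found.append(m.group(1))
            in_dns_block = True
            continue
        # Continuation lines carry only an address; anything else ends the block.
        if in_dns_block and (m := _BARE_ADDR_RE.match(line)):
            found.append(m.group(1))
            continue
        in_dns_block = False
    return found


def classify(addr: str) -> str:
    """'rogue' if addr lies in a known-rogue range, 'ok' otherwise, 'invalid' if unparsable."""
    try:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop an IPv6 zone id such as %1
    except ValueError:
        return "invalid"
    return "rogue" if any(ip in net for net in ROGUE_RESOLVER_RANGES) else "ok"


def audit(addrs: Iterable[str]) -> Dict[str, List[str]]:
    """Group resolver addresses by verdict so a caller can act on the 'rogue' list."""
    report: Dict[str, List[str]] = {"rogue": [], "ok": [], "invalid": []}
    for addr in addrs:
        report[classify(addr)].append(addr)
    return report


# Constructed sample inputs (not captured from a real machine).
SAMPLE_RESOLV_CONF = """# constructed sample resolv.conf
nameserver 192.0.2.53
nameserver 10.0.0.1
"""

SAMPLE_IPCONFIG = """Windows IP Configuration

Ethernet adapter Ethernet:
   IPv4 Address. . . . . . . . . . . : 10.0.0.5
   DNS Servers . . . . . . . . . . . : 198.51.100.7
                                       fec0:0:0:ffff::1%1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for label, addrs in (
        ("resolv.conf", resolvers_from_resolv_conf(SAMPLE_RESOLV_CONF)),
        ("ipconfig /all", resolvers_from_ipconfig(SAMPLE_IPCONFIG)),
    ):
        report = audit(addrs)
        print(f"{label}: {report}")
        if report["rogue"]:
            print(f"  WARNING: resolver(s) in a known-rogue range: {report['rogue']}")
```

To run it against a live machine, feed the contents of `/etc/resolv.conf` to `resolvers_from_resolv_conf` or the text of `ipconfig /all` to `resolvers_from_ipconfig`; a non-empty `rogue` list means the DNS settings should be corrected, which is the same conclusion the DCWG and FBI look-up pages give you.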


14 Responses to Has Google said your PC is infected with DNS Changer malware?

  1. Xorinzor · 1231 days ago

    nothing new about it? Have seen this like a year or more ago already

  2. Mattis · 1231 days ago

    There is a solution for that problem. Two free services from opendns.com - use their dns servers instead of the one given by your ISP and encrypt all DNS queries with their DNSCrypt.

  3. Damian Menscher · 1231 days ago

    You raise the concern that malware authors could mimic the Google warning. We thought about that too, which is why the warning only appears on a trusted page, and is positioned above the search results. It appears this was sufficient -- you raised the same concern last year, and I am unaware of any malware that imitated that warning.

    • Hi Damian

      Thanks for taking the time to comment - and thanks also for the great work Google is doing in helping with this problem.

      I'm not trying to suggest that the risk of cybercriminals mimicking the Google alert is a significant one. But it does exist.

      We have, for instance, seen a spate of attacks recently where the bad guys have injected their code (for instance, adverts) into webpages shown by users' browsers - and it is conceivable that this could happen again.

      I don't mean to suggest that Google shouldn't be warning users about the risk of not fixing their DNS settings. I agree that's important.

      But as many users will be unfamiliar with what the Google alert looks like, and where it might direct them to, they should at least be warned to be cautious - and be *sure* it's a Google alert that they are reading rather than something else.


  4. DjFIL · 1231 days ago

    What's the point of Google doing this? Isn't the point of DNS Changer to redirect people to fake Google hosts? So the infected people wouldn't see the real Google and its warning anyway.

    • The FBI took over the rogue DNS servers, meaning that they are no longer up to mischief.

      But the FBI can't keep them running indefinitely for the benefit of those affected users who are pointing to them.

      So there is a point in Google adding to the other advisories and warnings that have been issued for these users.

  5. chipbuster · 1231 days ago

    Oh boy.

    Props to Google for trying to help out here, but is giving people an unsolicited message that says "Your computer is infected. Click here to fix the problem." really the best way to go about this? I mean, yes, we fix the problem now, but this is the exact same pattern that scareware manufacturers use.

  6. Freida Gray · 1231 days ago

    The Google ad does look like scareware to me & I would tend to ignore such warnings that looked like scareware. Since a lot of others would tend to do the same, Google may have wasted their time by putting up an ad that does nothing.

  7. eddie · 1230 days ago

    I keep seeing this message on my iPod Touch. How can I get rid of this malware?

    • Veritas · 1230 days ago

      If it's on your iPod Touch I would check the DNS settings in the router that your iPod is using.

  8. Sharp · 1230 days ago

    I don't know why this seems to be such a mess. Just close them down, instead of waiting. Then the people who are infected will know instantly something is wrong and fix it instead of being in the dark because they don't care about their data, or PCs. Why waste more time and money on nothing?

    Personally I checked this for the grammar error from the email ("google is warns"), but if Google is able to access this easily from your browser, then what makes you think others are not doing the same thing?

  9. android man · 1230 days ago

    I opened my Google Malaysia; they didn't warn about anything.

  10. a.nony.mous · 1228 days ago

    Why should the victims of this exploit have to visit a special web site to determine if they are infected, when the FBI's proxy has an inherent capacity for {automatic} notification to every infected client whenever they access ANY web page? This just looks like a last-minute attempt to establish plausible deniability for an illegal spying operation before the court requires them to shut it down. It does not make any sense to run this proxy in transparent (stealth) mode unless the goal is to spy on the users. It's common knowledge that the FBI wants to spy on everyone all of the time, and does so routinely, without regard for due process. How could they resist playing with a massive surveillance system that was practically dropped into their lap?

    I don't believe the FBI is motivated by altruism here... and I don't think any sensible person would trust that their internet accounts are safe in the hands of a US government agency. So I have to disagree with the assertion that these servers have been "made harmless". There is no proof, or even a respectable probability. For all you know, your readers' bank passwords could be in the hands of some grasping revenue officer by now, or a rogue agent. Just look at how many TSA employees have been caught stealing from travelers' luggage!

About the author

Graham Cluley runs his own award-winning computer security blog at https://grahamcluley.com, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley