Google reckons that up to 500,000 internet users, whose computers were impacted by the DNS Changer malware, will see the following message in the next week alone:
Your computer appears to be infected
We believe that your computer is infected with malicious software. If you don't take action, you might not be able to connect to the internet in future.
Learn how to remove this software.
Let’s backtrack a little and explain why this is happening.
Until November last year, a group of cybercriminals were using a bunch of rogue DNS servers to redirect PCs infected with a family of malware called DNS Changer to webpages and adverts that helped them make money.
The FBI seized control of the servers, and made them harmless. But hundreds of thousands of affected computers continue to use them. As we’ve described before, the FBI is going to shut down the servers on July 9th – meaning that those computers, if their owners do nothing about it, could lose access to the internet.
The best solution is for those affected to fix the DNS settings on their computers, but a method has to be found to inform those internet users who are impacted. And that’s why Google is joining the awareness campaign.
I think we should applaud Google for what it's doing, as anything which warns computer users about genuine security issues has to be a good thing.
But, sadly and inevitably, there is clearly the potential for cybercriminals to mimic the Google warning and direct users to dangerous downloads and scams.
The danger is that many people may know what their own anti-virus software looks like when it displays a warning, but may be less familiar with how the Google warning presents itself, and where it links to.
I hope we won’t see any cybercriminals try to take advantage of Google’s initiative in the hope of lining their own pockets.
Sophos products detect various variants of the DNS Changer malware under names such as Troj/DNSChan-A.
Furthermore, Sophos products can detect if your computer is one of the ones whose DNS settings have been meddled with – identifying them as CXmal/DNSCha-A – and help repair the damage.
And, if you want to be proactive and see if your computer is one of those which might be affected on July 9th, you can check via the DNS Changer Working Group website (DCWG).
The FBI also has a look-up form on its own site.
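The proactive check described above boils down to reading which resolvers a machine is configured to use and comparing them against the published list of rogue DNS server ranges. The following is an added example, not code from the article, Sophos, the DCWG or the FBI; it parses resolv.conf-style text and flags resolvers inside a range list. The ranges used are constructed placeholders (TEST-NET blocks), not the real rogue ranges, and the resolv.conf content is a constructed sample.

```python
import ipaddress
import re

# Constructed placeholder ranges standing in for the rogue DNS server
# ranges published by the DCWG (deliberately NOT the real values).
ROGUE_DNS_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),     # placeholder, TEST-NET-1
    ipaddress.ip_network("198.51.100.0/24"),  # placeholder, TEST-NET-2
]

# Constructed sample of an /etc/resolv.conf from a machine whose
# resolvers were rewritten: one flagged address, one legitimate public resolver.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search example.internal
nameserver 192.0.2.53
nameserver 8.8.8.8
options timeout:2
"""

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)")


def parse_nameservers(text):
    """Return the resolver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        m = NAMESERVER_RE.match(line)
        if not m:
            continue
        try:
            servers.append(ipaddress.ip_address(m.group(1)))
        except ValueError:
            # Skip malformed entries rather than abort the whole audit.
            continue
    return servers


def flag_rogue(servers, ranges=ROGUE_DNS_RANGES):
    """Return the subset of resolvers that fall inside a flagged range."""
    return [s for s in servers if any(s in net for net in ranges)]


if __name__ == "__main__":
    found = parse_nameservers(SAMPLE_RESOLV_CONF)
    flagged = flag_rogue(found)
    print("resolvers:", [str(s) for s in found])
    if flagged:
        print("WARNING: resolver(s) in a flagged range:", [str(s) for s in flagged])
    else:
        print("no flagged resolvers")
```

On a real machine, replace the placeholder ranges with the list published by the DCWG and feed in the contents of /etc/resolv.conf (or the DNS entries from ipconfig /all on Windows); the same comparison applies to the DNS servers configured in a home router.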
nothing new about it? Have seen this like a year or more ago already
What's new is that they are now doing it for DNS Changer malware.
You're right to say that they have been doing it for a small number of other security threats, with a somewhat different message. See our report from last year here: http://nakedsecurity.sophos.com/2011/07/21/google…
There is a solution for that problem. Two free services from opendns.com – use their dns servers instead of the one given by your ISP and encrypt all DNS queries with their DNSCrypt.
You raise the concern that malware authors could mimic the Google warning. We thought about that too, which is why the warning only appears on a trusted page, and is positioned above the search results. It appears this was sufficient — you raised the same concern last year, and I am unaware of any malware that imitated that warning.
Hi Damian
Thanks for taking the time to comment – and thanks also for the great work Google is doing in helping with this problem.
I’m not trying to suggest that the risk of cybercriminals mimicking the Google alert is a significant one. But it does exist.
We have, for instance, seen a spate of attacks recently where the bad guys have injected their code (for instance, adverts) into webpages shown by users’ browsers – and it is conceivable that this could happen again.
I don’t mean to suggest that Google shouldn’t be warning users about the risk of not fixing their DNS settings. I agree that’s important.
But as many users will be unfamiliar with what the Google alert looks like, and where it might direct them to, they should at least be warned to be cautious – and be *sure* it’s a Google alert that they are reading rather than something else.
Cheers
What's the point of Google doing this? Isn't the point of DNS Changer to redirect people to fake Google hosts? So the infected people wouldn't see the real Google and its warning anyway.
The FBI took over the rogue DNS servers, meaning that they are no longer up to mischief.
But the FBI can’t keep them running indefinitely for the benefit of those affected users who are pointing to them.
So there is a point in Google adding to the other advisories and warnings that have been issued for these users.
Oh boy.
Props to Google for trying to help out here, but is giving people an unsolicited message that says "Your computer is infected. Click here to fix the problem." really the best way to go about this? I mean, yes, we fix the problem now, but this is the exact same pattern that scareware manufacturers use.
The Google ad does look like scareware to me & I would tend to ignore such warnings that looked like scareware. Since a lot of others would tend to do the same, Google may have wasted their time by putting up an ad that does nothing.
I keep seeing this message on my iPod Touch. How can I get rid of this malware?
If it's on your iPod Touch I would check the DNS settings in the router that your iPod is using.
I don't know why this seems to be such a mess. Just close them down, instead of waiting. Then the people who are infected will know instantly something is wrong and fix it instead of being in the dark because they don't care about their data, or PCs. Why waste more time and money on nothing?
Personally I checked this for the grammar error from the email ("google is warns"), but if Google is able to access this easily from your browser, then what makes you think others are not doing the same thing?
I opened my Google Malaysia and it didn't warn me about anything.
Why should the victims of this exploit have to visit a special web site to determine if they are infected, when the FBI’s proxy has an inherent capacity for {automatic} notification to every infected client whenever they access ANY web page? This just looks like a last-minute attempt to establish plausible deniability for an illegal spying operation before the court requires them to shut it down. It does not make any sense to run this proxy in transparent (stealth) mode unless the goal is to spy on the users. It’s common knowledge that the FBI wants to spy on everyone all of the time, and does so routinely, without regard for due process. How could they resist playing with a massive surveillance system that was practically dropped into their lap?
I don’t believe the FBI is motivated by altruism here… and I don’t think any sensible person would trust that their internet accounts are safe in the hands of a US government agency. So I have to disagree with the assertion that these servers have been “made harmless”. There is no proof, or even a respectable probability. For all you know, your readers' bank passwords could be in the hands of some grasping revenue officer by now--or a rogue agent. Just look at how many TSA employees have been caught stealing from travelers' luggage!