On July 9th, 2012, systems still infected with the DNSChanger malware (also written "DNS Changer") will no longer be able to access the Internet.
In November 2011 the FBI arrested members of an Estonian group called "Rove Digital" who had been distributing DNS-changing malware since 2007. The malware changes the DNS settings of infected computers (and of many home and small-office routers, using their default passwords) to point at Rove's rogue DNS servers.
Those rogue servers returned false answers that altered search results and/or sent people to malicious or advertising sites the gang was paid for. Before being taken down, Rove had defrauded consumers and advertisers out of an estimated $14 million.
After the arrests, under a court order, the Internet Systems Consortium (ISC) installed "clean" DNS servers at the same addresses the rogue ones had used, so that infected machines kept working while people were warned. On July 9th, 2012 (the deadline was already extended once, from March 8th) these "clean" servers will be taken off-line. Any machine that is still infected will lose Internet access on that date.
To understand why Internet access will be lost, one must first understand a little about how DNS works.
What is DNS?
DNS, the Domain Name System, is like a phonebook for the Internet. Your computer doesn't really know what www.google.com is. It knows the site by its IP address, and IP addresses are hard for people to remember. To make things easier a distributed database is kept that matches domain names with IP addresses. When you type a domain name into your browser (http://www.plentech.com/) your computer asks a DNS server to return the IP address. The DNS server replies with the address, and only then can your computer connect to the site you want to visit. Which DNS server your computer asks is just a setting, normally handed out by your router or your ISP, and whoever controls that setting controls every answer you get. That is exactly what DNSChanger changes.
Domain Name >> IP Address
www.google.com >> 192.0.2.10
www.microsoft.com >> 198.51.100.20
www.amazon.com >> 203.0.113.30
(The addresses above are illustrative placeholders from the reserved documentation ranges; the real addresses change over time and vary by region.)
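To make the "phonebook" concrete, the following added example (not code from the original article) builds the query your computer sends for www.google.com and parses the reply a server sends back, all in memory with nothing sent over the network. The reply bytes are constructed in the script, and 192.0.2.10 and 203.0.113.7 are reserved documentation addresses standing in for an honest answer and a rogue one. The point it shows is that the answer is whatever the server you asked chooses to say.

```python
"""What a DNS lookup actually exchanges: the query your computer sends and
the answer a server returns.  Added example, not code from the original
article.  The response bytes are constructed here (nothing is sent on the
network); 192.0.2.10 / 203.0.113.7 are RFC 5737 documentation addresses."""
import struct


def encode_name(name: str) -> bytes:
    """'www.google.com' -> b'\\x03www\\x06google\\x03com\\x00' (RFC 1035 labels)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """A standard query (QR=0, RD=1) for an A record in class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def decode_name(msg: bytes, offset: int):
    """Read a name at `offset`; returns (name, offset just past it).
    Follows RFC 1035 compression pointers (0xC0xx); the end offset is taken
    from the position of the first pointer, as the standard requires."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:              # compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_response(msg: bytes) -> dict:
    """Return the transaction id, the question name and every A record in
    the answer section as (name, ttl, dotted-quad)."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    offset, qname = 12, None
    for _ in range(qdcount):
        qname, offset = decode_name(msg, offset)
        offset += 4                             # skip QTYPE, QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:      # A record, class IN
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return {"id": txid, "question": qname, "answers": answers}


def build_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed server reply: copies the id and question from `query`
    and adds one A record for whatever `ip` the server chooses to say."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    question = query[12:]
    answer = (struct.pack("!H", 0xC00C)         # pointer to the name at offset 12
              + struct.pack("!HHIH", 1, 1, ttl, 4)
              + bytes(int(octet) for octet in ip.split(".")))
    return header + question + answer


if __name__ == "__main__":
    query = build_query("www.google.com")
    honest = parse_response(build_response(query, "192.0.2.10"))
    rogue = parse_response(build_response(query, "203.0.113.7"))
    print("honest server says:", honest["answers"])
    print("rogue server says: ", rogue["answers"])
```

Both replies are well-formed and carry the same transaction id and question; nothing in the message itself tells your computer which answer is true. That is why pointing a machine at a rogue server is enough to redirect every site it visits.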
Good news! Even if your computer is infected, the rogue DNS servers have been taken down, so right now you are not being directed to malicious sites. The malware itself is still on your machine, though, and if it changed your router's DNS settings every device on your network is affected, not just the infected computer.
Will you lose Internet access?
If your computer is still infected on July 9th, the answer is YES. Why?
Because DNSChanger rewrote your computer's DNS settings so that every DNS query goes to the addresses of the rogue servers. Those servers have been replaced with clean ones at the same addresses, but on July 9th the clean servers are going to be taken off-line. When that happens your infected machine's queries will simply go unanswered, because there will be nothing left at those addresses to reply.
When you type in a domain name your browser will report that it can't find the site. That means you won't be able to find your online banking website, won't be able to log in to your trading account and won't be able to access your email. Anything your computer has already cached may keep working for a short while, and a site can still be reached by its bare IP address, which is why the problem can look intermittent at first.
Your computer will be on the information super-highway (old school term, I know) but there won’t be any road signs.
What can you do?
Start by visiting the DNS Changer Working Group website (http://www.dcwg.org/) to check whether your machine is infected. Their site has a very simple, free test that tells you in seconds; it works by seeing which DNS server answers your query, so run it from the affected computer on its usual network. They also have links to more information about this malware and to methods of removal and prevention.
If your computer is infected it needs to be cleaned before July 9th. Because DNSChanger usually arrives together with a rootkit (the TDSS/Alureon family), a simple scan of your system will likely not be able to remove it. Kaspersky Lab's TDSSKiller, a free rootkit removal tool, is capable of removing it. After cleaning, open your computer's network settings and put the DNS servers back to your ISP's or router's addresses (or to "obtain automatically"), since removal tools do not always undo the change. Check your router's DNS settings as well, because the malware also changed those on routers that still had the factory password, and change that password while you are there.
Also, many ISPs are offering help with removing the malware, so check with your Internet provider to see what they can do.
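For an IT department that wants to check many machines rather than click through a web test one at a time, here is an added example (not code from the article or from the DNS Changer Working Group) that reads the output of `ipconfig /all` on Windows and flags any DNS server that falls inside the address ranges the FBI published for the Rove Digital servers. This is the same check behind the "every query goes to the rogue addresses" explanation above. The ranges are the FBI's published ones and should be verified against the FBI or DCWG pages before you rely on them; the `ipconfig` text in the script is constructed for the example, not captured from a real machine.

```python
"""Check a Windows machine's DNS settings for the DNSChanger rogue ranges.
Added example, not code from the article or from the DNS Changer Working
Group.  The ranges are the ones the FBI published for the Rove Digital
servers (verify them against the FBI/DCWG pages before relying on them);
the ipconfig output below is constructed for the example, not captured."""
import ipaddress
import re

# FBI-published address ranges of the rogue DNS servers, in CIDR form.
ROGUE_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "85.255.112.0/20",    # 85.255.112.0  - 85.255.127.255
    "67.210.0.0/20",      # 67.210.0.0    - 67.210.15.255
    "93.188.160.0/21",    # 93.188.160.0  - 93.188.167.255
    "77.67.83.0/24",      # 77.67.83.0    - 77.67.83.255
    "213.109.64.0/20",    # 213.109.64.0  - 213.109.79.255
    "64.28.176.0/20",     # 64.28.176.0   - 64.28.191.255
)]

# "Key . . . . : value" lines in `ipconfig /all`.  The dot leader is required
# so that a bare IPv6 address on a continuation line is not taken for a key.
KEY_LINE = re.compile(r"^\s*([A-Za-z][^:]*?)(?:\s*\.)+\s*:\s*(.*)$")


def rogue_range_for(server: str):
    """The rogue network containing `server`, or None if it is not in one."""
    addr = ipaddress.ip_address(server)
    return next((net for net in ROGUE_RANGES if addr in net), None)


def dns_servers_from_ipconfig(text: str) -> list:
    """Collect the DNS server addresses from `ipconfig /all` output.
    Extra servers appear on indented continuation lines under the key."""
    servers, collecting = [], False
    for line in text.splitlines():
        if not line.strip():                    # blank line ends an adapter block
            collecting = False
            continue
        match = KEY_LINE.match(line)
        if match:
            collecting = match.group(1).strip().startswith("DNS Servers")
            candidate = match.group(2).strip()
        elif collecting:
            candidate = line.strip()
        else:
            continue
        if collecting and candidate:
            try:
                servers.append(str(ipaddress.ip_address(candidate)))
            except ValueError:                  # not an address; ignore it
                pass
    return servers


def audit(text: str) -> list:
    """(server, rogue range as text or None) for every DNS server found."""
    report = []
    for server in dns_servers_from_ipconfig(text):
        net = rogue_range_for(server)
        report.append((server, str(net) if net else None))
    return report


# Constructed `ipconfig /all` excerpt for an infected machine.
INFECTED = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : OFFICE-PC

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.net
   IPv4 Address. . . . . . . . . . . : 192.168.1.20(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.36
                                       85.255.112.37
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# The same machine after cleanup: DNS handed back to the router.
CLEAN = re.sub(r"\n\s+85\.255\.112\.37", "", INFECTED).replace(
    "85.255.112.36", "192.168.1.1")

if __name__ == "__main__":
    for label, text in (("infected", INFECTED), ("clean", CLEAN)):
        for server, net in audit(text):
            print(f"{label}: {server} -> {'ROGUE ' + net if net else 'ok'}")
```

On a real machine, save `ipconfig /all > dns.txt` and feed the file to `audit`. Run the same check against the DNS servers listed on your router's status page: a clean PC behind a router that still points at one of these ranges will fail on July 9th just the same.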
If you need assistance or further information contact your IT department, IT service company or Plenary Technology at 866-753-6279.
David Mitchell is the President of Plenary Technology. His career began with IBM in the 1980s as a Field Engineer. In the mid-1990s he started work as an independent IT consultant and more recently founded Plenary Technology, an IT services company that helps small businesses all over New Jersey save money by minimizing downtime.
When not working odds are he can be found in the woods of Sussex County romping around with his dog, Maggie.
He can be reached at 866-753-6279 x201 or via email.