On Monday around 300,000 internet users will be cut off from the internet as the servers used by the DNSChanger botnet are disconnected.
This story is already causing some concern on social networks and in the news, and I thought it was appropriate to address this issue and hopefully give some clarity on the scope of the issue.
The story effectively 'began' last November when the FBI launched 'Operation Ghost Click', which brought down the DNSChanger botnet. It was given that name because of the way the attackers changed Domain Name System (DNS) settings: infected users were directed to rogue pages or prevented from visiting certain websites.
The owners were arrested and since then the servers for DNSChanger have been under the control of the FBI, but, as I learned from this very interesting Sophos video, they have been funded by US taxpayers ever since. The FBI's control of the servers therefore expires on Monday 9th July. According to the DNSChanger Working Group (DCWG), the Internet Systems Consortium has been operating replacement DNS servers for the Rove Digital network to give affected networks time to identify infected hosts.
However, after this date infected computers will not be able to use the web: they are effectively cut off, because their IP addresses have been identified as compromised.
According to security firm IID, as infected computers and routers will have no servers directing their DNS requests after Monday, the internet may literally go dark for people using those computers or routers.
Luis Corrons, technical director of PandaLabs, told SC Magazine that come Monday, all of the users with computers/routers which have been configured by the malware will not be able to get to any website unless they type the IP address in the address field of their browsers.
“When we are surfing the internet, our computer has to ask a DNS the real address of the website we have typed, which for humans is much more convenient to remember www.scmagazineuk.com than the IP address (which at the end of the day is what we should type in order to avoid using these DNS),” he said.
“Technically their internet connection will be working, but for them it is like the connection is down. What makes this even worse is that a number of those users are not infected anymore; the malware was removed a long time ago, but the configuration is the one modified by the malware.”
As for the size of the botnet, statistics from the DCWG put it at over 500,000 computers at one point, and as of June 11th there were around 300,000+ unique IP addresses connecting to the DNS servers. The DCWG also said that there are 19,589 infected users in the UK and 69,517 in the US.
According to IID's ActiveKnowledge Signals system and other data, at least 58 Fortune 500 companies and two 55 major government entities have at least one computer or router that has been infected.
Speaking to SC Magazine, James Lyne, director of technology strategy at Sophos, said that the interesting thing about this is that it is cross-platform, affecting all desktop users and some mobile users too.
He said: “It changes settings for a redirect and pushes users to a site to download malware from. You can see how this will hit mobile devices, as there are ways of configuring DNS for the iPhone.
“What is also interesting is that this shows how important DNS is. DNSChanger is not opening or downloading things; it is intercepting and redirecting users, and this is a common thing that hackers will use.”
So that was the threat and the botnet, but with only a weekend ahead of potential darkness on the 9th July, is it a case of picking up the pitchforks and panicking on the streets of Dublin, Dundee, Humberside?
If you are infected, again there is no need to panic. You (or an ISP) can manually change your DNS settings and once corrected, you are back in the room. There is a useful FBI guide here, issued in the wake of the Ghost Click operation. The DCWG also offers tools to help you clean your computer up.
If you wish, you can also manually check your DNS settings against the IP address ranges used by DNSChanger; if your configured DNS server falls in one of these ranges, it is time to change it:
220.127.116.11 – 18.104.22.168
22.214.171.124 – 126.96.36.199
188.8.131.52 – 184.108.40.206
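As an added example (not code from the article, the DCWG or the FBI), a small Python check that parses a resolver configuration and flags any nameserver that falls inside a list of "first – last" address ranges. The range table and the resolver file are constructed placeholders using RFC 5737 documentation addresses; substitute the ranges published by the DCWG or FBI, and on Windows feed it the "DNS Servers" entries from `ipconfig /all`.

```python
import ipaddress

# CONSTRUCTED PLACEHOLDER ranges (RFC 5737 documentation addresses).
# Replace with the ranges published by the DCWG/FBI before real use.
DNSCHANGER_RANGES = """\
192.0.2.0 – 192.0.2.255
198.51.100.0 - 198.51.100.127
203.0.113.64 - 203.0.113.127
"""

# Constructed sample of a Linux /etc/resolv.conf; the first nameserver
# deliberately sits inside the placeholder ranges above.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search example.test
nameserver 192.0.2.45
nameserver 8.8.8.8
"""

def parse_ranges(text):
    """Turn 'first - last' (or 'first – last') lines into address pairs."""
    ranges = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        first, last = (ipaddress.IPv4Address(p.strip())
                       for p in line.replace("–", "-").split("-"))
        if first > last:  # a range printed backwards is a data error, not a hit
            raise ValueError(f"inverted range: {line!r}")
        ranges.append((first, last))
    return ranges

def parse_resolvers(text):
    """Extract nameserver addresses from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(ipaddress.ip_address(parts[1]))
    return servers

def flag_resolvers(resolvers, ranges):
    """Return the configured resolvers that fall inside any rogue range."""
    return [str(r) for r in resolvers
            if r.version == 4 and any(lo <= r <= hi for lo, hi in ranges)]

def check_config(resolv_text=SAMPLE_RESOLV_CONF, range_text=DNSCHANGER_RANGES):
    """Convenience wrapper: parse both inputs and report rogue resolvers."""
    return flag_resolvers(parse_resolvers(resolv_text), parse_ranges(range_text))
```

A non-empty result means the machine (or the router handing out that address via DHCP) still carries the rogue configuration, even if the malware itself was removed long ago.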
Dan Brown, director of security research at Bit9, said: “Consumers and corporations that follow good security hygiene aren't affected by this malware. Corporations should make sure that their IT departments are aware of this threat and take appropriate actions for their environments.
“In addition, corporations should also consider the use of application control technology, which often succeeds where traditional anti-virus fails in preventing novel malware such as DNSChanger.”
Lyne told me that the impact of this is not like that of the Conficker worm of 2008, and that this is simply a case of reconfiguring settings to get over the problem.
The fear of being without the internet is probably a major one for many people. I personally would not be able to work, you would not be able to read this, and the various systems around the world that rely so heavily on the internet would have a major problem.
This is easily solved, so let's just hope that we don't arrive on Monday to find the lights out.