A number of people have emailed me recently with concerns about losing their internet connection this summer when the FBI shuts down the clean DNS servers that were temporarily set up to assist the more than 4 million computer users worldwide affected by malware called DNSChanger. DNS, the Domain Name System, is a critical internet service that resolves host names such as www.google.com to the numerical IP addresses computers actually use to reach a website. Under normal circumstances your computer sends its DNS queries to your internet service provider's DNS servers (or some other legitimate public DNS server). A computer infected with DNSChanger, however, is reconfigured to send its DNS queries to rogue DNS servers run by the criminals, which can answer with whatever address they choose and so steer your browser to any site they wish. Affected users could be directed to fake versions of legitimate websites, to advertising sites promoting products, or to malware sites that further infect their computer, to name just a few possibilities.
Back on November 8, 2011, the FBI, NASA-OIG and the Estonian police arrested several cyber criminals involved in deploying this malware, concluding a two-year investigation called "Operation Ghost Click". The rogue DNS servers were taken down, and the FBI obtained a court order authorizing the Internet Systems Consortium (ISC) to run temporary clean DNS servers at the same addresses, so that victims of DNSChanger would keep resolving names and would not lose their internet connection. March 8, 2012 was the date originally set to shut down these temporary servers; however, a federal judge granted an extension and moved the shutdown date to July 9, 2012.
Unfortunately, many users of infected systems still have not taken the steps necessary to remove the malware, and they will lose internet connectivity when the temporary DNS servers are shut down. What can someone do about this? The first step is to find out whether the DNSChanger malware is affecting your machine. A simple way to find out is to visit the DNS Changer Check-Up website at http://dns-ok.us. This site checks whether your computer is looking up IP addresses through the clean servers or through a legitimate resolver. If you see a green background you should be OK; if you see a red background, your computer's DNS queries are going to the DNSChanger servers. Two caveats: the check only observes where your queries are going at that moment, and DNSChanger also rewrote the DNS settings of many home and small-office routers, so a freshly cleaned computer behind an infected router will still be affected. It is worth also looking at the DNS server addresses configured on your computer and on your router and comparing them with the rogue address ranges published by the FBI. In the event of an infection, visit the DNSChanger Working Group (DCWG) website for instructions and a list of tools at http://www.dcwg.org/fix/. Or, of course, you can call me and set up an appointment to disinfect your computer.
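As an added, offline way to perform the DNS-settings check described above (this is example code written for this post, not a tool from the FBI or the DCWG), the following Python script compares the resolver addresses found in a system's DNS configuration against the six rogue address ranges the FBI published for DNSChanger. It parses either Unix-style /etc/resolv.conf "nameserver" lines or the "DNS Servers" section of Windows "ipconfig /all" output; the sample configurations embedded in it are constructed for illustration and are not real captures. It also flags private addresses, because a computer that points at its router for DNS inherits whatever upstream resolver the router has been configured with, and DNSChanger changed router settings too.

```python
import ipaddress
import os
import re
from typing import Dict, List

# Rogue DNS server ranges published by the FBI in its DNSChanger guidance,
# written here in CIDR form (e.g. 85.255.112.0-85.255.127.255 -> 85.255.112.0/20).
ROGUE_DNS_RANGES = [
    ipaddress.ip_network(cidr)
    for cidr in (
        "85.255.112.0/20",
        "67.210.0.0/20",
        "93.188.160.0/21",
        "77.67.83.0/24",
        "213.109.64.0/20",
        "64.28.176.0/20",
    )
]

_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def is_rogue_dns(address: str) -> bool:
    """True if the address falls inside one of the known DNSChanger ranges."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return any(ip in net for net in ROGUE_DNS_RANGES)


def extract_dns_servers(config_text: str) -> List[str]:
    """Pull IPv4 resolver addresses out of resolv.conf or 'ipconfig /all' text.

    In ipconfig output, additional DNS servers appear on continuation lines
    indented under the 'DNS Servers' line with no label or colon of their own.
    """
    servers: List[str] = []
    in_dns_block = False
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            in_dns_block = False
            continue
        if stripped.startswith("nameserver") or "DNS Servers" in stripped:
            in_dns_block = "DNS Servers" in stripped
            candidates = _IPV4.findall(stripped)
        elif in_dns_block and line.startswith(" ") and ":" not in stripped:
            candidates = _IPV4.findall(stripped)  # continuation line
        else:
            in_dns_block = False
            candidates = []
        for cand in candidates:
            try:
                ipaddress.ip_address(cand)  # drop regex hits like 999.1.1.1
            except ValueError:
                continue
            servers.append(cand)
    return servers


def check_dns_config(config_text: str) -> Dict[str, List[str]]:
    """Classify every configured resolver as rogue, private (router), or other."""
    servers = extract_dns_servers(config_text)
    rogue = [s for s in servers if is_rogue_dns(s)]
    private = [s for s in servers if ipaddress.ip_address(s).is_private]
    return {"servers": servers, "rogue": rogue, "private": private}


# Constructed sample inputs (not real captures) for demonstration and testing.
SAMPLE_RESOLV_CONF = """\
# constructed: a Linux/macOS host whose resolver was rewritten by DNSChanger
nameserver 85.255.112.36
nameserver 85.255.112.37
"""

SAMPLE_IPCONFIG_INFECTED = """\
Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.10
   DNS Servers . . . . . . . . . . . : 85.255.112.36
                                       85.255.112.37
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

SAMPLE_IPCONFIG_ROUTER = """\
Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.10
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


if __name__ == "__main__":
    # On a Unix host, inspect the live resolver file; otherwise use the samples.
    if os.path.exists("/etc/resolv.conf"):
        with open("/etc/resolv.conf") as fh:
            configs = {"/etc/resolv.conf": fh.read()}
    else:
        configs = {"sample resolv.conf": SAMPLE_RESOLV_CONF,
                   "sample ipconfig": SAMPLE_IPCONFIG_ROUTER}
    for name, text in configs.items():
        result = check_dns_config(text)
        print(name, result)
        if result["rogue"]:
            print("  WARNING: resolver in a known DNSChanger range")
        if result["private"]:
            print("  NOTE: resolver is a local address; check the router's DNS settings too")
```

On Windows, feed the script the output of `ipconfig /all`; on a Mac or Linux box it reads /etc/resolv.conf directly. A private address such as 192.168.1.1 is not a verdict either way: it means the router is doing the resolving, so its own DNS settings are what need to be checked against the same ranges.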
For further reading, check out:
FBI News Release: http://www.fbi.gov/news/stories/2011/november/malware_110911
DNSChanger Working Group (DCWG): http://www.dcwg.org/