Update on the DNS Changer malware
Contributed by: Email on 07/09/2012 02:48 PM
Early Monday morning, as previously announced, the FBI turned off the DNS server that had been handling the requests from machines compromised by DNSChanger. Around 13,800 users with unique UK IP addresses had still been accessing the server, according to an anonymously published excerpt from the logfiles; the excerpt appears to be accurate up to last Saturday. On that day there were still requests coming from some 250,000 different IP addresses in total.
It can be assumed that little has changed since the numbers were gathered. In the first six months after the DNSChanger botnets were taken down, around a third of the originally affected systems were disinfected. In Germany, users were warned by their internet providers that they were infected, while globally, Google has been displaying a warning to users it detected as infected.
If a user finds that they have apparently been suddenly disconnected from the internet, the easiest way to recover is to set the affected system to use Google's DNS service on 8.8.8.8. According to F-Secure, DNSChanger was able to modify DNS settings on Windows and Mac OS X computers and on D-Link, LinkSys, A-Link, Netgear, ASUS and SMC routers.
The DNSChanger trojan operated until the end of 2011, manipulating victims' DNS settings so that their systems sent DNS requests to the scammers' DNS servers. The malicious DNS server would then redirect the victims to fake sites with the aim of stealing personal information, getting the users to click on ads, or selling bogus anti-virus software. When the FBI closed down the scam network in Operation Ghost Click, it left in place a DNS server that gave correct answers to DNS queries. It is that server that was shut down today.
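The two preceding paragraphs describe both the symptom (a machine whose resolver settings point at a server that no longer answers) and the fix (pointing the resolver at 8.8.8.8). The following script is an added example, not part of the original article or of any tool mentioned in it: it parses a resolver configuration in resolv.conf syntax and classifies each nameserver as trusted, local, rogue or unknown. The rogue range used here (198.51.100.0/24, a documentation range) is a placeholder; the article does not list the DNSChanger server addresses, and a defender would substitute the ranges published by the FBI for the takedown. The sample configuration is constructed for the example.

```python
import ipaddress

# Constructed sample of a resolver configuration in resolv.conf syntax.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP client
search example.internal
nameserver 8.8.8.8
nameserver 198.51.100.17   # placeholder address inside the "rogue" range below
nameserver 192.168.1.1
"""

# PLACEHOLDER: the article gives no addresses for the DNSChanger resolvers.
# Substitute the ranges the FBI published for the takedown; TEST-NET-2 is used
# here only so the example runs offline and matches nothing real.
PLACEHOLDER_ROGUE_RANGES = ["198.51.100.0/24"]

# The public resolver the article recommends as the recovery setting, plus its
# secondary address.
TRUSTED_RESOLVERS = {"8.8.8.8", "8.8.4.4"}


def parse_nameservers(text):
    """Return the IP addresses from 'nameserver' lines, ignoring comments
    and malformed entries."""
    ips = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                ips.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue                          # not an IP address; skip it
    return ips


def classify(ip, rogue_ranges, trusted):
    """Classify one resolver address. Rogue ranges win over everything else."""
    if any(ip in ipaddress.ip_network(r) for r in rogue_ranges):
        return "ROGUE"
    if str(ip) in trusted:
        return "TRUSTED"
    if ip.is_private or ip.is_loopback:
        # Typically the home router. Because the trojan also rewrote router
        # settings, a LOCAL hit means the router's own upstream DNS still needs
        # to be checked.
        return "LOCAL"
    return "UNKNOWN"


def audit_resolvers(text, rogue_ranges=PLACEHOLDER_ROGUE_RANGES,
                    trusted=TRUSTED_RESOLVERS):
    """Return [(address, verdict), ...] for every nameserver in the config."""
    return [(str(ip), classify(ip, rogue_ranges, trusted))
            for ip in parse_nameservers(text)]


if __name__ == "__main__":
    for address, verdict in audit_resolvers(SAMPLE_RESOLV_CONF):
        print(f"{address:<16} {verdict}")
```

To check a real host, read `/etc/resolv.conf` (or the equivalent output of the platform's network configuration tool) into `audit_resolvers` in place of the constructed sample. An `UNKNOWN` verdict is not by itself evidence of infection, since many ISPs run their own resolvers; it is the `ROGUE` verdict, against a real rogue list, that confirms the problem the article describes, and a `LOCAL` verdict only moves the question to the router.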