APN News

  • March 8, 2012: The impending Internet Doomsday effect on India

    Published on March 5, 2012

    Hyderabad: Come March 8, 2012, the Internet will be forcibly shut down for millions around the world! This comes as a consequence of a virus that grew so big that it infected millions of computers and is still looming large!

    The case goes back to 2007, when six Estonian men got together to create a botnet to spread DNSChanger malware that tapped into fraudulent servers, directing Web users to unintended – and sometimes illegal – sites. As a part of Operation Ghost Click, the FBI took control of the botnet’s command and control servers in November 2011 and replaced the rogue servers with temporary legitimate servers that were allowed to run for only 120 days – a deadline that is fast running out.

    The propagation of DNSChanger was no different from that of other malware. The malware authors learned early that by controlling a user’s DNS servers, they could control and interfere with the user’s Internet browsing habits. This was carried out by manipulating online ads through clickjacking. The victims were unaware that their PCs had been compromised – or that the malware left their PCs defenseless against a swarm of other viruses.

    To understand how DNSChanger works, it helps to explore what DNS means and who the stakeholders are. The Domain Name System (DNS) is an Internet service that converts domain names into the numerical Internet Protocol (IP) addresses that allow computers to communicate with each other. When you enter a domain name, for example www.india.gov.in, in the address bar of your browser, your computer contacts DNS servers to determine the IP address for the website. This IP address is used to locate and connect to that website. DNS servers are operated by your ISP (Internet Service Provider) and are included in your PC’s network configuration.

    DNSChanger belongs to a class of malware that works in one of the two ways described below:

    1. It alters the user’s DNS server settings to replace the ISP’s good DNS servers with rogue DNS servers operated by the criminals.
    2. It targets Internet devices like routers or home gateways. If the device still has its factory-set password, which is usually easy to break, the chances are high that the malware can infect the system or network by changing the DNS settings inside the router as well.

    The malware also prevents your PC from obtaining operating system and anti-malware updates – both crucial for protecting your PC from cyber threats. This widens the possibility of more malware attacks.

    When the FBI cracked down on this botnet, approximately 4 million PCs in more than 100 countries had been compromised. The criminals had managed to mint $14 million in illicit fees! The replacement servers provided by the FBI were not meant to remove the malware, or other nefarious viruses that it may have aided, from infected computers. Their sole purpose was to ensure that users do not lose DNS services.

    Over half of Fortune 500 companies and 27 out of 55 government entities have at least one PC or router still infected with DNSChanger, which translates to about 500,000 live infections! Our malware team has reported over 70 variants of the DNSChanger malware and thousands of positive cases in India alone.

    Before the panic attack sets in, it is wise to understand the ways in which you can deal with this issue. First, the DNSChanger malware must be removed from the system/s. One should take a back-up of all important data and then remove the malware using good Antivirus software.

    After this has been carried out, the DNS settings on all affected devices must be set to their correct values. You can seek assistance from your ISP for the accurate DNS settings to be used.

    If a network has been affected, then the DNS settings of all PCs on that LAN should be rectified. There are no sure fixes to the malware. There are several tools available that will allow you to change the DNS settings, but the rogue entries still remain in the router. To restore the settings in the router you would have to either consult your product manuals or contact the manufacturer.
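
As an added example (not from the original article or from Quick Heal): a Python check that parses `ipconfig /all` output after clean-up and labels every configured DNS server, including the case where the PC simply points at the router. The rogue ranges and the ISP resolver address are placeholder documentation addresses, and the sample output is constructed.

```python
import ipaddress
import re

# Placeholder rogue ranges (RFC 5737 documentation blocks), NOT the real
# DNSChanger ranges; substitute the list published for the takedown.
ROGUE_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

# Constructed sample of `ipconfig /all` output from a cleaned but unrepaired PC.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   Default Gateway . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 192.0.2.53
                                       198.51.100.7
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

def dns_servers(ipconfig_text):
    """Return every DNS server listed, including indented continuation lines."""
    servers, in_dns = [], False
    for line in ipconfig_text.splitlines():
        first = re.match(r"\s+DNS Servers[ .]*:\s*(\S+)", line)
        if first:
            servers.append(first.group(1))
            in_dns = True
        elif in_dns and re.fullmatch(r"\s+[0-9A-Fa-f:.%]+", line):
            servers.append(line.strip())   # second, third... resolver
        else:
            in_dns = False
    return servers

def classify(server, isp_resolvers):
    """Label one resolver: rogue, ok, check-router or unknown."""
    ip = ipaddress.ip_address(server.split("%")[0])  # drop IPv6 zone id
    if any(ip in net for net in ROGUE_NETS):
        return "rogue"          # still pointing at the criminals' ranges
    if str(ip) in isp_resolvers:
        return "ok"             # matches what the ISP told you to use
    if ip.is_private or ip.is_link_local:
        return "check-router"   # PC defers to the router; inspect its DNS
    return "unknown"            # confirm with the ISP before trusting it

def audit(ipconfig_text, isp_resolvers):
    return {s: classify(s, isp_resolvers) for s in dns_servers(ipconfig_text)}
```

Calling `audit(SAMPLE_IPCONFIG, {"203.0.113.10"})` returns one verdict per resolver; a `check-router` verdict means the PC's own settings cannot confirm a clean state and the router's DNS entries have to be inspected.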

    Quick Heal has a dedicated page for the DNS issue. In case you want to find out if your PC is affected, please visit http://www.quickheal.com/chkdns/

    Answers to some queries based on DNSChanger malware:

    Q. What is DNSChanger?

    A. DNSChanger is a Trojan malware which was first discovered in the year 2007. This Trojan has infected millions of computers since then. The modus operandi of the DNSChanger Trojan is to infect your system and then change the Domain Name Server entries of the computer to point to rogue DNS servers. Once the DNS settings are changed, every time the user surfs the Internet on the infected PC the requests go to the rogue DNS servers, where the virus writer has control to inject content or redirect your browser to fake, phishing or illegitimate websites.

    Q. What is Domain Name System (DNS)?

    A. Domain Name System (DNS) is an Internet-based service that resolves a website address to its IP address. When we type a website address in the browser's address bar, the browser uses the DNS service to find the IP address of the web server for that address. Once it receives the IP address, it connects to that server using that IP address. Usually the DNS entries in a computer are configured based on which Internet Service Provider you use to connect to the Internet. For example, if you have a BSNL Internet connection, you will be given DNS entries by BSNL that point to its DNS servers.

    Q. What is going to happen on 8th of March?

    A. The DNSChanger Trojan, which had been spreading since 2007, was traced to a cyber criminal gang in Estonia. This gang hosted its own rogue DNS servers and operated them to serve infected users with new malware and phishing websites. The gang was traced and arrested by the FBI in an operation conducted in November 2011. The FBI took control of the rogue DNS servers and replaced them with clean temporary DNS servers so that infected users would no longer be taken to fake websites. Since the FBI cannot keep the new DNS servers under its control for long, as it is illegal and out of their service bounds, they were given a deadline of 4 months to switch off the temporary DNS servers. The 4 months were given so that the infected computers, which number in the millions across the globe, have time to be cleaned of the virus and have their original DNS entries restored. This deadline, 8th of March, is fast approaching, so it is very important that we reach out to all infected or affected users to get their systems cleaned and their DNS entries restored. Otherwise, once these servers are shut down, all those users who were infected or at any time faced this virus problem will no longer be able to connect to the Internet.

    Q. If I have the latest up-to-date anti-virus software installed on my system, will I still be affected on 8th of March?

    A. All those users who had faced this DNSChanger virus problem will be affected. Even if you have removed the DNSChanger Trojan using an up-to-date anti-virus, you will still be affected on 8th of March. This is because anti-virus programs only remove the DNSChanger malware if found; they do not restore the DNS entries of your system. Anti-virus programs do not restore the DNS entries because those entries depend on which ISP's Internet service the user is using. Since these entries are different for different ISPs, it is not possible for an anti-virus to restore the DNS entries automatically.

    Q. How can I come to know if my PC is affected by this virus?

    A. Quick Heal Technologies, India’s leading antivirus software, has provided a free service where users can visit the link below and check if their PC is affected by DNSChanger Trojan rogue DNS entries.

    http://www.quickheal.com/chkdns

    The page checks whether your PC has rogue DNS entries; if they are present, it will inform you accordingly and provide simple steps on how to clean the rogue DNS entries.

    Q. Does this malware affect any platform other than Windows, like Macs or mobile phones?

    A. The DNSChanger Trojan infects only Windows-based PCs; however, this malware is able to change the DNS entries in your router. If you are using a router and have not changed its default (factory-set) password, the Trojan is able to log in to the router using the default user name and password and change the DNS entries inside your router to rogue DNS servers as well. In this case you will have to restore the DNS entries inside the router as well. If you are using devices on other platforms, like a MacBook or a mobile device, to connect to the Internet through this router, you will not be able to access the Internet on these devices either after the 8th of March.


    1 Response for “ March 8, 2012: The impending Internet Doomsday effect on India ”

    • survival-foods.com says:

      Spot on with this write-up, I truly believe this amazing site needs much
      more attention. I’ll probably be back again to read through more, thanks for the info!
