Important information regarding DNSChanger malware – SSO-AL2012-010

21 March 2012

Software and platform affected

Windows (all versions)
Mac OS X (all versions)

What is the problem?

Malware which alters a computer’s DNS (Domain Name System) settings, known as “DNSChanger” malware, has been in circulation for some time. DNS is an Internet service which translates user-friendly domain names (e.g. ssoalertservice.net.au) into the numerical Internet Protocol (IP) addresses (e.g. 203.15.34.230) which are used by computers to communicate with each other. By infecting a victim’s computer with this type of malware, criminals are able to alter the DNS settings on a user’s computer. By controlling the DNS settings on victim’s computer, criminals force the infected computers to communicate with “bad” or “rogue” DNS servers, rather than legitimate “good” DNS servers. The criminals can then use these “bad” or “rogue” DNS servers to redirect the unsuspecting users to fraudulent websites or interfere with a user’s web browsing. For example, if a user’s computer is infected with the DNSChanger malware, a! nd the user enters “google.com” in their web browser, rather than take the user to the legitimate “google.com” website, they would be taken to a fraudulent website instead.

In November 2011, the FBI uncovered a network of rogue DNS servers and took steps to disable them. However, by disabling the rogue DNS network, victims who are infected by the DNSChanger malware could lose access to DNS services entirely. To address this issue, the FBI developed a private-sector, non-government entity to operate and maintain clean DNS servers for the infected victims for a temporary period. As of July 9th 2012 the FBI will no longer be operating this service; computers that are infected with the DNSChanger malware could lose access to DNS services, preventing access to the Internet, including access to legitimate websites.

What we recommend you do

The Australian Government has created a diagnostic website which will, in most cases, confirm whether or not a user’s computer is infected with DNSChanger malware: Australian Government DNSChanger Diagnostic

The FBI has provided a PDF document with detailed instructions (including screenshots) to manually check the DNS settings on both Windows and Mac OS X based computers: FBI DNSChanger Malware Document

As a minimum step, we recommend that you click on the Australian Government’s diagnostic website and see whether it displays a green box with the words, “You do not appear to be affected by DNSChanger”.

Then, if you want to be more certain that this diagnosis is correct, it is also recommended that you follow the detailed instructions in the FBI’s PDF document to help to determine whether your computer is infected with DNSChanger. You should also perform a thorough virus-scan of your computer using an up-to-date virus scanner to ensure that it is not infected with the DNSChanger malware.

If you do find that have been infected with the DNSChanger malware, you should seek professional assistance to ensure that the malware is removed successfully.

Additionally, this factsheet contains instructions to help detect and remove malware:

Factsheet 11, Parts 1-3, You suspect your computer is infected with malicious software – what should I do?

Where you can find more information

The Australian Government has also provided some additional information regarding the DNSChanger Malware here: DNSChanger Information

The FBI has also provided further information regarding internet fraud associated with the DNSChanger Malware here: Manhattan U.S. Attorney Charges Seven Individuals for Engineering Sophisticated Internet Fraud Scheme That Infected Millions of Computers Worldwide and Manipulated Internet Advertising Business

 

Disclaimer

This Alert has been prepared by AusCERT for the Department of Broadband, Communications and the Digital Economy.

The information is intended for use by home users and small to medium sized businesses and is general information only and not intended as advice and was accurate and up to date at the time of publishing. The material and information in this Alert is not adapted to any particular person’s circumstances and therefore cannot be relied upon to be of assistance in any particular case. In any important matter, you should seek professional advice relevant to your own circumstances.

The Commonwealth, AusCERT, and all other persons associated with this Alert accept no responsibility or liability for information either included or referred to in the Alert. No responsibility or liability is accepted for any damage, loss or expense incurred as a result of the information contained in the Alert, whether by way of negligence or otherwise.

The listing of a person or organisation in any part of this site or Alert does not imply any form of endorsement by the Commonwealth of the products or services provided by that person or organisation. Similarly, links to other web sites have been inserted for your convenience and do not constitute endorsement of material at those sites, or any associated organisation, product or service.

Please note that material in this Alert, as the case may be, includes views or recommendations of third parties, which do not necessarily reflect the views of the Commonwealth, or indicate its commitment to particular course of action. Material on this site or in this Alert may also include information provided by third parties. The Commonwealth cannot verify the accuracy of information that has been provided by third parties.