The good news is that the FBI has already shut down the people behind this and seized their servers. The bad news is that when the FBI turns off the servers it put up in their place, you may lose your Internet connection, or worse, be infected if the FBI missed any servers.
Over 450,000 computers – including half of the Fortune 500 companies and over 50% of government entities – are still infected with the DNSChanger malware. DNSChanger is a Trojan horse that changes the DNS settings on computers and routers to send users to malicious sites, which then steal personal information and generate illegal ad revenue for the scammers. In November 2011, the FBI took over the botnet’s rogue servers and replaced them; however, on March 8th the FBI will be shutting down the servers it put up to replace the rogue ones.
Today we are going to discuss the DNSChanger Trojan, its impact on Internet users, the FBI’s biggest challenge in resolving it, and how a user can check and restore their computer. Hopefully you will share this article with your friends, family and followers.
First, let’s examine what DNS (Domain Name System) is. DNS is an Internet service that converts user-friendly domain names into the numerical Internet Protocol (IP) addresses that computers use to talk to each other. You can think of it like a phone book: DNS cross-references user-friendly names with addresses. When you enter a domain name, such as http://www.ravenit.com, in your web browser’s address bar, your computer contacts a DNS server to determine the IP address for the website. Your computer then uses this IP address to locate and connect to the website. DNS servers are operated by your Internet service provider (ISP) and are included in your computer’s network configuration. DNS and DNS servers are a critical component of your computer’s operating environment; without them, you would not be able to access websites, send e-mail, or use any other Internet services.
What is DNSChanger? It is a small file of about 1.5 kilobytes. DNSChanger is a Trojan horse that changes the infected system’s Domain Name Server (DNS) settings in order to divert traffic to unsolicited, and potentially illegal, sites. This Trojan horse is designed to change the ‘NameServer’ Registry key value to a custom IP address. This IP address is usually stored encrypted in the body of the Trojan.
The DNSChanger malware was first discovered around 2007, and since then it has infected millions of computers, around 500,000 of them in the U.S., and through these computers the criminals have reportedly pulled in around $14 million in stolen funds. The FBI has uncovered a network of rogue DNS servers and has taken steps to disable it. The FBI is also undertaking an effort to identify and notify victims who have been impacted by the DNSChanger malware.
Windows, Mac OS and smartphone users are all at risk of this infection because it exploits your browser, not your operating system. Here are some known hostile IP address ranges, given as start and end addresses, used by the DNSChanger malware:
22.214.171.124 – 126.96.36.199
188.8.131.52 – 184.108.40.206
220.127.116.11 – 18.104.22.168
Check your IP settings to verify that your DNS servers are not within the above ranges. If they are, contact your ISP to find out what your DNS settings should be and change them immediately. As mentioned above, the FBI plans to shut down the replacement DNS servers, and if your computer uses one of the above DNS IP addresses, you will not have access to the Internet.
After the takedown of the DNSChanger botnet in November 2011, the FBI obtained a court order allowing it to set up a temporary DNSChanger command-and-control network. The court order expires on March 8th, 2012. Unless the FBI obtains a new court order allowing it to continue operating the temporary network, the network will be turned off, resulting in millions of computers worldwide no longer being able to access the Internet.
According to the FBI, it is quite possible that computers infected with this malware are also infected with other malware. The establishment of these clean DNS servers does not guarantee that the computers are safe from other malware; the main intent is to ensure users do not lose DNS service.
How can you check manually whether your system is infected or not? The best way to determine whether your computer has been affected by DNSChanger is to have it evaluated by a computer professional. Otherwise, you can use this IP tool:
Enter your DNS server’s IP address in the “Reverse DNS Lookup” box midway down the page in the left column and click Go. The result should be a known domain, such as your ISP’s.
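The two checks described above (comparing your configured DNS servers against the hostile ranges, and a reverse lookup of each server) can be done in a few lines of Python. The script below is an added example, not code from the original article or from the FBI; it reads nameserver lines from a constructed resolv.conf-style snippet, so it runs offline. The hostile ranges in it are placeholders taken from the RFC 5737 documentation blocks and are only an assumption for the demonstration: substitute the start/end pairs listed in the article before running a real check. The reverse lookup is a best-effort helper that returns None when no network or PTR record is available.

```python
import ipaddress
import re
import socket

# Hostile DNS server ranges as (first address, last address) pairs.
# CONSTRUCTED placeholders from the RFC 5737 documentation blocks; replace
# these with the start/end pairs listed in the article before a real check.
HOSTILE_RANGES = [
    ("192.0.2.0", "192.0.2.255"),
    ("198.51.100.0", "198.51.100.255"),
    ("203.0.113.0", "203.0.113.127"),
]

# Constructed sample, not a real host's configuration.
SAMPLE_RESOLV_CONF = """\
search example.net
nameserver 203.0.113.7
nameserver 192.0.2.53
nameserver 2001:db8::53
"""

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def expand_ranges(pairs):
    """Turn start/end pairs into IPv4 networks, rejecting malformed pairs.

    A transcribed range whose end precedes its start would otherwise match
    nothing or, if blindly normalised, nearly everything, so fail loudly.
    """
    networks = []
    for first, last in pairs:
        a = ipaddress.IPv4Address(first)
        b = ipaddress.IPv4Address(last)
        if b < a:
            raise ValueError(f"range end precedes start: {first} - {last}")
        networks.extend(ipaddress.summarize_address_range(a, b))
    return networks


def extract_dns_servers(text):
    """Return the nameserver addresses found in resolv.conf-style text."""
    servers = []
    for candidate in NAMESERVER_RE.findall(text):
        try:
            servers.append(str(ipaddress.ip_address(candidate)))
        except ValueError:
            continue  # skip anything that is not a plain IP address
    return servers


def check_dns_servers(servers, pairs=HOSTILE_RANGES):
    """Return (server, matched_network) for each server; network is None if clean."""
    networks = expand_ranges(pairs)
    results = []
    for server in servers:
        addr = ipaddress.ip_address(server)
        hit = None
        if addr.version == 4:
            hit = next((str(n) for n in networks if addr in n), None)
        results.append((server, hit))
    return results


def reverse_lookup(server):
    """Best-effort PTR lookup; a legitimate resolver usually maps back to the ISP's domain."""
    try:
        return socket.gethostbyaddr(server)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


if __name__ == "__main__":
    for server, hit in check_dns_servers(extract_dns_servers(SAMPLE_RESOLV_CONF)):
        status = f"HOSTILE (in {hit})" if hit else "not in hostile list"
        print(f"{server}: {status}; reverse lookup: {reverse_lookup(server)}")
```

On a Windows machine, feed `check_dns_servers` the addresses shown under "DNS Servers" in `ipconfig /all` instead of parsing resolv.conf; the range check is the same.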