July 9th 2012 – DNS Changer D-Day, Are You Safe ?

Are you at risk from DNS Changer? You better find out soon. As of July 9th, if you are infected, you could lose your Internet access.

The DNS Changer malware first began infecting PCs around the world at the end of 2011. DNS Changer does what its name implies; the malware changes the DNS settings on a user’s PC. DNS is the critical Internet technology that matches a domain name (i.e., example.com) with the IP address location of the actual server. When DNS information is changed, a user can be taken to a different location than they want to go to.

The command and control infrastructure for DNS Changer was taken down in an FBI operation back in November of 2011. Since then, a court order has enabled the Internet Systems Consortium (ISC) to operate replacement DNS servers for the network that had been controlling DNS Changer. That court order expires on July 9th, at which point all those infected will have some serious problems.

“On July 9th the court order expires and ISC will turn the servers off and users that have their DNS pointing to DNS Changer addresses will no longer be able to get a DNS reply,” Vikram Thakur, principal research manager at Symantec Security Response, told eSecurityPlanet. “At that point they will not be able to resolve any web address, whether it’s Google.com, Facebook.com or Symantec.com.”

While the DNS Changer malware has been known for some time, there are still potentially hundreds of thousands of Internet users that will be at risk come July 9th. Internet security company IID (Internet Identity) has reported that at least 60 companies on the Fortune 500 list are currently infected with DNS Changer. While that number might seem large, it is a significant improvement over the 50 percent, or 250 Fortune 500 companies that IID suspects were infected with DNS Changer in January of this year. U.S Government agencies also were heavily infected at the beginning of the year with 49 percent of them at risk in January. As of June, IID reports that only 4 percent of U.S. government agencies are still infected with DNS Changer.

“I think there will be outages,” Thakur said. “But I don’t think it will happen all at the same time since most of the people that are affected and have not yet cleaned up , they are just generally slow to react to technical issues and some of them might not be using their machines everyday.”

Thakur added that in his view, neither July 9th or July 10th will be a day on which hundreds of thousands of people around the world call into their internet providers and help desks. In his view, it’s a situation that will be spread out over a week or so, as those affected begin to realize that something is wrong. Thakur noted that it is definitely possible for an average home user to fix the rogue DNS entries that DNS Changer has made. The problem isn’t however just about DNS Changer itself though, it’s about the other things that are likely going on, with machines infected with DNS Changer.

“These machines were infected with some kind of malware, that made DNS changes in addition to everything else it might have been doing including downloading more malware,” Thakur said. “Cleaning DNS is one part of the cleanup, the other part is cleaning up the actual infections and all the malware that could be on a machine.”

He added that depending on the malware, clean up could range from basic to very difficult scenarios.

The Big Fix?

With DNS Changer, there is potentially a big fix that can help users out. Until July 9th, ISC will be hosting the rogue DNS command and control, which is what is enabling the infected users to stay connected. Internet Service Providers (ISPs)around the globe have been taking proactive measures to help inform users of the risk of DNS Changer.

Some ISPs also have information that identifies the infected PCs are on their networks. So what they have done is put internal DNS routing within their own networks that re-routes traffic that comes from the DNS Changer infected machines.

“What that does is it makes users on those networks immune to the blackout that might occur on July 9th,” Thakur said.

Letting a blackout occur however, is not necessarily a bad thing. It’s a form of ‘tough love’ that might inspire infected users to actually clean and fix their machines. According to Thakur, there are some computers that just never get cleaned up.

“Take for example Conficker, the number of infected users is still in the millions, how do we fix those machine? There really is no silver bullet answer,” Thakur said. “Even in the case of DNS Changer there could be as many as 300,000 infected machines and I don’t think that number will come down in the next three months, unless the black outs happen and users are forced to take action.”

Are You Infected?

Determining if your PC has been infected with DNS Changer is easily done. The DNS Changer Working Group (DCWG) points to a number of resources. One of them is the http://www.dns-ok.us site, where all you need to do is simply visit the site to determine if you are at risk.

Protection against infections and risks like DNS Changer can be achieved by running up to date antivirus software. According to Thakur, fully updated end points running his company’s tools were not at risk from DNS Changer.

Additionally, users can choose to use a different DNS provider. Google offers a free public DNS service andOpenDNS also offers a free service as well.