July 9, 2012

DNS Changer Virus: A Bust?

John Neumann for redOrbit.com - Your Universe Online

A piece of malware named DNS Changer was run by an Estonian crime ring until last November, when the FBI and other authorities shut the operation down. The malware, first seen in 2007, hijacked users' computers without their knowledge to generate fraudulent clicks on adverts.

Although its only obvious effects were to slightly slow internet connections and to disable antivirus software, it also silently redirected the infected computers' domain name lookups to the fraudsters' own servers, reports Matt Warman, Consumer Technology Editor for The Telegraph.

The hackers racked up more than $14 million by hijacking web searches and forcing victims to see certain banner ads and advertising. They managed to do this because their servers were taking over a key web function known as domain name look-up.

Domain names are the words humans use for websites: Google.com, Facebook.com and so on. Computers, however, locate each other by numerical IP addresses, and they consult domain name system (DNS) servers to translate a name into an address, BBC News reports.

When a person types a name into a browser address bar, their computer asks a DNS server where that website lives online. The gang's malware was called DNS Changer because it changed the DNS server settings on an infected PC, so that every conversion of a domain name into a number was answered by a server the gang controlled, and could therefore be answered with whatever address the gang chose.

If the FBI had simply switched those servers off at the time of the arrests, hundreds of thousands of computer users would have been left without working web access, because their PCs would still have been sending every lookup to a dead address. Instead, under a court order, the rogue servers were temporarily replaced with clean substitute DNS servers that answered lookups honestly, and a "DNS Checker Page" was set up so that users could find out whether their computer was still pointed at the rogue addresses and get clean-up instructions. That effort has eliminated most of the infections, but not all of them.
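The check the DNS Checker Page performed can also be done locally, because the only thing the malware changed is which resolver the computer asks. The following script is an added example, not code from the article, the FBI or the checker page. It pulls resolver addresses out of resolver configuration text (Unix-style `nameserver` lines or the `DNS Servers` lines of Windows `ipconfig /all` output) and tests each one against the address ranges published for the rogue resolvers; those ranges are reproduced from memory of the FBI's notice and should be verified against the original before being relied on, and the two configuration snippets at the bottom are constructed sample input.

```python
import ipaddress
import re

# Address ranges attributed to the DNSChanger rogue resolvers. Reproduced from
# memory of the FBI's published list (an assumption for this example): check
# them against the original notice before using this in anger.
ROGUE_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]


def _to_networks(ranges):
    """Turn (first, last) address pairs into CIDR networks for fast membership tests."""
    nets = []
    for lo, hi in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)))
    return nets


ROGUE_NETWORKS = _to_networks(ROGUE_RANGES)

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def is_rogue(ip):
    """True if the resolver address falls inside one of the rogue ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ROGUE_NETWORKS)


def extract_resolvers(config_text):
    """Collect resolver IPs from resolv.conf-style or ipconfig-style text.

    ipconfig lists extra DNS servers on continuation lines that contain only an
    address, so we remember when the previous line opened a 'DNS Servers' block.
    """
    found = []
    in_dns_block = False
    for line in config_text.splitlines():
        m = re.match(r"\s*nameserver\s+(" + IPV4 + r")\s*$", line)
        if m:
            found.append(m.group(1))
            in_dns_block = False
            continue
        m = re.match(r"\s*DNS Servers[ .]*:\s*(" + IPV4 + r")\s*$", line)
        if m:
            found.append(m.group(1))
            in_dns_block = True
            continue
        m = re.match(r"\s+(" + IPV4 + r")\s*$", line)
        if m and in_dns_block:
            found.append(m.group(1))
            continue
        in_dns_block = False
    return found


def audit(config_text):
    """Map each configured resolver to True (rogue range) or False (not in a rogue range)."""
    return {ip: is_rogue(ip) for ip in extract_resolvers(config_text)}


# Constructed sample input: a resolv.conf whose first resolver has been hijacked.
SAMPLE_RESOLV_CONF = """\
# Generated by the example, not a real host's file
search example.com
nameserver 85.255.112.36
nameserver 192.168.1.1
"""

# Constructed sample input: the DNS lines of an 'ipconfig /all' dump.
SAMPLE_IPCONFIG = """\
   DNS Servers . . . . . . . . . . . : 93.188.160.10
                                       8.8.4.4
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for label, text in (("resolv.conf", SAMPLE_RESOLV_CONF), ("ipconfig", SAMPLE_IPCONFIG)):
        for ip, rogue in audit(text).items():
            print(f"{label}: {ip} -> {'ROGUE' if rogue else 'ok'}")
```

On a live machine you would feed `audit()` the contents of `/etc/resolv.conf` or the output of `ipconfig /all`; a `True` result means the machine is still pointed at the gang's address space and, now that the substitute servers are gone, will fail to resolve names until the setting is repaired. Note that this inspects only the resolver setting, so it cannot tell you whether the malware that made the change is still present.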

The FBI announced earlier in the year that on July 9 it would pull the plug on the substitute servers, potentially leaving an estimated 350,000 still-infected computers, mainly in the US and western Europe, without web access, since their lookups would go unanswered. As of this morning the FBI has followed through and turned the servers off, citing the tens of thousands of dollars it cost to operate them each month.

As of this morning, it appears that most affected users have either removed the malware from their computers or the infected computers are no longer in use.

“It might take some time for the problems to become apparent,” said Sean Sullivan, a security researcher at F-Secure. “Initially some domains will be cached which will mean web access will be spotty. People will be confused about why some things work and some do not.”

Other security experts said it might take time for the remaining infected machines to be cleaned up. “Reaching victims is a very hard problem, and something we have had issues with for years,” said Johannes Ullrich, a researcher with the SANS security institute.

He expected the impact to be “minimal” because many of these systems were no longer used or maintained.