
DNSChanger Doomsday Threatens To Take 300,000 Off The Web

The FBI has today switched off the servers used by the DNSChanger malware gang, meaning hundreds of thousands may be forced off of the Web.

Those still infected will be unable to use their browsers normally, as they will not be running through DNS servers that translate a domain name (e.g. techweekeurope.co.uk) into the IP address of a website’s servers. Instead, they have been connecting through servers set up by the gang to enable a money-making fraud, which the FBI has had to keep running so that users were not left high and dry.

The FBI said around 64,000 Americans were in danger, whilst the last count from the DNSChanger Working Group (DCWG) showed 19,589 British systems were infected with the malware. That made Britain the fourth most infected nation behind Italy in second and India in third.

Yet a Pastebin release, tweeted by F-Secure’s Mikko Hypponen, claimed there were only around 5000 British systems infected, compared to 47,000 in the US.

Overall, there are believed to be between 250,000 and 300,000 machines still infected with the malware, but it is unknown how important those systems are.

“We’ve been using the last eight months to go out and clean up the infected computers, but we don’t have everybody,” said supervisory special agent Thomas Grasso of the FBI’s Cyber Division. Grasso said he hoped that people “follow our recommendations to: one, determine if they’re affected by this; and then two, fix the problem.”

Get protected

For those concerned, head to this FBI blog post, which contains links to all the resources users need to stay online. A number of anti-virus firms have released free software to help too, including Intel-owned McAfee and Russian firm Kaspersky.

Some have warned that the panic surrounding DNSChanger could play into scammers’ hands too. “We may also see malware, spam, or scam campaigns associated with news about the DNSChanger malware,” Websense said in a blog post. “As a precaution, be careful when clicking links in notification email claiming to be from your ISP or links in Facebook posing as information on DNSChanger malware. These may be spoofed email or links designed to download malware or take you to a malicious website.”

Users have been given plenty of warning since November, at the end of a successful operation that saw the FBI and its international partners charge six individuals with conducting a sophisticated click-fraud scheme using DNSChanger. The operators were thought to have pocketed at least $14 million until they were caught.

The DNSChanger malware was running on many thousands of systems, which could only connect to the Internet using the crooks’ servers, so the FBI was compelled to keep the DNSChanger servers running. The Bureau has since delayed the cut-off date from March to July over fears that businesses would be left without normal Internet access.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

View Comments

  • The DNSChanger still affects over a quarter of a million systems, which will be shut down today. For organisations wanting to ensure that their systems are not affected by the DNSChanger server shutdown, businesses should utilise their IT management system to build a group containing the potentially rogue DNS Servers and add an alert for DNS traffic to the group. If the servers are infected with DNSChanger, you can run a report for all infected devices. Systems such as WhatsUp Gold alert centre will alert organisations to more than 5,000 conversation partners or over 1,000 failed connections for a single host, both indicators of malware-type infections. Organisations should take action before it’s too late.

    The list of potentially rogue DNS servers includes the following IP addresses.
    –85.255.112.0 – 85.255.127.255
    –67.210.0.0 – 67.210.15.255
    –93.188.160.0 – 93.188.167.255
    –77.67.83.0 – 77.67.83.255
    –213.109.64.0 – 213.109.79.255
    –64.28.176.0 – 64.28.191.255
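
The alerting idea in the comment above (group the listed ranges, then flag DNS traffic sent to that group) can be sketched as follows. This is an added example, not part of the original article or comment; the flow-record format, function names and sample records are assumptions made for illustration.

```python
import ipaddress

# Start/end pairs exactly as listed in the comment above.
ROGUE_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]

# Collapse each range into CIDR blocks, the form firewalls and monitoring tools expect.
ROGUE_NETS = [
    net
    for first, last in ROGUE_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
]

def is_rogue(addr):
    """True if addr falls inside any listed range; unparsable input is not a match."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in ROGUE_NETS)

def hosts_using_rogue_dns(flow_lines):
    """Map each source host to the rogue resolvers it sent port-53 traffic to."""
    hits = {}
    for line in flow_lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed records
        src, dst, dport, _proto = fields
        if dport == "53" and is_rogue(dst):
            hits.setdefault(src, set()).add(dst)
    return {src: sorted(dsts) for src, dsts in hits.items()}

# Constructed sample records: "src dst dst_port proto" (hypothetical export format).
SAMPLE_FLOWS = [
    "10.0.0.12 85.255.113.7 53 udp",
    "10.0.0.12 192.0.2.53 53 udp",      # ordinary resolver, ignored
    "10.0.0.31 64.28.191.255 53 udp",   # last address of a listed range
    "10.0.0.31 64.28.192.1 53 udp",     # just outside that range
    "10.0.0.44 77.67.83.10 443 tcp",    # listed range, but not DNS traffic
    "10.0.0.12 213.109.70.1 53 tcp",
]
```

Each source host returned here is a machine whose resolver settings point at the listed ranges and should be checked and cleaned.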
