Sunday, July 8, 2012

DNS Shutdown

If you’ve seen the news, or been on the internet at all lately, you probably know that the government is shutting down a bunch of servers tomorrow, and you may not be able to access the internet. Here’s why:

On July 9, the FBI will close down a network of DNS servers that many people have been depending on for proper Internet access. These servers were originally part of a scam in which a crime ring of Estonian nationals developed and distributed a malware package called DNSChanger; the FBI later seized the servers and converted them into a legitimate DNS service.

This malware scam has been widespread enough that even third-party companies like Google and Facebook and a number of ISPs like Comcast, COX, Verizon, and AT&T have joined in the effort to help remove it by issuing automatic notifications to users that their systems are configured with the rogue DNS network.

If you haven’t received such a notification but you’re not sure whether your equipment might be infected, go to http://dns-ok.us/. If you get a screen that looks like this, you’re OK:

[image: the dns-ok.us result page showing "ok"]

If you see anything else, try running something like Malwarebytes, or any of a dozen other antivirus/anti-malware programs. The free version should be sufficient.

DNS is the "Domain Name System," which acts like the Internet's phone book and translates human-friendly URLs such as "www.cnet.com" into their respective IP addresses that computers and routers use to establish connections. Since DNS is the interface between the typed URL and the targeted server, the crime ring created its own DNS network that would in large part work normally, but would also allow the ring to arbitrarily redirect the traffic for specific URLs to fake Web sites for the purposes of stealing personal information or getting people to click on ads.

Setting up the rogue DNS network itself isn't enough, since this network needs to be specified in a computer's settings in order to be used. To make this happen, the crime ring created the DNSChanger malware (also referred to as RSplug, Puper, and Jahlav), which was distributed as a trojan horse and successfully infected millions of PC systems worldwide. Once installed, this malware would continuously change the DNS settings for the affected computer and even for network routers, to point to the crime ring's rogue DNS network. As a result, even if people manually changed their computers' DNS settings, these changes would automatically be reverted by the malware on their systems.

Since millions of PC users had been infected by this malware, once the crime ring was taken down in a November 2011 multilateral sting called Operation Ghost Click, the FBI and other government authorities decided against turning off the rogue DNS network as this would have instantly prevented the infected systems from resolving URLs, and thereby would have effectively shut down the Internet for them. Instead, the DNS network was kept active and converted to a legitimate service while efforts were put in place to notify users of the DNSChanger malware and wait for the number of worldwide infections to fall.

Initially the rogue DNS network was slated for closure in March of this year; however, while the rate of infections fell significantly once the crime ring was broken up, the number of infected computers has remained relatively high, so the FBI extended the deadline to July 9 (this upcoming Monday). Unfortunately, even as this deadline approaches, thousands of PC systems worldwide are still infected with the DNSChanger malware, and when the servers are shut down these systems will no longer be able to resolve URLs to IP addresses.
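The dns-ok.us page checks which resolver your queries arrive from; the complementary local check is to look at the resolver addresses actually configured on the machine, since DNSChanger worked precisely by rewriting those settings. The script below is an added example written for this post, not a tool from the FBI, the DCWG or the post's author. It reads resolv.conf-style text or the "DNS Servers" lines of Windows `ipconfig /all` output and labels each resolver as approved, suspicious or unknown. The approved addresses and the "suspicious" range are constructed placeholders from the RFC 5737 documentation ranges; the real rogue DNSChanger ranges are not listed in the post, so you would substitute the ranges published by the FBI in their place.

```python
"""Audit configured DNS resolvers against an approved list and known-bad ranges.

Added example for the DNSChanger post; not code from the post or from any
official tool. Addresses below are constructed placeholders.
"""
import ipaddress

# Resolvers this host or network is supposed to use (constructed example values).
APPROVED_RESOLVERS = {
    ipaddress.ip_address("192.0.2.53"),
    ipaddress.ip_address("198.51.100.53"),
}

# PLACEHOLDER for the rogue DNSChanger ranges the FBI published: the post does
# not list them, so an RFC 5737 documentation range stands in for them here.
SUSPICIOUS_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
]


def extract_resolvers(text):
    """Pull resolver addresses out of configuration text.

    Accepts resolv.conf-style 'nameserver <addr>' lines and the 'DNS Servers'
    lines of Windows 'ipconfig /all' output, including the indented
    continuation lines that carry only an address. Everything else is ignored.
    """
    resolvers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop resolv.conf comments
        if not line:
            continue
        tokens = line.split()
        looks_like_dns_line = (
            tokens[0].lower() == "nameserver"
            or "dns servers" in line.lower()
            or len(tokens) == 1  # bare address on an ipconfig continuation line
        )
        if not looks_like_dns_line:
            continue
        for tok in tokens:
            try:
                resolvers.append(ipaddress.ip_address(tok))
            except ValueError:
                continue  # labels, dots and colons are not addresses
    return resolvers


def classify(addr):
    """Label one resolver: approved, suspicious (inside a bad range), or unknown."""
    if addr in APPROVED_RESOLVERS:
        return "approved"
    if any(addr in net for net in SUSPICIOUS_RANGES):
        return "suspicious"
    return "unknown"


def audit(text):
    """Map each configured resolver (as a string) to its classification."""
    return {str(addr): classify(addr) for addr in extract_resolvers(text)}


def is_clean(text):
    """True only when at least one resolver is configured and all are approved.

    'unknown' counts as not clean: DNSChanger pointed hosts at addresses the
    user never chose, so any unexpected resolver deserves a look.
    """
    report = audit(text)
    return bool(report) and all(v == "approved" for v in report.values())


# Constructed sample inputs, not captured from a real machine.
SAMPLE_RESOLV_CONF = """\
# constructed resolv.conf
search example.test
nameserver 192.0.2.53
nameserver 203.0.113.77
nameserver 2001:db8::53
"""

SAMPLE_IPCONFIG = """\
   DNS Servers . . . . . . . . . . . : 198.51.100.53
                                       192.0.2.53
"""

if __name__ == "__main__":
    for name, sample in (("resolv.conf", SAMPLE_RESOLV_CONF), ("ipconfig", SAMPLE_IPCONFIG)):
        verdict = "clean" if is_clean(sample) else "NOT clean"
        print(f"{name}: {audit(sample)} -> {verdict}")
```

Because the malware kept rewriting the settings, a one-off check is weaker than a recurring one: running `audit` on a schedule and alerting when a resolver leaves the approved set catches the reversion behaviour the post describes, not just the current state.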

1 comment:

  1. Nice post. I learn something totally new and challenging on sites I stumbleupon on a daily basis. It will always be interesting to read through content from other writers and use something from other websites. Also visit my blog post Action voip freed ownload