Update: A US Federal Court extended the deadline for shutting down the replacement DNS servers to July 9, 2012.
On Wednesday, the German Federal Office for Information Security (BSI) published a press release advising users to recheck DNS server settings on their computers. This recommendation is related to the successful botnet takedown – dubbed ‘Operation Ghost Click’ – led by the FBI during November 2011.
The bad guys behind this botnet had infested approximately 4 million computers in more than 100 countries with malware called DNSChanger. This Trojan horse allowed them – among other things – to redirect requests of unsuspecting users to malicious or illegal destinations by altering their connection settings, namely the address of the DNS server. More detailed information on this scam can be found in a post by Stephen Cobb.
Now, what’s all the fuss about after more than 9 weeks, you might be wondering? Well, if you happen to be one of the ‘brave ones’ running their systems without any anti-malware protection, or if that protection hasn’t been – for whatever reason – triggered by this malicious code, your computer might still be infected. No need to panic – all the malicious DNS servers were replaced with correctly operating systems during the takedown.
Having said that, there are two good reasons to check your system anyway. The first and pretty obvious reason is that you don’t want any unwanted process running on your computer without your consent, right? The second is that if your PC is still infected you won’t be able to surf the Internet after 8th March 2012. How come? Those replacement DNS servers will be shut down on that day; it’s as simple as that.
There are several ways to check whether your PC has been affected. For example, you can do so manually using a form on the official FBI website or by visiting one of the following sites, designed with support from the BSI: www.dns-ok.de (in German) or http://www.dns-changer.eu/en/check.html (also available in English). These sites also provide information on how to clean an infected system.
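The manual check comes down to comparing the DNS servers your system is configured to use against the published rogue ranges. The sketch below is an added example, not part of the original post and not code from the FBI or BSI; the ranges are placeholders from the RFC 5737 documentation networks, the sample inputs are constructed, and the `ipconfig /all` parsing assumes English-language output.

```python
import ipaddress
import re

# PLACEHOLDER ranges (RFC 5737 documentation networks), not real indicators.
# Substitute the rogue DNS ranges published by the authorities before use.
ROGUE_RANGES_PLACEHOLDER = ["192.0.2.0/24", "198.51.100.0/25"]

# Constructed sample inputs.
SAMPLE_RESOLV_CONF = """\
# constructed sample
search example.lan
nameserver 192.0.2.53
nameserver 10.0.0.1
"""
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 10.0.0.23(Preferred)
   DNS Servers . . . . . . . . . . . : 198.51.100.7
                                       10.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

def extract_resolvers(text):
    """Return the DNS server addresses found in resolv.conf or ipconfig /all text."""
    found, in_dns_block = [], False
    for line in text.splitlines():
        stripped = line.strip()
        unix = re.match(r"nameserver\s+(\S+)", stripped)
        if unix:
            candidate = unix.group(1)
        elif stripped.startswith("DNS Servers"):
            in_dns_block, candidate = True, stripped.rsplit(" : ", 1)[-1]
        elif in_dns_block and stripped and " : " not in stripped:
            candidate = stripped  # continuation line listing a further server
        else:
            in_dns_block = False
            continue
        try:
            found.append(ipaddress.ip_address(candidate.split("%")[0]))
        except ValueError:
            in_dns_block = False  # not an address: the DNS block has ended
    return found

def flag_rogue_resolvers(text, rogue_ranges):
    """Return configured resolvers that fall inside any of the given ranges."""
    networks = [ipaddress.ip_network(r) for r in rogue_ranges]
    return [str(ip) for ip in extract_resolvers(text)
            if any(ip.version == n.version and ip in n for n in networks)]

if __name__ == "__main__":
    for name, sample in (("resolv.conf", SAMPLE_RESOLV_CONF), ("ipconfig", SAMPLE_IPCONFIG)):
        print(name, flag_rogue_resolvers(sample, ROGUE_RANGES_PLACEHOLDER))
```

A clean result only covers the settings on that machine; the DNS server configured on the home router is a separate setting to compare against the same ranges.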
I think it’s worth the time, just to be sure. And even if you have dodged the bullet, you might still know someone who would find this information useful.
Peter Stancik
Security Evangelist