Saturday, July 7, 2012

The DNSChanger Danger


On November 9, 2011 the FBI and Estonian authorities conspired to bring down a ring of computer hackers and as a result thousands of people will lose their Internet connections on Monday, July 9th. While on the surface this statement makes no sense at all, I assure you that it's true. A Trojan that was distributed by a company called Rove Digital from 2007 to 2011 is interfering with infected systems and affecting how they connect to the Internet. This is going to come to a head on Monday, July 9th with all infected systems effectively being cut off from Internet access. The FBI and various non-profit organizations have been doing all that they can to let people know if they've been infected, but they estimate that around 500,000 computers in the U.S. are still infected.

In 2007 an Estonian company called Rove Digital started distributing a Trojan called DNSChanger. This was accomplished by what is known as “drive-by downloading”. Victims would visit websites and get a message saying that a video codec was needed to view content on that site. Hidden within the video codec was a separate program that would infect the victim's computer. This is called a Trojan after the fabled Trojan Horse because it operates in much the same way. You appear to be getting a free gift, not knowing that disaster hides inside. The Trojan installed itself into the system, then attempted to infect other systems on the same network.

Once DNSChanger was installed it did exactly what it sounds like it would do: it changed the system's DNS configuration. DNS, or Domain Name System, is the Internet's equivalent of a phone book. Every website has an address, as you probably know. What you may not know is that the actual address has no letters in it; it is just a string of numbers (an IP address). The address for UCC's website, for example, is 64.198.7.101. If you type this number into a browser you will reach UCC's website. This number is not exactly easy to remember, however, so a system was devised that allows for easily remembered web addresses. How this works is that there are servers all over the world that act as large directories. You type in an address that you can remember, such as www.uccwi.com. This request is sent to a DNS server, which looks up uccwi.com, finds that its address is 64.198.7.101, and sends you there. It's no different than looking up UCC in the Yellow Pages and finding our phone number so that you know how to reach us by telephone.

Rove Digital set up their own DNS servers and created DNSChanger to force victims to use only those servers. This allowed them to inject addresses of their choosing in place of the addresses that people were actually looking for. For example, somebody trying to look up the IRS website might instead be taken to the website of a tax preparation company. This tax preparation company would be one that had signed up for an advertising program in which it would pay to post its advertisements on other websites. Every time an advertisement got clicked on, the hosting website would be paid a small fee. Rove Digital was taking advantage of these programs with its servers by appearing to be a website that was referring people to advertisers. The tax preparation company would have no idea that people had been duped into visiting their site. Though the fee for a referral is very small, usually fractions of a penny, the numbers quickly add up. DNSChanger infected over 4 million computers and as a result Rove Digital profited at least 14 million dollars from advertisement referral fees.

After four years of profiting from this scam, the FBI finally caught up with Rove Digital. However, when they seized the rogue servers they realized that, since the infected systems were programmed to use only Rove Digital's DNS services, they had a problem. If they simply took the servers offline then all 4 million infected systems would immediately lose Internet connectivity. This included systems at over half of Fortune 500 companies as well as over half of U.S. Government agencies. Instead of crippling the world's ability to connect to the Internet, the FBI decided to bring in their own servers and put them up in place of the Rove Digital servers. Like Indiana Jones swapping an idol for a bag of sand, the switch happened so fast that nobody noticed the change. Now they had a new problem. The FBI is simply not set up to be a DNS host, and they have no desire to be. They set up a system of non-profit organizations to run the servers until people had ample time to repair their systems. The FBI and these organizations have done all they could to make people aware of the situation; however, at last count there were still more than 500,000 systems in the U.S. alone that were infected, and the cut-off date for these servers is Monday, July 9th.

This is your last warning. If you haven't yet checked your system to find out if you've been infected, visit http://www.dns-ok.us/. This site has been set up to detect whether or not a system is being redirected through the FBI servers by DNSChanger. If the picture comes up with a green background you're clean. If you get a red background you're infected. Removal is very tricky, and no tools are 100% guaranteed. The FBI is recommending that infected systems have their data backed up and the Operating System reinstalled. Any systems that have not been disinfected by Monday, July 9th will find themselves unable to connect to the Internet.
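The dns-ok.us page checks a system from the outside by seeing which resolver its query arrives from. The same question can be answered from the inside by reading the resolver addresses the machine is configured to use and comparing them against the address ranges of the rogue servers, which is essentially what DNSChanger altered. The script below is an added example and not code from the original post or from the FBI or the DNSChanger Working Group. It parses two constructed samples, a Unix /etc/resolv.conf and an excerpt of Windows "ipconfig /all" output, and flags any nameserver that falls inside a rogue range. The post does not list the actual rogue ranges, so ROGUE_RESOLVER_RANGES holds placeholder networks (the reserved TEST-NET blocks) that you would replace with the published list; the sample resolver addresses are likewise made up.

```python
import ipaddress
import re

# PLACEHOLDER ranges. The post does not give the rogue resolver addresses,
# so these reserved documentation networks stand in for the published list.
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),     # placeholder (TEST-NET-1)
    ipaddress.ip_network("198.51.100.0/24"),  # placeholder (TEST-NET-2)
]

# Constructed sample inputs: one Unix resolver file, one Windows ipconfig excerpt.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search example.local
nameserver 192.0.2.7
nameserver 8.8.8.8
"""

SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 10.0.0.5
   DNS Servers . . . . . . . . . . . : 198.51.100.44
                                       10.0.0.1
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def resolvers_from_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    found = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.append(parts[1])
    return found


def resolvers_from_ipconfig(text):
    """Return DNS server addresses from 'ipconfig /all' output.

    The first server sits on the 'DNS Servers' line; any further servers
    appear on continuation lines that carry only an address, so keep
    collecting until the next labelled field or a blank line.
    """
    found = []
    in_dns = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("DNS Servers"):
            in_dns = True
            found += IPV4_RE.findall(stripped.split(":", 1)[1])
        elif in_dns:
            # Labelled fields contain " : "; adapter headers end with ":".
            if not stripped or " : " in stripped or stripped.endswith(":"):
                in_dns = False
            else:
                found += IPV4_RE.findall(stripped)
    return found


def flag_rogue(resolvers):
    """Return (address, matched_range) for every resolver inside a rogue range."""
    hits = []
    for addr in resolvers:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # skip anything that is not a valid IP literal
        for net in ROGUE_RESOLVER_RANGES:
            if ip in net:
                hits.append((addr, str(net)))
                break
    return hits


def check_host(resolv_conf_text=None, ipconfig_text=None):
    """Gather resolvers from whichever sources are supplied and flag rogue ones."""
    resolvers = []
    if resolv_conf_text:
        resolvers += resolvers_from_resolv_conf(resolv_conf_text)
    if ipconfig_text:
        resolvers += resolvers_from_ipconfig(ipconfig_text)
    return {"resolvers": resolvers, "rogue": flag_rogue(resolvers)}


if __name__ == "__main__":
    report = check_host(SAMPLE_RESOLV_CONF, SAMPLE_IPCONFIG)
    print("configured resolvers:", report["resolvers"])
    for addr, net in report["rogue"]:
        print(f"WARNING: resolver {addr} is inside rogue range {net}")
    if not report["rogue"]:
        print("no rogue resolvers found")
```

On a real machine you would feed the script the contents of /etc/resolv.conf or the captured output of ipconfig /all instead of the samples. A hit on a rogue range is the same evidence the red dns-ok.us picture gives, and it also tells you which interface or file to fix; note that DNSChanger also altered DNS settings on home routers, so a clean host can still be redirected if the router hands it a rogue resolver via DHCP.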
