
DNSChanger Doomsday Threatens To Take 300,000 Off The Web

The FBI has today switched off the servers used by the DNSChanger malware gang, meaning hundreds of thousands of users may be forced off the Web.

Those still infected will be unable to use their browsers normally, because their systems are not pointed at legitimate DNS servers that translate a typical domain name (e.g. techweekeurope.co.uk) into the IP address of a website’s servers. Instead, their DNS queries go to servers set up by the gang to enable a money-making fraud, which the FBI has had to keep running or else those users would be left high and dry.

The FBI said around 64,000 Americans were in danger, whilst the last count from the DNSChanger Working Group (DCWG) showed 19,589 British systems were infected with the malware. That made Britain the fourth most infected nation behind Italy in second and India in third.

Yet a Pastebin release, tweeted by F-Secure’s Mikko Hypponen, claimed there were only around 5000 British systems infected, compared to 47,000 in the US.

Overall, there are believed to be between 250,000 and 300,000 machines still infected with the malware, but it is unknown how important those systems are.

“We’ve been using the last eight months to go out and clean up the infected computers, but we don’t have everybody,” said supervisory special agent Thomas Grasso of the FBI’s Cyber Division. Grasso said he hoped that people “follow our recommendations to: one, determine if they’re affected by this; and then two, fix the problem.”

Get protected

For those concerned, head to this FBI blog post, which contains links to all the resources users need to stay online. A number of anti-virus firms have released free software to help too, including Intel-owned McAfee and Russian firm Kaspersky.

Some have warned that the panic surrounding DNSChanger could play into scammers’ hands too. “We may also see malware, spam, or scam campaigns associated with news about the DNSChanger malware,” Websense said in a blog post. “As a precaution, be careful when clicking links in notification email claiming to be from your ISP or links in Facebook posing as information on DNSChanger malware. These may be spoofed email or links designed to download malware or take you to a malicious website.”

Users have been given plenty of warning since November, at the end of a successful operation that saw the FBI and its international partners charge six individuals with conducting a sophisticated click-fraud scheme using DNSChanger. The operators were thought to have pocketed at least $14 million until they were caught.

The DNSChanger malware was running on many thousands of systems, which could only connect to the Internet using the crooks’ servers, so the FBI was compelled to keep the DNSChanger servers running. The Bureau has since delayed the cut-off date from March to July over fears that businesses would be left without normal Internet access.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

View Comments

  • The DNSChanger still affects over a quarter of a million systems, which will be shut down today. For organisations wanting to ensure that their systems are not affected by the DNSChanger server shutdown, businesses should utilise their IT management system to build a group containing the potentially rogue DNS servers and add an alert for DNS traffic to the group. If the servers are infected with DNSChanger, you can run a report for all infected devices. Systems such as the WhatsUp Gold alert centre will alert organisations to more than 5,000 conversation partners or over 1,000 failed connections for a single host, both indicators of malware-type infections. Organisations should take action before it’s too late.

    The list of potentially rogue DNS servers includes the following IP address ranges:
    – 85.255.112.0 – 85.255.127.255
    – 67.210.0.0 – 67.210.15.255
    – 93.188.160.0 – 93.188.167.255
    – 77.67.83.0 – 77.67.83.255
    – 213.109.64.0 – 213.109.79.255
    – 64.28.176.0 – 64.28.191.255
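The check the FBI asks users to perform (“determine if they’re affected”) and the network alerting the comment above describes both reduce to the same question: is a host talking to, or configured to use, a resolver in the rogue ranges? The script below is an added example, not code from the article, the commenter or any product named on the page. It takes the six ranges from the comment, summarises them into CIDR networks, checks a host’s configured nameservers against them, and then runs the same test over DNS flows in a simple connection log. The resolv.conf text and the log lines are constructed sample input, and the log format (`<timestamp> <src>:<port> -> <dst>:<port> <proto>`) is an assumption made for the example.

```python
import ipaddress

# Rogue DNS server ranges as listed in the comment above (first address, last address).
ROGUE_DNS_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]


def ranges_to_networks(ranges):
    """Turn (first, last) address pairs into a list of CIDR networks."""
    networks = []
    for first, last in ranges:
        networks.extend(
            ipaddress.summarize_address_range(
                ipaddress.ip_address(first), ipaddress.ip_address(last)
            )
        )
    return networks


ROGUE_NETWORKS = ranges_to_networks(ROGUE_DNS_RANGES)


def is_rogue_resolver(ip):
    """True if the address falls inside any of the listed rogue ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ROGUE_NETWORKS)


def parse_resolv_conf(text):
    """Extract nameserver addresses from resolv.conf-style text (comments stripped)."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def check_resolvers(servers):
    """Map each configured nameserver to whether it is in a rogue range."""
    return {server: is_rogue_resolver(server) for server in servers}


def flag_dns_flows(log_lines):
    """Return (src_ip, dst_ip) for every flow to port 53 on a rogue resolver.

    Assumed log format (constructed for this example):
    '<timestamp> <src_ip>:<port> -> <dst_ip>:<port> <proto>'
    """
    flagged = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "->":
            continue  # not a flow line we understand
        src_ip = parts[1].rsplit(":", 1)[0]
        dst_ip, dst_port = parts[3].rsplit(":", 1)
        if dst_port == "53" and is_rogue_resolver(dst_ip):
            flagged.append((src_ip, dst_ip))
    return flagged


# Constructed sample input: one rogue and one legitimate resolver configured.
SAMPLE_RESOLV_CONF = """# constructed example
nameserver 85.255.112.39   # inside 85.255.112.0/20
nameserver 8.8.8.8
"""

# Constructed sample flow log: two hosts, two DNS queries to rogue ranges.
SAMPLE_FLOWS = [
    "2012-07-09T08:00:01Z 10.0.0.12:51234 -> 93.188.160.5:53 udp",
    "2012-07-09T08:00:02Z 10.0.0.12:51235 -> 8.8.8.8:53 udp",
    "2012-07-09T08:00:03Z 10.0.0.44:40001 -> 85.255.120.9:53 udp",
    "2012-07-09T08:00:04Z 10.0.0.44:40002 -> 93.188.160.5:80 tcp",
]

if __name__ == "__main__":
    for net in ROGUE_NETWORKS:
        print("rogue network:", net)
    for server, rogue in check_resolvers(parse_resolv_conf(SAMPLE_RESOLV_CONF)).items():
        print(f"nameserver {server}: {'ROGUE' if rogue else 'ok'}")
    for src, dst in flag_dns_flows(SAMPLE_FLOWS):
        print(f"ALERT: {src} sent DNS to rogue resolver {dst}")
```

The flow check only flags traffic to port 53, so a web request to the same address (the fourth sample line) is not reported; on a real network the host-side check and the flow check complement each other, since an infected machine that has not yet resolved anything shows up in the first but not the second.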
