Bits from Bill

Technology thoughts leaking from the brain of "Bill Pytlovany"

Wednesday, May 02, 2012

FBI Has Good Guys but Your Time is Limited

There have been a number of articles about what we all call the DNS Changer infection. PC World recently estimated that 350,000 systems are still affected and that on July 9th they will lose their Internet access. It’s rare that we credit government agencies for doing good, and few authors have given the Justice Department credit for how it handled this malware. If not for a decision by this agency, millions of infected computers would have suddenly lost their Internet connection last year with no warning.
 

Last year the FBI went after a criminal group that had infected computers around the world, leaving behind what’s typically called a “bot”. The malware that created the bot gave multiple criminal groups complete control over the infected computers. One of the many changes it made was to each computer’s DNS look-up address. This is the location your computer goes first to find the numeric address of a website. When you type in “www.WinPatrol.com”, a legitimate DNS server will direct your browser to my server address, 161.58.14.137. The default setting sends you to a DNS look-up server managed by the company that provides your Internet access.

If you were infected by DNS Changer last year, your browser would often be redirected to fake websites. These websites might contain nothing but advertising, or they might be duplicates of the original site set up to steal your password or credit card data. In many cases the sites encouraged you to download software that would not only steal additional information but would also demand a fee to have it removed. Instead of downloading WinPatrol as you expected, you’d get what we called ExtortionWare or ScareWare. Even if you paid the extortion, they wouldn’t help, and you’d find important documents still encrypted.

 

When the FBI found and arrested the criminals behind this fraud, they could have simply shut down the entire operation. If they had, anyone infected would have lost their Internet access immediately: their browser would no longer have been able to look up the numeric addresses required to find websites. Instead, the Justice Department received permission from the courts to set up replacement servers at the same addresses previously registered to the criminals, but answering with legitimate DNS results. The infected computers never noticed the change, and even now they may show no obvious indication that they were infected. Unfortunately, the court order expires on July 9th, 2012, and the replacement DNS servers will go dark.


Many engineers, including some smart people at Microsoft, have tried to create software solutions. In theory the FBI could do what the criminals did: take control of the infected machines and change the DNS setting back to a default value. Aside from the legal restrictions on doing this, the danger of damaging the infected computer is greater than you might think. Not only does the false DNS address need to be removed, the bot software itself needs to be removed. The changes made by the original malware may vary from machine to machine, and without removing the remote-control software, other criminals could simply find these machines and take control of them again.

Solution 1
The FBI has created an advisory page which contains plenty of information, although it may not be great for non-technical folks. It provides a solution that will keep you on the Internet but doesn’t address other possible infections. It may, however, give you a clue as to whether you were a victim of this malware. Click for FBI PDF file

Solution 2
There is an alternate DNS service which I’ve recommended in the past. They have a free version with instructions that may be a little better than the FBI document. The service is called OpenDNS.
[Screenshot: Windows network adapter properties, Internet Protocol (TCP/IP) dialog showing the “Use the following DNS server addresses” option selected with an OpenDNS address filled in]

Windows Example: Under the Properties of your network adapter you’ll find a path to a screen like the one pictured above that stores your DNS server address. The default setting is “Obtain DNS server address automatically”. In the example above, I have changed the DNS server address to point at an address used by the OpenDNS service. So instead of my browser going to a FiOS server to look up websites, my machine goes directly to servers managed by OpenDNS.

A machine that has been infected by a DNS Changer virus will likewise have had its DNS server addresses changed, in this case to addresses run by the criminals. The list of address ranges currently managed by the FBI can be found in the PDF file linked above. If one of your DNS server addresses falls in those ranges, you’ll want to clean up your computer, but first select the option that says “Obtain DNS server address automatically” so that you keep your Internet access after July 9th.
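For anyone who would rather script the comparison than read the dialog box, here is an added example (not code from this post, from WinPatrol, or from the FBI) that parses the text of `ipconfig /all` and flags any IPv4 DNS server that falls inside the address ranges the DNS Changer Working Group and the FBI published for the seized rogue servers. The ranges below are the six published ranges as I know them; verify them against the FBI PDF before relying on the result. The `ipconfig` output embedded in the script is constructed for the demonstration, with one rogue-range address (85.255.112.5) next to a legitimate OpenDNS address.

```python
"""Flag DNS Changer rogue resolvers in `ipconfig /all` output.

Added example. Assumptions: the ROGUE_RANGES list matches the ranges in
the FBI/DCWG advisory, and SAMPLE_IPCONFIG is a constructed sample of
Windows `ipconfig /all` output, not a capture from a real machine.
"""
import ipaddress
import re
import subprocess
import sys

# Address ranges of the DNS Changer resolvers (published by the DCWG and
# the FBI; check these against the FBI PDF, they are reproduced from memory).
ROGUE_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
    "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
    "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
    "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
    "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
    "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
)]

_IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample: one adapter whose primary DNS server sits in a rogue
# range and whose secondary is OpenDNS (208.67.222.222).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : OFFICE-PC

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.12(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.5
                                       208.67.222.222
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def parse_dns_servers(ipconfig_text):
    """Return every IPv4 DNS server listed in `ipconfig /all` text.

    ipconfig prints the first server on the "DNS Servers" label line and
    any further servers on indented continuation lines that carry only an
    address. A blank line or the next " : " label ends the block.
    """
    servers = []
    in_dns_block = False
    for line in ipconfig_text.splitlines():
        if "DNS Servers" in line and " : " in line:
            in_dns_block = True
            value = line.split(" : ", 1)[1]
            servers.extend(_IPV4_RE.findall(value))
        elif in_dns_block:
            if not line.strip() or " : " in line or not line.startswith(" "):
                in_dns_block = False      # next label, adapter header or blank
            else:
                servers.extend(_IPV4_RE.findall(line))
    return servers


def check_dns_servers(servers):
    """Return [(server, matching_rogue_cidr_or_None), ...] for each server."""
    results = []
    for server in servers:
        addr = ipaddress.ip_address(server)
        hit = next((str(net) for net in ROGUE_RANGES if addr in net), None)
        results.append((server, hit))
    return results


def rogue_servers(ipconfig_text):
    """Convenience wrapper: just the DNS servers that fall in a rogue range."""
    return [s for s, hit in check_dns_servers(parse_dns_servers(ipconfig_text)) if hit]


if __name__ == "__main__":
    if sys.platform == "win32":
        text = subprocess.run(["ipconfig", "/all"], capture_output=True,
                              text=True, check=True).stdout
    else:
        text = SAMPLE_IPCONFIG   # offline demonstration on non-Windows hosts
    for server, hit in check_dns_servers(parse_dns_servers(text)):
        status = f"ROGUE (in {hit})" if hit else "ok"
        print(f"{server:<16} {status}")
    if rogue_servers(text):
        print("Switch the adapter back to 'Obtain DNS server address automatically' and clean the machine.")
```

Run it from a Command Prompt on the suspect machine; a "ROGUE" line means that adapter is still pointing at the FBI-operated replacement servers and will lose name resolution when they go dark. A clean result only rules out this one symptom, not the bot itself, so the anti-virus scan in Solution 3 still applies.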

Solution 3
The FBI and I both recommend running a good, updated anti-virus scanner to examine your computer. This week I recommend visiting the Microsoft Safety & Security site and downloading the new Microsoft Security Essentials. Microsoft also provides a great tool called Windows Defender Offline that creates a bootable repair CD/DVD. This is something I recommend you have available even if you’re not a victim of DNS Changer.

 

Ultimately, I am pleased to see that the Department of Justice does have some bright folks on staff. I understand it’s not their responsibility to maintain these servers forever, and I’m happy to do my part to educate users before the July 9th deadline.

 

Additional Resources:
PC World: Why Your Internet May Disappear This Summer 4/23/2012

Ars Technica: DoJ, FBI set up command-and-control servers 4/2011

The Telegraph: ‘Internet Doomsday’ July 9 Claims FBI  4/25/2012

DNS Changer Working Group (more articles and cleanup tools)

Microsoft Windows Defender Offline (free download tool)
