DNSChanger Changes the Game
The recent takedown of the DNSChanger botnet was easily the biggest to date. This botnet consisted of over four million infected computers worldwide, with half a million in North America alone, and generated over $14 million in fraudulent Internet advertising revenue over the past five years.
With this attack, the configuration of infected computers had been modified by malware to point to rogue DNS servers, now under the control of the FBI. The irony is that although the DNSChanger threat has been neutralized, Internet access for the infected computers will be disrupted when the rogue DNS servers are decommissioned in March and millions of angry users will be calling the help desk to ask what went wrong with their Internet connection. This has left many Internet service providers with a bit of a conundrum.
How did it work?
DNSChanger is not the result of a single malware infection. Over the five years that it has been in operation, a variety of techniques were used to get control of the victims’ computers and modify their domain name system (DNS) lookup configuration. The most recent infection vector has been the TDSS/Alureon rootkit.
Regardless of the source of the initial infection, the net result is that the default domain name servers in the computer's configuration are changed so that all DNS requests are sent to rogue servers. Mac computers have also been affected, and there are reports that the malware has also used default usernames and passwords to change the DNS settings on home routers such as Linksys, D-Link and Netgear.
Because the rogue servers answer lookups with whatever addresses the operators choose, victims can be sent to fake web sites in place of the ones they asked for. The DNSChanger operators used these fake web sites mostly for ad-click fraud and to push fake anti-virus products. They could also have been used for identity theft, credit card fraud and a host of other criminal activities.
After the takedown
As part of the takedown, the FBI and the Estonian authorities seized the computer operations associated with the DNSChanger scheme, including the rogue DNS servers, so the ad-click fraud and the threat of identity theft are gone. However, to minimize the impact of the takedown on the infected users, the rogue DNS servers have been kept running under the FBI's control and now return legitimate IP addresses in response to requests. The result is that DNS requests from infected computers are, for now, working properly.

Fig1: Excerpt from FBI description of DNSChanger
So what’s the problem for service providers?
The FBI has contacted service providers and asked them to notify infected users and help them get their computers correctly configured. They intend to decommission the DNS servers in March. On that date, Internet access will stop working for any infected computers that are not properly reconfigured.
The problem is not remedied by simply removing the malware. The infected computers must be reconfigured to use the DNS services provided by their service providers. The FBI has released instructions on how to determine if a computer is infected, but it offers little advice on what to do about it, so service providers are faced with the problem of determining which users are infected, notifying them and providing assistance in fixing the problem.
The game-changing aspect of DNSChanger is that when the rogue DNS servers are decommissioned, millions of infected computers will lose Internet access simultaneously and the service providers' help desks could be inundated with calls. Service providers need to find a cost-effective mechanism, like Kindsight Security Analytics, to find out which users are infected, notify them of the malware and get the problem fixed.
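One way a provider could tackle the first of those steps, shown here as an added example that is not Kindsight's or the FBI's code: scan subscriber flow records for DNS queries sent to resolver addresses inside the rogue ranges and build the notification list from the hits. The rogue ranges and the flow records below are constructed placeholders; an operator would substitute the ranges the FBI published for the DNSChanger servers and feed in real edge-router flow logs.

```python
"""Flag subscribers whose DNS queries go to rogue resolver ranges.

Added example, not Kindsight's or the FBI's code. The rogue ranges are
constructed placeholders: replace them with the published DNSChanger list.
"""
import ipaddress
from collections import Counter

# Placeholder rogue-resolver ranges (constructed; not the real DNSChanger ranges).
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]


def is_rogue_resolver(ip):
    """True if the address falls inside any rogue resolver range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ROGUE_RESOLVER_RANGES)


def parse_flow(line):
    """Parse one 'proto src_ip src_port dst_ip dst_port' flow record."""
    proto, src, sport, dst, dport = line.split()
    return proto.lower(), src, int(sport), dst, int(dport)


def find_infected_subscribers(flow_lines):
    """Return {subscriber_ip: query_count} for hosts resolving via rogue servers.

    Only DNS traffic (UDP or TCP to port 53) counts. Other traffic to the same
    ranges is ignored, so a subscriber who merely browsed to an address in a
    rogue range is not flagged as infected.
    """
    hits = Counter()
    for line in flow_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proto, src, _sport, dst, dport = parse_flow(line)
        if proto in ("udp", "tcp") and dport == 53 and is_rogue_resolver(dst):
            hits[src] += 1
    return dict(hits)


# Constructed sample flow records as seen at an ISP edge (subscriber side).
SAMPLE_FLOWS = """
# proto src_ip src_port dst_ip dst_port
udp 10.0.0.5 51234 198.51.100.7 53
udp 10.0.0.5 51235 198.51.100.7 53
udp 10.0.0.9 40001 192.0.2.53 53
tcp 10.0.0.12 44000 203.0.113.9 53
tcp 10.0.0.9 50000 198.51.100.80 80
""".splitlines()

if __name__ == "__main__":
    for subscriber, count in sorted(find_infected_subscribers(SAMPLE_FLOWS).items()):
        print(f"{subscriber}: {count} DNS queries to rogue resolvers, notify user")
```

Subscriber 10.0.0.9 is deliberately left unflagged: its DNS goes to a legitimate resolver and its only contact with a rogue range is web traffic, which is the false positive a naive address match would produce.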
Additional details on the takedown can be found at the TrendMicro Blog.
By Kevin McNamee, Kindsight Security Labs
