Nuke the box: Push underway to clean up 300,000 PCs with DNS virus
- 25 April, 2012 06:24
A PR campaign is underway to clean up as many as 300,000 computers infected with DNSChanger viruses that divert victims' traffic to sites that can further exploit the machines and their owners, but it's not clear that goal can be accomplished without drastic measures.
If a machine is infected with DNSChanger, that infection is often accompanied by a rootkit that is very difficult to remove, says Jose Nazario, senior manager of security research at Arbor Networks.
"The safest thing is to nuke the box and reinstall," Nazario says, meaning that the hard drive should be wiped and the operating system and applications reloaded. "Remediation is one of the toughest challenges we face."
But there are also removal tools that can remove the rootkit without having to reformat, says Barry Greene, the former director of Internet Systems Consortium, a volunteer group that has been working on the problem. "A paranoid security person is going to tell you [reformatting] is what you've got to do," Greene says.
DNSChanger has attracted attention since Nov. 8, 2011, when a major botnet distributing the viruses under the corporate name Rove Digital was taken down by the FBI, NASA Office of the Inspector General and Estonian police. The takedown involved seizing servers in New York, Chicago and Estonia.
It also resulted in the arrest of six men who face charges in the U.S. related to the botnet.
Subsequent to the takedown, special DNS servers managed by Internet Systems Consortium have been put in place to properly handle DNS requests from infected machines. Without these servers, those machines would not be able to connect to sites on the Internet.
The court order allowing these servers to adopt the IP addresses of the ones used by Rove Digital expires July 9, when they will be taken offline. At that point, machines infected with DNSChanger won't be able to reach DNS servers and so won't be able to reach websites.
The public relations push started this week by members of the DNSChanger Working Group urges computer users to check their machines for infection and remediate the problem before July 9. The group has set up a website where users can find out if their machines are infected, remove the viruses and protect the machines from future infection.
The process sounds simple, but it's unclear how effective the dcwg.org-recommended diagnostics are.
The group's website refers visitors to www.dns-ok.us where a check is run on the machine that is connecting. But the results aren't conclusive.
After running the check, the site pops up this notice: "Please note, however, that if your ISP is redirecting DNS traffic for its customers you would have reached this site even though you are infected. For additional information regarding the DNS changer malware, please visit the FBI's website at: http://www.fbi.gov/news/stories/2011/november/malware_110911"
The FBI site doesn't offer any more information about detecting whether machines are infected, but does refer back to www.dcwg.org.
Greene says that the check for infection requires no software download to the machine being tested. Instead, the machine sends a DNS query to a site set up by the testers, who look at where the query came from to see whether it arrived via one of the special Internet Systems Consortium servers. If so, that's an indication the computer is infected.
If a victim's ISP has set up its own DNS servers to handle requests from infected machines, the test site will consider that a legitimate DNS source and conclude that the machine is not infected.
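The two checks described above, written out as an added example (this is not code from the article, the DCWG or dns-ok.us): the first inspects a host's own resolver configuration, which is the check an ISP redirect cannot mask; the second models the test site's view of the query source, including the case where an ISP's intercepting resolver makes the result inconclusive. The address blocks are RFC 5737 placeholder ranges standing in for the published rogue and replacement ranges, and the resolv.conf sample is constructed.

```python
import ipaddress
from typing import Dict, Iterable, List

# PLACEHOLDER address blocks (RFC 5737 TEST-NET ranges), standing in for the
# rogue Rove Digital resolver ranges and the ISC replacement-server ranges that
# the FBI and DCWG published. Substitute the authoritative list before use.
ROGUE_OR_REPLACEMENT_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),      # placeholder: former Rove Digital resolvers
    ipaddress.ip_network("198.51.100.0/24"),   # placeholder: ISC replacement resolvers
]

# PLACEHOLDER: egress addresses of an ISP's own intercepting resolvers.
PLACEHOLDER_ISP_INTERCEPT_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
]

# Constructed sample of /etc/resolv.conf from a host whose resolver settings
# were rewritten by the malware (not a real capture).
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search example.net
nameserver 198.51.100.7
nameserver 8.8.8.8
"""


def parse_nameservers(resolv_conf: str) -> List[str]:
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def check_resolvers(resolv_conf: str,
                    suspect_ranges: Iterable[ipaddress.IPv4Network]) -> Dict[str, bool]:
    """Map each configured nameserver to True if it falls in a suspect range."""
    suspect_ranges = list(suspect_ranges)
    result = {}
    for server in parse_nameservers(resolv_conf):
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            result[server] = False   # unparsable entry: keep it visible, flag nothing
            continue
        result[server] = any(addr in net for net in suspect_ranges)
    return result


def classify_query_source(src_ip: str,
                          replacement_ranges: Iterable[ipaddress.IPv4Network],
                          isp_intercept_ranges: Iterable[ipaddress.IPv4Network]) -> str:
    """Model of a dns-ok.us-style test, seen from the test site.

    The site only sees which resolver forwarded the client's query:
      - from an ISC replacement server: the client still points at the seized
        rogue addresses, so it is infected;
      - from an ISP's own intercepting resolver: the ISP answers on the rogue
        addresses itself, so infected and clean clients look alike to the site
        (the caveat quoted on dns-ok.us);
      - anything else: this test shows no sign of infection.
    """
    addr = ipaddress.ip_address(src_ip)
    if any(addr in net for net in replacement_ranges):
        return "infected"
    if any(addr in net for net in isp_intercept_ranges):
        return "inconclusive"
    return "not-infected"


if __name__ == "__main__":
    print(check_resolvers(SAMPLE_RESOLV_CONF, ROGUE_OR_REPLACEMENT_RANGES))
    for src in ("198.51.100.7", "203.0.113.53", "8.8.8.8"):
        print(src, classify_query_source(src, ROGUE_OR_REPLACEMENT_RANGES,
                                         PLACEHOLDER_ISP_INTERCEPT_RANGES))
```

The local check is the one worth running on a machine you suspect: it reads the configuration the malware actually changed, so it does not depend on what the ISP does with the traffic. The query-source model shows why the web test alone is not conclusive, and why the working group is compiling the list of intercepting ISPs mentioned below.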
The DNSChanger Working Group is compiling a list of ISPs that have set up their own DNS servers to intercept queries from infected machines so their customers can find out from the ISPs whether their machines are infected, Greene says.
He also says that many such ISPs have already mailed letters to their customers whose machines they suspect of being infected. Sending such notifications by email would be easily mistaken for phishing.
The PR push to get the remaining infected computers cleaned up created some unexpected problems for DNSChanger Working Group's website. Traffic jumped from hundreds of hits per day to millions, with 5,000 concurrent connections. The site crashed one day, but it has been beefed up in the meantime, Greene says.
Tim Greene covers Microsoft for Network World and writes the Mostly Microsoft blog. Reach him at firstname.lastname@example.org and follow him on Twitter @Tim_Greene.