Clusters of Infected Machines Indicate a Systemic Problem

 
 
By Wayne Rash  |  Posted 2012-07-07
 
 
 

DNS Changer Malware Could Lock Unwary Users Out of the Internet on July 9


The DNS Changer malware has been all over the news during the last couple of days, and with good reason. If you haven€™t checked that your computers are malware-free and fixed an apparent DNS Changer infection, you won€™t be able to use the Internet very easily come Monday, July 9.  

Monday is the day that the FBI pulls the plug on the Domain Name System (DNS) servers that have been kept running as a safety net for people who were infected by the malware, and as a result were being directed to bogus DNS servers. 

When the servers are taken offline July 9, the only way you€™ll be able to access the Internet if you€™re affected is to type in the actual IP address because your computer won€™t be able to resolve addresses. Fortunately, it€™s easy to tell if you€™re affected, and the problem is easy to fix. Here€™s what you need to do.

First, visit the Website of the DNS Changer Working Group where you€™ll see a description of the DNS Changer and what it does. You€™ll also see a green button that is labeled €œDetect.€ On that page, you€™ll see a chart listing sites around the world that will tell you whether your computer is resolving DNS addresses properly. The site for the United States is www.dns-ok.us and it has a simple interface that presents a green square if your computer is resolving IP addresses properly. 

You should note that when I tried the U.S. site only two of the four browsers on the test computer would actually load it. Firefox and Internet Explorer worked fine, Google Chrome and Apple Safari did not. Neither would load the address at all. Note that this test was done on a machine running a 64-bit version of Windows 7. Other computers have delivered results with various browsers. 

If for some reason you€™re not able to get the site to load, try the European site at http://dns-changer.eu, which I found works more reliably. Note that the European site will record the operating system and browser that you€™re using. 

If you get the all-clear, you€™re probably done. While it€™s possible that your ISP is redirecting the bogus DNS requests for you, you€™ll still get to the Internet. If you want to be totally certain, either check your computer€™s DNS settings manually or have your IT department check them. Note that in addition to the sites listed by the DCWG, other sites including Google and Facebook will alert you if you appear to be having DNS problems related to malware. 

Clusters of Infected Machines Indicate a Systemic Problem


 

But suppose you didn€™t get the green light saying that your computer is OK. If that happens, the DCWG offers a list of places where you can access malware removers that will clean the malware out of your system. Most security vendors, including Symantec, McAfee, Kaspersky and Microsoft, have free software that will clean your system. 

Note that the same page also provides a list of resources for making sure your computer is really free of malware and stays that way. Resources for PC and Macintosh computers are included in these lists. 

Once you€™ve finished the initial tests and fixed the malware infection or its after-effects, it€™s time to review your security posture. While an infected computer or two inside a large organization may not indicate a systemic problem, seeing more than a few will. Likewise, seeing malware infections in clusters within an office will indicate a problem. It may be that a specific remote office isn€™t being as careful as it should, for example, or it may mean that the anti-malware application in that location is compromised. 

If you find that your security systems are compromised, then the answer is clear, call the person in your company who is in charge of data security and ask for help. 

Now, suppose it€™s Monday morning and you just found out that one or more of your computers suddenly can€™t find the Internet when everyone else can. If you haven€™t already downloaded one or more of the free malware removal tools provided by DCWG, you should do so now, even if you have to use a computer outside the office. Save the malware removal tool on a flash drive, take it to the affected computers and before doing anything else, check the DNS settings. 

You may be able to clear up the problem just by fixing the DNS settings. If those settings don€™t stay fixed, then run the malware-removal tool doing the full-system scan. This will take a while. When it€™s finished, the malware will be gone, and you€™ll have a list of what was done. 

None of this is rocket science, but some of it is tedious. Don€™t try to take shortcuts. Instead, do the full removal job. But while you€™re waiting, you can start thinking about what you need to accomplish to make your systems as secure as they should be from now on. 

Rocket Fuel