The DNS Changer malware has been all over the news during the last couple of days, and with good reason. If you havent checked that your computers are malware-free and fixed an apparent DNS Changer infection, you wont be able to use the Internet very easily come Monday, July 9.
Monday is the day that the FBI pulls the plug on the Domain Name System (DNS) servers that have been kept running as a safety net for people who were infected by the malware, and as a result were being directed to bogus DNS servers.
When the servers are taken offline July 9, the only way youll be able to access the Internet if youre affected is to type in the actual IP address because your computer wont be able to resolve addresses. Fortunately, its easy to tell if youre affected, and the problem is easy to fix. Heres what you need to do.
First, visit the Website of the DNS Changer Working Group where youll see a description of the DNS Changer and what it does. Youll also see a green button that is labeled Detect. On that page, youll see a chart listing sites around the world that will tell you whether your computer is resolving DNS addresses properly. The site for the United States is www.dns-ok.us and it has a simple interface that presents a green square if your computer is resolving IP addresses properly.
You should note that when I tried the U.S. site only two of the four browsers on the test computer would actually load it. Firefox and Internet Explorer worked fine, Google Chrome and Apple Safari did not. Neither would load the address at all. Note that this test was done on a machine running a 64-bit version of Windows 7. Other computers have delivered results with various browsers.
If for some reason youre not able to get the site to load, try the European site at http://dns-changer.eu, which I found works more reliably. Note that the European site will record the operating system and browser that youre using.
If you get the all-clear, youre probably done. While its possible that your ISP is redirecting the bogus DNS requests for you, youll still get to the Internet. If you want to be totally certain, either check your computers DNS settings manually or have your IT department check them. Note that in addition to the sites listed by the DCWG, other sites including Google and Facebook will alert you if you appear to be having DNS problems related to malware.
Clusters of Infected Machines Indicate a Systemic Problem
But suppose you didnt get the green light saying that your computer is OK. If that happens, the DCWG offers a list of places where you can access malware removers that will clean the malware out of your system. Most security vendors, including Symantec, McAfee, Kaspersky and Microsoft, have free software that will clean your system.
Note that the same page also provides a list of resources for making sure your computer is really free of malware and stays that way. Resources for PC and Macintosh computers are included in these lists.
Once youve finished the initial tests and fixed the malware infection or its after-effects, its time to review your security posture. While an infected computer or two inside a large organization may not indicate a systemic problem, seeing more than a few will. Likewise, seeing malware infections in clusters within an office will indicate a problem. It may be that a specific remote office isnt being as careful as it should, for example, or it may mean that the anti-malware application in that location is compromised.
If you find that your security systems are compromised, then the answer is clear, call the person in your company who is in charge of data security and ask for help.
Now, suppose its Monday morning and you just found out that one or more of your computers suddenly cant find the Internet when everyone else can. If you havent already downloaded one or more of the free malware removal tools provided by DCWG, you should do so now, even if you have to use a computer outside the office. Save the malware removal tool on a flash drive, take it to the affected computers and before doing anything else, check the DNS settings.
You may be able to clear up the problem just by fixing the DNS settings. If those settings dont stay fixed, then run the malware-removal tool doing the full-system scan. This will take a while. When its finished, the malware will be gone, and youll have a list of what was done.
None of this is rocket science, but some of it is tedious. Dont try to take shortcuts. Instead, do the full removal job. But while youre waiting, you can start thinking about what you need to accomplish to make your systems as secure as they should be from now on.