
Renewed efforts to revert DNSChanger in effect

The effort to clean up the DNSChanger malware attack is seeing renewed focus as the rogue DNS server shutdown deadline approaches on July 9.

Topher Kessler MacFixIt Editor
Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.

One of the more widespread malware attacks that has affected Macs, Windows-based PC systems, and even network hardware such as routers is the DNSChanger Trojan, which has also been known as "RSPlug," "Puper," and "Jahlav."

This Trojan was first discovered in 2007, and was able to infect millions of PC systems worldwide. It remained active until 2011 when an FBI sting called Operation Ghost Click resulted in the arrest of an Estonian crime ring and seizure of the rogue DNS network used to maintain the attack.

The DNSChanger malware worked by setting up a background process in an affected computer that changed the user's DNS server settings to the rogue DNS network, which was then used by hackers to redirect valid URLs to malicious Web sites. These sites tricked people into giving up personal information, and in the roughly three years in which it was active, the crime ring raked in about $14 million in stolen funds.

After the FBI seizure, it was apparent the rogue DNS servers could not simply be shut down. The DNS system is often called the Internet's phone book: it translates the host name in a URL such as "http://www.cnet.com" to the IP address of the server hosting the Web site. This is true not only for Web sites but also for any other Internet-based service in use, including servers for e-mail, backups, synchronization, chat programs, and calendars.

If the FBI had simply shut down the DNS network, the millions of computers affected by the malware would instantly have lost the ability to reach the Internet, and given the scope of the infection, that would have cut off many users at once and very likely had a notable negative impact globally. Nor would it have helped for users of infected systems to check and change their DNS settings, since the still-running malware would continually revert them and thereby keep disrupting communications.

To prevent this, the FBI instead chose to keep the rogue DNS servers active and convert them into a legitimate DNS system for infected computers. Since November 2011, there has been a campaign to notify users of the DNSChanger malware and offer services to help users identify systems that are infected.

While the number of systems infected with DNSChanger has diminished over time, the rate of decline has not met the FBI's expectations. The FBI and German Federal Office for Information Security originally scheduled the rogue DNS servers to be shut down on March 8, but given that by March 7 there were still around 450,000 active infections of the DNSChanger malware, the date of the shutdown was pushed back to July 9.

In addition to pushing back the date of the shutdown, the FBI has made renewed efforts to inform users of the DNSChanger problem, and on its Web site is promoting its story on the DNSChanger takedown and what users can do about it. In addition to the FBI coverage, the DNSChanger working group (or DCWG) has a new Web site available that offers options for detecting and fixing the problem.

As we've covered in the past, you can use numerous malware scanning tools to locate and remove the DNSChanger malware from your system, and also use the FBI's DNS IP checking tool to check your DNS server settings and determine if your system's settings were changed by the malware. You can get a list of the DNS servers on your system in the network settings. In OS X you can go to the Network system preferences, and for each active connection click the Advanced button and check the servers under the DNS tab.
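The check described above, resolver addresses compared against the known rogue ranges, is simple to reproduce locally. The following script is an added example, not the FBI's or DCWG's tool; it parses the `nameserver[n] : address` lines that `scutil --dns` prints on OS X and flags any resolver that falls inside a listed rogue network. The two networks in `ROGUE_DNS_NETWORKS` are RFC 5737 documentation ranges used as placeholders, not the real DNSChanger ranges, and the `scutil` output it parses by default is a constructed sample; substitute the published list and run it against the live command.

```python
import ipaddress
import re
import subprocess

# PLACEHOLDER ranges (RFC 5737 documentation space) standing in for the rogue
# DNSChanger ranges, which are not reproduced here. Replace with the published list.
ROGUE_DNS_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Matches lines such as "  nameserver[0] : 192.0.2.53" in `scutil --dns` output.
NAMESERVER_RE = re.compile(r"nameserver\[\d+\]\s*:\s*(\S+)")

# Constructed sample in the shape of `scutil --dns` output (not captured from a real host).
SAMPLE_SCUTIL_OUTPUT = """DNS configuration

resolver #1
  nameserver[0] : 192.0.2.53
  nameserver[1] : 203.0.113.1
  if_index : 4 (en0)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 192.0.2.53
  nameserver[1] : fe80::1%en0
  if_index : 4 (en0)
"""


def parse_scutil_dns(output):
    """Return the distinct resolver addresses from scutil-style output, in order of appearance."""
    servers = []
    for match in NAMESERVER_RE.finditer(output):
        addr = match.group(1)
        if addr not in servers:
            servers.append(addr)
    return servers


def flag_rogue_servers(servers, rogue_networks=ROGUE_DNS_NETWORKS):
    """Return the subset of `servers` that lies inside any rogue network.

    Link-local IPv6 entries carry a zone id ("fe80::1%en0"); the zone is stripped
    before parsing, and anything that still is not an IP address is skipped.
    """
    flagged = []
    for server in servers:
        try:
            ip = ipaddress.ip_address(server.split("%", 1)[0])
        except ValueError:
            continue
        if any(ip in net for net in rogue_networks):
            flagged.append(server)
    return flagged


def check_live_system():
    """Run `scutil --dns` on this Mac and return the flagged resolvers (empty list = clean)."""
    out = subprocess.run(["scutil", "--dns"], capture_output=True, text=True, check=True).stdout
    return flag_rogue_servers(parse_scutil_dns(out))


if __name__ == "__main__":
    # Demonstrate on the constructed sample; swap in check_live_system() on a real Mac.
    found = flag_rogue_servers(parse_scutil_dns(SAMPLE_SCUTIL_OUTPUT))
    if found:
        print("Resolvers inside a listed rogue range:", ", ".join(found))
    else:
        print("No configured resolver falls inside a listed rogue range.")
```

Run on a real machine, `check_live_system()` covers every resolver the system actually uses, including the per-interface scoped resolvers that the Network preferences pane shows only one connection at a time.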

While the FBI has these tools that people can use to check their systems, one wonders why the FBI cannot use the seized servers to issue a DNS redirect of its own, notifying affected people of the problem and providing resources for clearing the malware off affected systems. This would be relatively easy to implement, but so far those spearheading the DNSChanger cleanup have not done this.
