X

Google alert claims users' Internet may shut down July 9

Google is spreading information about the DNSChanger malware, but for some the warnings may persist even after removing the malware.

Topher Kessler MacFixIt Editor
Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.
See full bio
Topher Kessler
5 min read

If you have been browsing the Web lately and have used Google's search services, you may find the search results page show a warning at the top that states "Your computer appears to be infected" along with a small description about systems not being able to connect to the Internet in the future. The message also includes a link to an information page that generally describes what malware is and how to detect it.

This alert has had a few people concerned about their abilities to stay online.

MacFixIt reader Naomi writes:

"I noticed the google message saying my computer is infected and I have clicked on the links to clean up the malware/spyware/ whatever it is -- but the message is still there. Then I read that my Internet will go dead on July 9th!!! I followed the instructions to check my Mac for malware, and spent ages removing the detected spyware. Having run those tests, I thought the Google notice would not appear on the top of the Google searches, but it's stil there today."

As CNET's Declan McCullagh reported yesterday, this message from Google is an effort to help people who were infected with a widespread malware infection called "DNSChanger."

The DNSChanger malware is a Trojan horse infection that at its peak affected approximately 4 million PC systems worldwide, with about 500,000 of those being in the United States. When installed, the malware changes the system's DNS server settings to point to a rogue DNS network set up by the malware developers.

DNS Changer infection rates
The number of DNSChanger-infected systems was at around 450,000 worldwide at the end of January, but remains at around 330,000 today. DCWG

The DNS network is essentially the phone book for the Internet, and allows the system to convert URL names such as "www.cnet.com" to the IP address for the Web site (a number that the computer and network devices can use). The effort behind the DNSChanger malware was to interfere with this IP address lookup routine and provide a false IP number to the computer. As a result, if you typed in the URL of a legitimate Web site, then the malware developers could redirect you to a fake Web site that tries to phish information from you, have you click on ads for revenue, or otherwise perform unwanted behavior.

In November 2011, the FBI and authorities from other countries arrested the crime ring behind the malware; however, they were faced with a problem about how to fix the millions of PCs that have been infected with the malware. For these systems, their DNS server settings will continually revert to point to the rogue DNS network, even if they are manually changed by the user. Therefore, in order to keep affected people online, the FBI kept the rogue DNS network active, and only converted it to be a legitimate DNS service.

This setup was intended to be a temporary fix while people removed the malware from their systems; however, the eradication of the malware has taken a lot longer than anticipated. The rogue servers were originally to be shut down on March 8, but by that time an estimated 450,000 systems were still infected so the shutdown date was pushed back to July 9.

Even with the criminal arrests and seizure of the DNS network over 6 months ago, an estimated 330,000 systems are still infected to this date, with about 77,000 of them being in the U.S.

This slow response for removing the malware is in part because users with the malware were not properly informed of the issue. Their Internet connections have continued to work just fine, so there has been no reason for them to suspect any problems.

Windows DNS lookup using the command line
OS X DNS server lookup with the Terminal
By running these commands in the Windows Command Line or the OS X Terminal you can look up the DNS server settings on your system, though this can also be done in the control panel and system preferences. (click for larger view) Screenshots by Topher Kessler/CNET

As the July 9 shutdown deadline looms, these systems are in danger of losing their ability to resolve URLs to their respective IP addresses, and thereby lose their ability to connect to the Internet. Because this threatens the connectivity of thousands of PC systems, to help inform people of this malware threat, Google has implemented a service that determines if the rogue DNS network is being used by your computer, and then issues you the warning.

If you see this warning, then there are several things you can do:

  1. Check your DNS settings
    Since the DNSChanger malware alters your DNS settings, you can easily determine if your system is infected by going to your network settings and looking up your DNS servers. Alternatively you can use the OS X Terminal utility (in the /Applications/Utilities) folder to look up your DNS servers by running the following command (change "Wi-Fi" to "Ethernet" if you use ethernet connections):

    networksetup -getdnsservers "Wi-Fi"


    If you use Microsoft Windows (even within a Virtual Machine or Boot Camp on your Mac), then you can look up this same information by going to the Windows command line and then running the following command:

    ipconfig /all


    In addition to checking the DNS settings on your computers, be sure to check the settings in your router (consult your router's manual for how to do this). Later variants of the DNSChanger malware did affect hardware routers and change their DNS settings, which would in turn affect all systems on the network.

    With your DNS IP addresses known, you can then use the FBI's DNS IP checker tool to ensure they are legitimate DNS servers.
  2. Update antivirus utilities
    Another step you can take is to update or install an antivirus utility on your computer, and have it scan the system for known malware with the latest malware definitions. Most utilities should have fully updated definitions for the DNSChanger variants, and should be able to detect them. Some good options you can try are the free Sophos Home Edition scanner, ClamXav, and Symantec's rerelease of iAntivirus for Mac, and PC Tools, AVG, and Avast for PC systems (these are only a few out of many good options).
  3. Run DNSChanger removal tools
    In addition to global anti-malware tools that will detect and remove all types of malware, there are some standalone tools that were built to directly detect and remove the DNSChanger malware, such as the DNSChanger Removal Tool for Mac.
  4. Clear browser caches and monitor the system
    After checking your DNS server settings, changing them to legitimate ones (such as those from your ISP), and perhaps scanning your system with an antivirus tool, be sure to continue monitoring your DNS settings to ensure they do not revert. If so, then you have not properly tackled the problem, but if you have removed the malware from your system, then the DNS settings should remain as you set them.

    In addition to monitoring your system's settings, be sure to clear your browser's caches and cookies (see how to do this for various browsers in this article), to prevent warnings from being inadvertently reloaded after you have cleaned your system and networked devices of the malware and rogue settings.

Questions? Comments? Have a fix? Post them below or e-mail us!
Be sure to check us out on Twitter and the CNET Mac forums.

Computing Guides

Laptops
Desktops & Monitors
Computer Accessories
Photography
Tablets & E-Readers
3D Printers
Computing Coupons