
Operation Ghost Click DNS servers to remain online until July

Courts order the malicious (but tamed) DNSChanger network to continue functioning until the malware infection is better controlled.

Topher Kessler MacFixIt Editor
Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.

Last year's DNSChanger malware scam was an effort by a small crime ring of Estonian nationals to steal personal information. The scam worked by distributing malware that when installed would change the user's DNS settings to point to the crime ring's rogue DNS network. Since the DNS system is essentially the Internet's phone book, this allowed the crime ring to route seemingly valid Web site URLs to malicious servers.

Using this malware, the crime ring was able to get personal information and use it to steal millions of dollars before the FBI's Operation Ghost Click sting resulted in a number of arrests and the seizure of the rogue DNS network. At this point the FBI had the option to destroy the network; however, because many people's DNS settings had been switched to point to this network, the FBI decided to use it to its advantage and turn the stolen servers into valid DNS servers.

This allowed PCs infected with the malware to continue working and accessing the Internet, instead of experiencing sudden outages that could have affected the millions of systems still infected with the DNS-changing malware.

[Chart: DNS Changer infections per day. According to the DNS Changer Working Group, despite reduced numbers, around 450,000 systems are still infected. Credit: DCWG]

In January of this year, the German Federal Office for Information Security announced that the tamed DNS network would be shut down on March 8; however, it appears that the effort to clear the DNSChanger malware from the millions of infected PCs has taken much longer than expected, with hundreds of thousands still infected, according to the DNS Changer Working Group. Therefore, the closure of the rogue DNS network has been delayed for four months, and it is now scheduled to be shut down on July 9, 2012.

This development suggests that even though progress is being made to reverse the harm from the DNSChanger malware, it is still affecting a number of systems. Should the DNS servers be shut down, these systems would lose the ability to connect to the Internet, even if their DNS settings were changed manually, because the malware on them would automatically switch the settings back. As a result, this extended window gives people more opportunity to check their systems and ensure they are free of the DNSChanger malware.

To help with this process, the FBI has a DNS IP Checker Web page that you can use to check your DNS servers. Your DNS server settings will be located either in your router's settings or in the network connection settings for your system. In OS X you can open the Network system preferences, go to the advanced settings for your active network connection (Ethernet or Wi-Fi), and then see the DNS settings in the DNS tab. Alternatively you can open the Terminal utility and enter the following command to list the active DNS servers (change "Wi-Fi" to "Ethernet" for Ethernet connections):

networksetup -getdnsservers "Wi-Fi"

When you get the list of DNS servers your system is using, enter them into the FBI's checker site to see if they are suspect servers, and if so, then you can use any of a number of malware scanners to detect and remove the malware from your system.
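As an added example (not from the article, the FBI or the DCWG), the shell script below automates the check described above for every network service on a Mac: it runs networksetup for each service and flags any IPv4 DNS server that falls inside a configurable list of suspect ranges. The SUSPECT_RANGES values shown are RFC 5737 documentation placeholders, not the real rogue addresses; substitute the ranges the FBI checker or DCWG publish before relying on the result.

```shell
#!/bin/sh
# Placeholder ranges (RFC 5737 documentation space), NOT the real DNSChanger
# addresses. Override: SUSPECT_RANGES="a.b.c.d/nn e.f.g.h/nn" ./check-dns.sh
SUSPECT_RANGES="${SUSPECT_RANGES:-192.0.2.0/24 198.51.100.0/24}"

# Convert a dotted-quad IPv4 address to an integer; fails on anything else.
ip_to_int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed (status 0) when address $1 lies inside CIDR range $2 (IPv4 only).
ip_in_cidr() {
    ip=$(ip_to_int "$1") || return 1
    net=$(ip_to_int "${2%/*}") || return 1
    case $2 in */*) bits=${2#*/} ;; *) bits=32 ;; esac
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Print "suspect" if $1 is in any configured range, otherwise "ok".
classify_dns() {
    for r in $SUSPECT_RANGES; do
        if ip_in_cidr "$1" "$r"; then echo suspect; return 0; fi
    done
    echo ok
}

# macOS only: walk every network service and report its resolvers.
# The first line of -listallnetworkservices is a legend, and disabled
# services are prefixed with "*", so both are stripped.
check_all_services() {
    networksetup -listallnetworkservices | sed 1d | while IFS= read -r svc; do
        svc=${svc#\*}
        networksetup -getdnsservers "$svc" | while IFS= read -r srv; do
            case $srv in
                *[!0-9.]*) printf '%s: %s\n' "$svc" "$srv" ;;  # message or IPv6
                *) printf '%s: %s (%s)\n' "$svc" "$srv" "$(classify_dns "$srv")" ;;
            esac
        done
    done
}

if [ "$(uname)" = Darwin ]; then check_all_services; fi
```

The script only reads the Mac's own configuration; a rogue resolver set on the router would still need to be checked from the router's admin page.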
