Monday the FBI will shut down servers associated with the DNSChanger malware. As a result, computers still infected with this threat will likely no longer be able to access the Internet. With at least 300,000 computers still infected with DNSChanger, this situation could be a challenge for many computer users, especially SMBs. Like companies of all sizes, SMBs rely heavily on the Internet for everything from day-to-day tasks to their ecommerce operations, so an Internet “blackout” is a significant problem. Combined with the fact that SMBs often lack dedicated IT staff, the DNSChanger situation could be a recipe for disaster unless the proper steps are taken. Symantec's experts have provided responses that offer useful insights:
Q: Why is the DNSChanger making news?
It is malware that changes the Domain Name System (DNS) settings on the compromised computer, hence the name.
Q: What are these DNS settings and how do they affect me?
DNS is an Internet service that converts user-friendly domain names into the numerical Internet protocol (IP) addresses that computers use to talk to each other. When you enter a domain name into your Web browser address bar, your computer contacts DNS servers to determine the IP address for the website. Your computer then uses this IP address to locate and connect to the website. DNS servers are operated by your Internet service provider (ISP) and are included in your computer’s network configuration.
Q: So what does DNSChanger do then?
By changing a computer’s DNS settings, malware authors can control what websites a computer connects to on the Internet and can force a compromised computer to connect to a fraudulent website or redirect the computer away from an intended website. To do that, a malware author needs to compromise a computer with malicious code, which in this case is DNSChanger. Once the computer is compromised, the malware modifies the DNS settings from the ISP’s legitimate DNS server’s address to the rogue DNS server’s address.
Q: If the FBI caught the international ring, why is there still a potential threat?
The FBI, through the court order, asked the Internet Systems Consortium (ISC) to deploy and maintain clean DNS servers in place of the rogue ones operated by the bad guys, to give users with compromised computers enough time to remove the threat. This is only a temporary solution, however, and the servers operated by ISC under the court order will go offline on July 9, 2012. Once that happens, computers that are still compromised will lose access to the Internet, causing a "blackout". Latest statistics show that there are at least 300,000 computers still being redirected to the rogue DNS servers now being controlled by the FBI.
Q: Will the computers compromised by this threat only lose access to some sites?
No, all sites. Connectivity to the Internet will be lost entirely. If your computer is still using DNS entries that point to the FBI-controlled servers on July 9, you will lose all access to the Internet.
Q: How can I find out if my computer is compromised by DNSChanger?
A task force called the DNSChanger Working Group (DCWG) has been created to help people determine if their computers have been compromised by this threat, and also to help them remove the threat. Users can go to the DNS Changer Check-Up page, maintained by the DCWG, to determine whether their computer is compromised or not. There are other pages in various languages maintained by other organizations listed on the DCWG’s Detect page. Various organizations are proactively informing users that their computers are compromised by DNSChanger. The FBI has also put together instructions on how to determine manually if a computer has been compromised or not. In addition to detecting the malicious component, Symantec customers whose computer has been compromised by DNSChanger are notified through our endpoint products with a detection called SecurityRisk.FlushDNS. Our write-up contains more information and includes manual removal instructions. If a user is in doubt about how to change their DNS settings, they should contact their ISP or network administrator.
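The manual check the FBI describes boils down to reading the resolver addresses in the computer's network configuration and comparing them against the published rogue ranges. The script below is an added example, not part of the original article or of any Symantec, FBI or DCWG tooling: it parses the two common places those addresses appear (a Linux/macOS `/etc/resolv.conf` and the `DNS Servers` field of Windows `ipconfig /all` output) and flags any resolver that falls inside a rogue network. The ranges and the sample configurations in it are constructed placeholders (RFC 5737 documentation networks), since this page does not list the actual DNSChanger address ranges; a real check would substitute the ranges published by the DCWG.

```python
"""Flag configured DNS resolvers that fall inside known-rogue address ranges.

Added example. ROGUE_RANGES below are placeholders (RFC 5737 TEST-NET blocks),
not the real DNSChanger ranges; substitute the ranges published by the DCWG/FBI.
"""
import ipaddress
import re
from typing import Iterable, List, Tuple

# Placeholder rogue ranges, constructed for this example only.
ROGUE_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),     # TEST-NET-1 (placeholder)
    ipaddress.ip_network("198.51.100.0/24"),  # TEST-NET-2 (placeholder)
]

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def resolvers_from_resolv_conf(text: str) -> List[str]:
    """Return the nameserver addresses listed in /etc/resolv.conf contents."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if line.startswith("nameserver"):
            parts = line.split()
            if len(parts) >= 2:
                servers.append(parts[1])
    return servers


def resolvers_from_ipconfig(text: str) -> List[str]:
    """Return the IPv4 addresses under 'DNS Servers' in `ipconfig /all` output.

    ipconfig prints extra resolvers on continuation lines that carry no
    'field . . . : value' separator, so collection continues until the next
    field or a blank line.
    """
    servers = []
    collecting = False
    for line in text.splitlines():
        if "DNS Servers" in line:
            collecting = True
            servers.extend(_IPV4.findall(line))
            continue
        if collecting:
            if " : " in line or not line.strip():
                collecting = False  # next field or blank line ends the list
                continue
            servers.extend(_IPV4.findall(line))
    return servers


def check_resolvers(servers: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (address, rogue_network) pairs for every resolver inside a rogue range."""
    hits = []
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            continue  # skip anything that is not a literal IP address
        for net in ROGUE_RANGES:
            if addr in net:
                hits.append((s, str(net)))
                break
    return hits


# Constructed sample inputs (not captured from a real machine).
SAMPLE_RESOLV_CONF = """# Generated by NetworkManager
search example.internal
nameserver 10.0.0.1
nameserver 192.0.2.53   # points into a placeholder rogue range
"""

SAMPLE_IPCONFIG = """Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.internal
   IPv4 Address. . . . . . . . . . . : 10.0.0.15
   DNS Servers . . . . . . . . . . . : 198.51.100.7
                                       10.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for label, servers in (("resolv.conf", resolvers_from_resolv_conf(SAMPLE_RESOLV_CONF)),
                           ("ipconfig", resolvers_from_ipconfig(SAMPLE_IPCONFIG))):
        print(f"{label}: resolvers={servers} rogue_hits={check_resolvers(servers)}")
```

To run it against a live machine, feed `resolvers_from_resolv_conf` the contents of `/etc/resolv.conf`, or pipe the output of `ipconfig /all` into `resolvers_from_ipconfig`; any hit means the resolver settings should be restored to the ISP's or network administrator's servers, as the article advises.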
Source: CIOL Bureau