A piece of malware called the DNSChanger Trojan has infected many computers, and many of them are still infected. What does it do?
It alters the user's DNS settings so that every name lookup goes to rogue DNS servers hosted in data centers in Estonia, New York, and Chicago. Once they control name resolution, the rogue DNS servers can do many things, such as:
- return fake, malicious answers and alter users' search results, and
- promote fake and dangerous products.
Using this technique, the thieves earned $14 million in illicit fees before they were caught by the FBI.
To counter this, the court issued an order, expiring on March 8, under which the Internet Systems Consortium (ISC) operates replacement DNS servers at the addresses of the rogue network. This gives affected networks enough time to identify infected hosts without disrupting the machines that are still pointed at those addresses. The flip side is that an infected machine keeps working normally as long as the replacement servers answer, so the infection is invisible from the user's side; checking which resolvers a host (or its home router) is actually configured to use is the reliable way to spot it.
Many internet connections could come to a standstill on March 8, but not necessarily:
The court order allowed the FBI's replacement servers to stay online for 120 days. That original 120-day period ends on March 8, 2012; however, experts believe millions of computers are still infected, which is where the 'Internet Doomsday' phrase comes from.
The FBI has asked the court to extend the order until July 9, 2012, which would give users an additional 120 days to get their computers cleaned up, essentially postponing the doomsday threat.
Despite the clean-up efforts, many machines, possibly including yours, are still affected. You are impacted if the DNS server entries on your machine fall into any of the following ranges, which are the ones listed in the FBI's DNSChanger self-check document (you can use that document to do the check by hand as well):
- 85.255.112.0 through 85.255.127.255
- 67.210.0.0 through 67.210.15.255
- 93.188.160.0 through 93.188.167.255
- 77.67.83.0 through 77.67.83.255
- 213.109.64.0 through 213.109.79.255
- 64.28.176.0 through 64.28.191.255
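The self-check above is easy to automate. The script below is an added example written for this page; it is not the FBI's tool or code from the original post. It embeds the six rogue ranges from the FBI's DNSChanger document, scans resolver configuration text for IPv4 addresses, and reports any that fall inside those ranges. The function names, the `check_file` wrapper, and the two sample inputs (a Linux `/etc/resolv.conf` and an excerpt of Windows `ipconfig /all` output) are assumptions constructed for the example, not real captures.

```python
import ipaddress
import re

# The six rogue resolver ranges listed in the FBI's DNSChanger self-check
# document, as (first address, last address) pairs.
ROGUE_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]
_RANGES = [(ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))
           for lo, hi in ROGUE_RANGES]

# Dotted-quad matcher; every candidate is validated with ipaddress afterwards,
# so an octet above 255 is rejected rather than silently accepted.
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_rogue(addr: str) -> bool:
    """True if addr is a valid IPv4 address inside one of the rogue ranges."""
    try:
        ip = ipaddress.IPv4Address(addr)
    except ipaddress.AddressValueError:
        return False  # malformed, or not IPv4 (e.g. an IPv6 literal)
    return any(lo <= ip <= hi for lo, hi in _RANGES)


def find_rogue_resolvers(text: str) -> list:
    """Scan resolver configuration text and return the rogue addresses in it.

    Handles /etc/resolv.conf ('nameserver 1.2.3.4') and the
    'DNS Servers . . . : 1.2.3.4' block printed by `ipconfig /all`, whose
    additional servers appear on continuation lines holding only an address.
    Comment lines are skipped; each hit is reported once, in order of first
    appearance.
    """
    hits = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        for candidate in _IPV4_RE.findall(stripped):
            if is_rogue(candidate) and candidate not in hits:
                hits.append(candidate)
    return hits


def check_file(path: str) -> list:
    """Hypothetical convenience wrapper: read a config file and check it."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_rogue_resolvers(fh.read())


# Constructed sample inputs (not real captures): one Linux resolv.conf and one
# Windows ipconfig excerpt, each with a rogue entry next to a clean one.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager (constructed sample)
nameserver 85.255.112.36
nameserver 8.8.8.8
"""

SAMPLE_IPCONFIG = """\
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       93.188.160.5
"""

if __name__ == "__main__":
    for name, sample in (("resolv.conf", SAMPLE_RESOLV_CONF),
                         ("ipconfig", SAMPLE_IPCONFIG)):
        rogue = find_rogue_resolvers(sample)
        print(f"{name}: {'ROGUE ' + ', '.join(rogue) if rogue else 'clean'}")
```

Run it as `python3 dnschanger_check.py` to see the two samples flagged, or call `check_file("/etc/resolv.conf")` on a Linux host and paste `ipconfig /all` output into `find_rogue_resolvers` on Windows. One caveat a practitioner should keep in mind: if the only resolver a host lists is its home router (a private address such as 192.168.1.1), the check has to be repeated against the router's upstream DNS settings, since DNSChanger also rewrote those on routers that still had default credentials.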