Parental Controls affect DNSChanger Check-Up Sites

The DNSChanger test that Google, Facebook and the many DNS-OK sites perform do not give the correct results when the computer uses a remote web-filter (or web-proxy) from e.g. their Internet access provider.

In order to explain what causes this, we first need to recap a little of what we wrote earlier this week.

In November 2011, after a two-year FBI probe called Operation Ghost Click, six Estonian nationals were arrested on charges of fraud. They infected computers worldwide with malware called DNSChanger. In conjunction with the Estonian police, the FBI seized the servers used by the cybercriminals but were kept online so as to not disrupt the Web activities of those infected. If the FBI had merely shut down the rogue servers, many of those infected wouldn’t have been able to access the Web at all. That means no websites, no e-mail, and no Facebook.

The DNS Changer Working Group (DCWG), that’s been maintaining the FBI servers since their seizure, has created a website that allows you to check if your computer is infected. People are encouraged to check their devices by visiting this website to see if their computer is infected. If infected, they’re then directed to information on how to remove the malware.

It is estimated that over half of the users with an infected computer are not English speaking, so Computer Emergency Response Teams (CERTs, aka CSIRTs) active in many countries setup a localized version of the DNS-OK site. Using articles in local newspapers, people were encouraged to check their systems. To reach even more people, Google and Facebook also started notifying victims of the DNSChanger malware.

Millions of Internet users checked their devices using one of the many DNS-OK websites or through Google or Facebook. And with good results: a tremendous amount of devices have been cleaned till date. But still, despite great efforts, around 300,000 devices are still not cleaned. How come? Don’t these people use Google or Facebook?

False sense of security
The DNS test that Google, Facebook and the many DNS-OK sites perform do not give the correct results when the computer uses a remote web-filter (or web-proxy) from e.g. their Internet access provider. While users expect their own DNS settings to be checked, a remote web-filter will cause the DNS-OK website to check the DNS settings of the filter instead. This means that the DNS-OK site will show green even though the user’s computer could still be infected, giving him or her a false sense of security.

Security as a Service
For example, many ADSL Internet contracts include network-based web-filtering services. These remote web-filters act as an intermediary and retrieves and evaluates webpages and downloads before sending it to the computer of the user. This service, also known as Security as a Service (or SaaS), doesn’t involve any software setup or action from the end-user. It limits children from accessing inappropriate content (parental control), controls the download of certain files (e.g. spyware, pirated software) and optionally filters unwanted web advertising from web content. All good news. But on the other hand this filter prevents accurate DNS testing on any of the DNS-OK websites and affects the check performed by Google and Facebook as well.

Figure 1: The DNSChanger Check-Up Site ( says the infected computer is not affected, while in fact it is.

Figure 2: A name lookup reveals the problem. The remote web-filter returns the wrong IP address.

Figure 3: The same infected computer on a connection without remote web-filtering: correct response.

Because the DCWG is unable to count the infected computers that use a network-based security service, the actual amount of infected computers is very likely higher than the current 300,000.

What to do: check again, manually
The Internet provider cannot be blamed for offering Security as a Service. So if you use an “in-the-cloud” remote web-filter, web or DNS-proxy or safe gateway from e.g. your Internet access provider, and you got a green OK on e.g. your computer might still be infected. So you might want to check out the Fix page over at DCWG again. Because to prevent losing web and/or e-mail access on July 9, you should follow these two steps:

  1. Check your DNS settings manually, because (and other test sites) cannot perform a reliable test in your situation.
  2. Use a second opinion antivirus program to scan your computer for the Alureon rootkit (aka TDSS, Olmarik, TDL4) that distributed the DNSChanger malware. Currently, Alureon ranks #4 on our May 2012 malware prevalence list since it successfully hides from antivirus software since 2009. So checking your computer with your regular antivirus software will not be sufficient.

About the DNSChanger malware
The DNSChanger Trojan changed the DNS settings on the computer, redirecting websites entered by the user to other unsolicited, and potentially illegal sites. If personal information was entered on these websites, it could’ve lead to identity theft.

Comments are closed.

%d bloggers like this: