275,000 computers lose Internet access on July 9

June 27, 2012

On many computers deemed safe and protected by up-to-date antivirus software, the Alureon rootkit is still one of the most prevalent infections that HitmanPro encounters. Over the last few years the Alureon rootkit (aka TDSS, TDL and Olmarik) has evolved and been used for all kinds of different attacks, from drive-by downloads to targeted attacks aimed only at a specific group of people. One of its lesser known jobs was to distribute the DNSChanger Trojan.

Beginning in 2007, the DNSChanger Trojan hijacked web traffic by changing the DNS (Domain Name System) settings on an infected computer. As a result, victims were diverted to malicious websites instead of the requested website. In other words, once the Trojan has altered the DNS settings, DNS queries are redirected to the attacker-controlled DNS servers, which forces the user to visit malicious websites, where the scammers also earned millions of dollars in affiliate and referral fees.

On November 8, 2011 the FBI arrested six Estonian nationals who were operating over a hundred malicious DNS servers in data centers in Estonia, New York and Chicago. Along with these arrests, the servers involved with the DNSChanger malware were seized. Since machines with modified DNS settings would be unable to access the Internet once the malicious DNS servers went offline, the FBI obtained a court order that allowed the non-profit Internet Systems Consortium (ISC) to set up alternate DNS servers to temporarily replace the malicious servers. These servers were intended to give people time to clean up the infection. The court order was originally set to expire March 8 this year, but prosecutors filed for an extension because over 400,000 computers still remained infected. The new deadline for getting cleaned up and averting the Internet blackout is now July 9, 2012.

DCWG, Google, Facebook, CloudFlare
To remediate users and help the FBI with the alternate DNS servers, the DNS Changer Working Group (DCWG) was created. The DCWG is an ad hoc group of subject matter experts, and includes members from organizations such as Georgia Tech, Internet Systems Consortium, Mandiant, National Cyber-Forensics and Training Alliance, Neustar, Spamhaus, Team Cymru, Trend Micro, and the University of Alabama at Birmingham.

To speed up the slow remediation rate, Google started notifying affected users in May 2012, showing a special warning message at the top of the Google search results page for users with affected devices. Also, 11,000 websites enabled the CloudFlare Visitor DNSChanger Detector, which shows infected visitors a warning banner to help them remove the malware and remain online. And this month, Facebook joined Google in warning victims among its 900 million users.

Recover from a DNSChanger infection

Over the past few months, HitmanPro has helped tens of thousands of people restore their DNS settings and remove the DNSChanger Trojan and the TDSS rootkit from their computers. As shown in the graph below, the campaigns by Google and Facebook played a significant role in informing users that were infected and pointing them to a solution:

Below, the latest Top 5 DNSChanger Infections by Country (June 11, 2012). Many computers in Italy are still affected by DNSChanger:

Head over to http://www.dns-ok.us and check your Windows and Mac computers for the DNSChanger Trojan. Given that on July 9 you might no longer get the chance to do this, you should check your computers as soon as possible.

Botfrei tests HitmanPro against DNSChanger

February 9, 2012

After our previous blog entry about DNSChanger, Botfrei took the opportunity to test HitmanPro against DNSChanger malware and HitmanPro’s ability to repair Rogue DNS server settings.

In their test, HitmanPro failed to detect a Rogue DNS server setting and this of course got us wondering: what is going on?

Botfrei dropped a malware sample in their test environment and the malware changed the DNS server setting to (as can be seen in this screenshot).

If you cross-reference this IP with the Rogue DNS addresses mentioned in the FBI document (on page 5) you will notice that this IP does not belong to Operation Ghost Click.

To confirm this we changed our DNS server setting to the aforementioned IP and went to dns-ok.de. This website is set up by the German government and can be used to see whether your computer was/is infected with DNSChanger malware.

The result while using the Rogue DNS server setting can be seen in the following picture:

So both the FBI and the German government confirm that the IP is not part of the Rogue DNS servers that were in use by DNSChanger.

But there is more …

Because HitmanPro apparently failed their test, Botfrei advises at the bottom of their article to use the new Avira-DNS-Repair-Tool, which has been available since January 23, 2012.

So let's download the Avira-DNS-Repair-Tool and give it a go …

Notice that Avira’s brand new tool does not detect a Rogue DNS server setting either!

So the dns-ok.de test site of the German government, HitmanPro and the recommended Avira-DNS-Repair-Tool all failed to detect the supposed Rogue DNS server setting. Why not?

First, the IP is not part of the seized DNSChanger servers at all but belongs to an ISP in Latvia (according to RIPE). Second, if you Google the IP you mostly get articles dated 2010. So it seems that Botfrei used an old piece of malware for their tests.

UPDATE: Looking closer at one screenshot from the test, we can confirm this date as the filename of the sample is:


HitmanPro uses IP reputation and blacklist techniques. The IP no longer seems to be actively used by malware, so its reputation has dropped and it has been removed from most blacklists (currently it is listed in just 1 out of 103 blacklists). This is why HitmanPro did not flag the DNS server setting.

Bottom Line
It appears Botfrei was in a bit of a rush to advise against HitmanPro and promote Avira’s new tool instead. While in a hurry they (1) used malware that is unrelated to their DNSChanger cleaning campaign and (2) they actually gave advice (Avira’s offering) that confirms HitmanPro’s findings: no Rogue DNS detected.

HitmanPro is a free second opinion malware scanner and very capable of removing DNSChanger malware and repairing Rogue DNS server settings. Don’t take our word for it, take it for a spin. But do make the right assumptions.

HitmanPro repairs rogue DNS server settings

January 15, 2012

A few days ago the German government advised internet users to check DNS server settings on their computers. The advice is related to the botnet takedown called Operation Ghost Click which was led by the FBI in November 2011.

The botnet was made up of more than 4 million computers in more than 100 countries. The computers were infected with malware called DNSChanger. This Trojan changed the DNS settings of the computer and allowed the botnet owners to redirect web browser requests. With these redirects, the botnet owners were able to manipulate internet advertising to generate at least $14 million in illicit fees. In some cases, the malware had the additional effect of preventing users’ anti-virus software and operating systems from updating, thereby exposing infected machines to even more malicious software.

Rogue DNS Servers
In November 2011 the FBI seized the rogue DNS servers and replaced them with legitimate servers in the hope that infected users would not have their Internet access disrupted. But these servers will only be kept online until March 8, 2012.

The replacement DNS servers recorded 33,000 computers in Germany that are still contacting the rogue DNS servers. This number was large enough for the German government to issue the nationwide advice.

To facilitate the nationwide DNS check, the German government launched the website: dns-ok.de

If you go to the website and your computer uses rogue DNS server settings then you see this page:

The page offers a link to botfrei.de which provides DE-Cleaner software which helps users to get rid of the DNSChanger infection (and other malware).

DE-Cleaner comes in three flavors provided by: Avira, Kaspersky and Symantec. A multi-vendor approach, just like HitmanPro.

The problem with the DE-Cleaner software is that it does not detect or repair rogue DNS server settings: it leaves that up to the user.

Using rogue DNS server settings is as bad as it gets. Nothing on the internet can be trusted: login information and credit data will be stolen. It's only a matter of time (DNSChanger is proof of this). So it is of utmost importance that the computer uses proper DNS server settings. Hence the German call for a nationwide DNS check.

DNS repair
Since DNS is extremely important, HitmanPro scans the DNS server settings of each network adapter in the computer. HitmanPro validates the DNS setting against blacklists and lists the corresponding adapter when its DNS server settings are deemed malicious. A repair of the DNS server setting is then offered, free of charge.
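To make the two checks described on this page concrete (a per-adapter DNS server check against known-rogue ranges, and a reputation check counting how many blacklists list an address, as in the "1 out of 103" case above), here is an added Python example. It is not HitmanPro's code and not part of the original post. It parses a constructed `ipconfig /all` fragment, uses placeholder network ranges in place of the real Operation Ghost Click ranges (which the post says are listed in the FBI document), and stands in a constructed hit table for live blacklist lookups; the repair step assumes that the DHCP-provided resolvers are the desired state.

```python
import ipaddress
import re

# Placeholder ranges (RFC 5737 documentation space), NOT the real Operation
# Ghost Click ranges; substitute the ranges from the FBI document for real use.
ROGUE_DNS_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]

# Constructed stand-in for live blacklist lookups: IP -> number of blacklists
# (out of BLACKLIST_TOTAL) that currently list it.
BLACKLIST_HITS = {"203.0.113.7": 97, "192.0.2.10": 1}
BLACKLIST_TOTAL = 103
REPUTATION_THRESHOLD = 5  # hypothetical cut-off: fewer hits than this is "clean"

# Constructed `ipconfig /all` fragment with two adapters (IPv4 only).
SAMPLE_IPCONFIG = """Windows IP Configuration

   Host Name . . . . . . . . . . . . : DESKTOP-EXAMPLE

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.invalid
   IPv4 Address. . . . . . . . . . . : 192.168.1.20
   DNS Servers . . . . . . . . . . . : 203.0.113.7
                                       192.0.2.10

Wireless LAN adapter Wireless Network Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.21
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

ADAPTER_RE = re.compile(r"^\S.* adapter (.+):\s*$")
DNS_RE = re.compile(r"^\s+DNS Servers[ .]*:\s*(\S+)")
IPV4_RE = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")  # continuation lines


def parse_ipconfig_dns(text):
    """Return {connection name: [dns server, ...]} from `ipconfig /all` output."""
    adapters, current, in_dns_list = {}, None, False
    for line in text.splitlines():
        header = ADAPTER_RE.match(line)
        if header:
            current = header.group(1)
            adapters[current] = []
            in_dns_list = False
            continue
        if current is None:
            continue
        dns = DNS_RE.match(line)
        if dns:
            adapters[current].append(dns.group(1))
            in_dns_list = True
            continue
        more = IPV4_RE.match(line)
        if in_dns_list and more:          # extra servers are listed one per line
            adapters[current].append(more.group(1))
            continue
        in_dns_list = False
    return adapters


def classify_dns_server(ip):
    """'rogue' if inside a known-rogue range, 'suspicious' if widely blacklisted, else 'clean'."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in ROGUE_DNS_NETWORKS):
        return "rogue"
    if BLACKLIST_HITS.get(ip, 0) >= REPUTATION_THRESHOLD:
        return "suspicious"
    return "clean"


def check_adapters(text):
    """Verdict per DNS server, grouped by adapter."""
    return {name: {ip: classify_dns_server(ip) for ip in servers}
            for name, servers in parse_ipconfig_dns(text).items()}


def adapters_needing_repair(text):
    """Adapters with at least one DNS server that is not clean."""
    return sorted(name for name, verdicts in check_adapters(text).items()
                  if any(v != "clean" for v in verdicts.values()))


def repair_commands(text):
    """netsh commands that reset the flagged adapters to DHCP-assigned DNS servers."""
    return [f'netsh interface ip set dns name="{name}" source=dhcp'
            for name in adapters_needing_repair(text)]


if __name__ == "__main__":
    for name, verdicts in check_adapters(SAMPLE_IPCONFIG).items():
        print(name, verdicts)
    print("\n".join(repair_commands(SAMPLE_IPCONFIG)))
```

In the sample, 192.0.2.10 is listed by only 1 of 103 blacklists and is outside every rogue range, so it comes out "clean", which is exactly the situation the Botfrei test ran into; 203.0.113.7 falls inside a placeholder rogue range and gets the adapter flagged for repair regardless of its reputation count.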

Bottom line
Besides DE-Cleaner, most antivirus products do not check the DNS server settings of the computer. The reason for this is anybody's guess. HitmanPro 3 has checked the DNS server settings since its inception and provides a convenient way for the average computer user to get rid of the malware and repair DNS server settings in a single pass.

Since the DNSChanger botnet was made up of more than 4 million computers, with 500,000 computers in the US and 33,000 in Germany, there are a lot more computers that still use the rogue DNS server settings. So run a scan with HitmanPro before March 8, 2012 or you might not be able to use the internet – the FBI will shut down the replacement DNS servers on that day.

We have made a video to illustrate the whole proceedings:

Note: we’ve made the video with Hitman Pro 3.5 as this version supports the German language.