On many computers deemed safe and protected by up-to-date antivirus software, the Alureon rootkit is still one of the most prevalent infections that HitmanPro encounters. Over the last few years the Alureon rootkit (aka TDSS, TDL and Olmarik) has evolved and been used for all kinds of different attacks, from drive-by downloads to targeted attacks aimed at only a specific group of people. One of its lesser known jobs was to distribute the DNSChanger Trojan.
Beginning in 2007, the DNSChanger Trojan hijacked web traffic by changing the DNS (Domain Name System) settings on an infected computer. As a result, victims were diverted to malicious websites instead of the website they requested. In other words, once the Trojan has altered the DNS settings, every DNS query is answered by the attacker-controlled DNS servers, which steer the user to malicious websites; the scammers behind them also earned millions of dollars in affiliate and referral fees from this redirected traffic.
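The practical consequence of the mechanism above is that the infection is visible in the host's own resolver configuration: a machine whose DNS servers point into a range the attackers controlled is affected regardless of what the antivirus says. The following is an added example, not HitmanPro's or the DCWG's code, of that check as a small parser plus a watchlist lookup. The two TEST-NET blocks in ROGUE_RESOLVER_RANGES are placeholders standing in for the rogue ranges (which this page does not list), and both configuration samples are constructed for the example.

```python
import ipaddress
import re

# Placeholder watchlist. The resolver ranges the DNSChanger servers actually
# used are not quoted on this page, so two RFC 5737 TEST-NET blocks stand in
# for them here; replace with the authoritative DCWG list before real use.
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),  # placeholder, not a real rogue range
    ipaddress.ip_network("203.0.113.0/24"),   # placeholder, not a real rogue range
]

# Constructed sample of "ipconfig /all" output from a Windows host whose first
# adapter has had its resolvers rewritten; the second adapter is untouched.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.42
                                       198.51.100.7
   NetBIOS over Tcpip. . . . . . . . : Enabled
Wireless LAN adapter Wireless Network Connection:
   DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

# Constructed sample /etc/resolv.conf from a Mac or Linux host.
SAMPLE_RESOLV_CONF = """\
# generated by DHCP
nameserver 192.168.1.1
nameserver 203.0.113.9
"""


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_ipconfig_dns(text):
    """Return the DNS servers listed in ipconfig /all output.

    ipconfig prints the first resolver on the "DNS Servers" line and any
    further resolvers on indented continuation lines holding only an address.
    """
    servers = []
    collecting = False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)\s*$", line)
        if m:
            servers.append(m.group(1))
            collecting = True
            continue
        if collecting:
            m = re.match(r"^\s+(\S+)\s*$", line)
            if m and _is_ip(m.group(1)):
                servers.append(m.group(1))
                continue
            collecting = False  # any other line ends the resolver list
    return servers


def parse_resolv_conf(text):
    """Return the nameserver addresses from resolv.conf, ignoring comments."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def check_resolvers(servers, watchlist=ROGUE_RESOLVER_RANGES):
    """Map each configured resolver to "rogue <cidr>", "private" (RFC 1918
    style, typically the home router), "public" or "unparseable"."""
    verdicts = {}
    for s in servers:
        if not _is_ip(s):
            verdicts[s] = "unparseable"
            continue
        addr = ipaddress.ip_address(s)
        hit = next((str(net) for net in watchlist if addr in net), None)
        if hit:
            verdicts[s] = f"rogue {hit}"
        elif addr.is_private:
            verdicts[s] = "private"
        else:
            verdicts[s] = "public"
    return verdicts


def host_is_affected(verdicts):
    """True if any configured resolver falls in a watchlisted range."""
    return any(v.startswith("rogue") for v in verdicts.values())


if __name__ == "__main__":
    for name, servers in (("ipconfig", parse_ipconfig_dns(SAMPLE_IPCONFIG)),
                          ("resolv.conf", parse_resolv_conf(SAMPLE_RESOLV_CONF))):
        verdicts = check_resolvers(servers)
        print(name, verdicts, "AFFECTED" if host_is_affected(verdicts) else "clean")
```

The watchlist match is deliberately done before the private/public split, so a rogue range is reported as rogue even when it is also non-routable. On a real host you would feed the parser the output of `ipconfig /all` or the contents of `/etc/resolv.conf` instead of the constructed samples, and remember that the check only sees the resolver settings; it does not remove the Trojan or the TDSS rootkit that installed it.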
On November 8, 2011 the FBI arrested six Estonian nationals who were operating over a hundred malicious DNS servers in data centers in Estonia, New York and Chicago. Along with these arrests, the servers involved with the DNSChanger malware were seized. Since machines with modified DNS settings would be unable to access the Internet once the malicious DNS servers went offline, the FBI obtained a court order that allowed the non-profit Internet Systems Consortium (ISC) to set up alternate DNS servers to temporarily replace the malicious servers. These servers were intended to give people time to clean up the infection. The court order was originally set to expire March 8 this year, but prosecutors filed for an extension because over 400,000 computers still remained infected. The new deadline for getting cleaned up and averting the Internet blackout is now July 9, 2012.
DCWG, Google, Facebook, CloudFlare
To remediate users and help the FBI with the alternate DNS servers, the DNS Changer Working Group (DCWG) was created. The DCWG is an ad hoc group of subject matter experts, and includes members from organizations such as Georgia Tech, Internet Systems Consortium, Mandiant, National Cyber-Forensics and Training Alliance, Neustar, Spamhaus, Team Cymru, Trend Micro, and the University of Alabama at Birmingham.
To speed up the slow remediation rate, Google started notifying affected users in May 2012, showing a special warning message at the top of the Google search results page for users on affected devices. Also, 11,000 websites enabled the CloudFlare Visitor DNSChanger Detector, which shows infected visitors a warning banner to help them remove the malware and remain online. And this month, Facebook joined Google in warning victims among its 900 million users.
Over the past few months, HitmanPro has helped tens of thousands of people restore their DNS settings and remove the DNSChanger Trojan and the TDSS rootkit from their computers. As shown in the graph below, the campaigns by Google and Facebook played a significant role in informing users who were infected and pointing them to a solution:
Below is the latest Top 5 of DNSChanger infections by country (June 11, 2012). Many computers in Italy are still affected by DNSChanger:
Head over to http://www.dns-ok.us and check your Windows and Mac computers for the DNSChanger Trojan. Given that on July 9 you might not get the chance to do this, you should check your computers as soon as possible.