For the past several years, one of the worst malware problems that we’ve seen has been what’s been called DNSChanger. It’s not because it’s particularly difficult to remove, although it isn’t easy. Rather, it’s because of how it compromises a user’s Internet security.
To understand what it does, we need a brief explanation of DNS. DNS stands for Domain Name System, and it’s essentially the Internet’s phonebook. Your computer doesn’t really know what www.yahoo.com is. It might know it as 220.127.116.11. But you aren’t going to remember that. So instead, when you enter that name into your browser, your computer asks the DNS system to give it the correct number, aka the IP address. And how does it know? Well, it asks. It asks the DNS server it’s configured to use, which then might ask the next server up the chain, etc., until it reaches a DNS server that knows the correct address. Then the answer gets cascaded back down to your machine, which then knows where to go.
But what would happen if your DNS server lied to you? What would happen if you asked for www.yahoo.com, and it came back with 18.104.22.168? Your browser address bar would still show you http://www.yahoo.com, but the actual website wouldn’t be Yahoo’s. And what if the webserver at that address was mocked up to look like Yahoo’s site? Well, now we have some real trouble, because you, as the user, would never know that you were entering your Yahoo username and password into a site that wasn’t Yahoo, and you’d be handing the owner of that fake site your real Yahoo username and password.
And what would happen if it wasn’t Yahoo they hijacked, but Wells Fargo, Bank of America, PayPal, etc…? See the problem?
That’s what DNSChanger does… or did. Once installed on your system (and it infects both Windows and MacOS), it changes your DNS servers to ones that lie. They send you to custom-crafted websites made to look like other real sites, in order to steal your account information.
Now the good news is that the FBI and several foreign governments stopped it! Operation Ghost Click resulted in a number of arrests, and best of all, they got the fake DNS servers. And then they did a smart thing: They decided to fix those fake DNS servers, and make them real DNS servers, so that all the machines infected with it would just start working properly. Users need never know that their machines were infected, because the infection amounted to nothing.
But alas, bureaucracies can never leave a good thing alone. The German Federal Office for Information Security has decided that, on March 8, 2012, those fake-now-good DNS servers will be taken down. So now, and this is the reason I’m posting this, on March 8, many people will suddenly find themselves unable to use the Internet. If this happens to you, your machine is probably infected.
If that happens to you, you can call your local IT service company, or try to remove it yourself. Here are some links to get you started.
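Two things from this post are worth being able to check for yourself: what a DNS question and answer actually look like on the wire (the "phonebook lookup" described above), and whether your machine's configured DNS servers point somewhere they shouldn't. The script below is an added example written for this post, not code from the original or from any removal tool. It reads a resolv.conf-style server list (Linux and macOS keep one at /etc/resolv.conf; on Windows, `ipconfig /all` shows the same information), flags any server inside a list of rogue address ranges, and can ask two different resolvers the same question and compare the answers. The rogue range used here (192.0.2.0/24, a documentation-only network) is a placeholder, not the real DNSChanger addresses; substitute the published list from your own incident-response source. The `build_response` helper constructs a reply packet so the parser can be exercised without network access.

```python
import ipaddress
import random
import socket
import struct

# Placeholder for rogue resolver ranges. 192.0.2.0/24 is a documentation network
# chosen as a stand-in; it is NOT the actual DNSChanger address list.
ROGUE_RANGES = [ipaddress.ip_network("192.0.2.0/24")]


def nameservers_from_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def flag_rogue_resolvers(servers, rogue_ranges=ROGUE_RANGES):
    """Return the configured servers that fall inside any rogue range."""
    flagged = []
    for server in servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            continue  # skip anything that is not a literal IP address
        if any(addr in net for net in rogue_ranges):
            flagged.append(server)
    return flagged


def build_query(name, txid):
    """Build a minimal DNS query packet asking for the A record of `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_response(txid, name, addresses, ttl=60):
    """Constructed reply packet for offline demonstration of the answer format."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    question = build_query(name, txid)[12:]  # reuse the encoded question section
    answers = b""
    for ip in addresses:
        # 0xC00C is a compression pointer back to the name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answers


def _skip_name(packet, offset):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = packet[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return offset + 2
        offset += 1 + length


def parse_a_records(packet, expected_txid):
    """Return the IPv4 addresses in the answer section; reject a mismatched ID."""
    txid, _flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: reply does not match our query")
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(packet, offset) + 4  # skip QTYPE and QCLASS
    addresses = []
    for _ in range(ancount):
        offset = _skip_name(packet, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rclass == 1 and rdlength == 4:
            addresses.append(socket.inet_ntoa(rdata))
    return addresses


def query_resolver(name, resolver, timeout=3.0):
    """Ask one resolver over UDP/53 and return the set of A records it gives."""
    txid = random.randrange(0, 65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver, 53))
        data, _ = sock.recvfrom(512)
    return set(parse_a_records(data, txid))


def cross_check(name, resolvers):
    """Map each resolver to its answers; resolvers that disagree deserve a look."""
    return {r: query_resolver(name, r) for r in resolvers}


if __name__ == "__main__":
    try:
        with open("/etc/resolv.conf") as fh:
            configured = nameservers_from_resolv_conf(fh.read())
    except OSError:
        configured = []
    print("configured resolvers:", configured)
    print("flagged as rogue:", flag_rogue_resolvers(configured))
    try:  # live comparison needs network access; skip quietly if unavailable
        print(cross_check("www.yahoo.com", configured[:1] + ["9.9.9.9"]))
    except (OSError, ValueError) as exc:
        print("cross-check skipped:", exc)
```

If the two resolvers return different addresses for the same name, that alone is not proof of infection (large sites legitimately answer differently by region), but a resolver address sitting inside a known-rogue range is the direct symptom this post describes, and the fix starts with putting the DNS settings back to your ISP's or a trusted public resolver and then removing the malware.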