Doomsday virus: are you vulnerable?
About a quarter-million computer users around the world are at risk of losing Internet access today because of malicious software, 'DNS Changer', that has infected computers across the globe. Is your computer infected? Read on.
Updated: Jul 09, 2012 02:10 IST
About a quarter-million computer users around the world are at risk of losing Internet access on Monday because of malicious software at the heart of a hacking scam that US authorities shut down last November.
Some blogs and news reports hyped the risk of an outage, warning of a potential "blackout" and describing the Alureon malware as the "Internet Doomsday" virus.
Yet experts said only a tiny fraction of computer users were at risk, and Internet providers would be on call to quickly restore service. They said they considered the threat to be small compared with more-prevalent viruses such as Zeus and SpyEye, which infect millions of PCs and are used to commit financial fraud.
The viruses were designed to redirect Internet traffic through rogue DNS servers controlled by criminals, according to the FBI. DNS servers are computer switchboards that direct Web traffic.
For those living in the US, Internet providers, including AT&T Inc (T.N) and Time Warner Cable (TWC.N), have made temporary arrangements, answering DNS queries sent to the rogue servers' addresses, so that their customers can still access the Internet.
What is DNS?
DNS (Domain Name System) is an Internet service that converts user-friendly domain names into the numerical Internet protocol (IP) addresses that computers use to talk to each other.
Simply put, when you enter a website URL, say www.hindustantimes.com, in your web browser's address bar, your computer contacts DNS servers to determine the IP address for that website.
Your computer then uses this IP address to locate and connect to the website. DNS servers are operated by your Internet service provider (ISP) and are included in your computer’s network configuration. Without DNS and DNS Servers you would not be able to access websites, send e-mail, or use any other Internet services.
What's the attack about?
Since 2007, cyber criminals operating under the company name 'Rove Digital' distributed DNS-changing viruses, variously known as TDSS, Alureon, TidServ and TDL4.
These criminals learnt that controlling a user's DNS lets them redirect, or change, the way that user uses the Internet. They did this by installing malware on the user's system that changed the computer's DNS settings and redirected the user to fraudulent sites.
The botnet operated by Rove Digital altered users' DNS settings, pointing victims to malicious DNS servers in data centers in the United States and across the world.
In simple terms, this altered the way you used the Internet. The malicious DNS servers would give you fake, malicious answers, redirect you to dangerous links, alter your search results on search engines and promote fake and dangerous products through e-marketing.
As every web search starts with DNS, the malware showed users an altered version of the Internet.
On November 8, 2011, the FBI, the NASA-OIG and Estonian police arrested several cyber criminals in “Operation Ghost Click”.
The United States charged seven people with orchestrating the worldwide Internet fraud. Six of them, Timur Gerassimenko, 31; Dmitri Jegorov, 33; Valeri Aleksejev, 31; Konstantin Poltev, 28; Anton Ivanov, 26; and Vladimir Tsastsin, 31, were arrested in Estonia, while the seventh, Andrey Taame, who was living in Russia, is still at large.
When authorities took down the rogue servers, a federal judge in New York ordered that temporary servers be kept in place while the victims' machines were repaired.
The temporary servers will shut down at 12:01 am on Monday, July 09, 2012, which means that infected PCs that have not been fixed will no longer be able to connect to the Internet.
The FBI has claimed that the virus named 'DNS Changer' will cause over 350,000 computers to lose web access.
Has your computer been infected?
Technology enthusiasts and cyber security firms across the world have come out with an easy-to-use detection system that lets users know whether their computer has been affected by the virus or not.
The check displays an image: if the image you see is green, your computer has not been infected with the virus. If it is red, then your computer has possibly been compromised and infected by the DNS Changer.
If you are infected with the virus, then you've got a longer, but not impossible, process ahead of you. "It's a very easy one to fix," said Gunter Ollmann, vice president of research for security company Damballa. "There are plenty of tools available."
How to fix your computer:
Many of the machines that remain infected are probably not in active use since most victims were notified of the problem, said security expert Johannes Ullrich, who runs the Internet Storm Center, which monitors Web threats.
The DNS Changer Working Group (DCWG) said that those infected with the virus should first back up any important files.
One can do that fairly easily with an external hard drive or even a thumb (pen) drive.
The group also said it is a good idea to scan the computer regularly for viruses and to make sure that virus definitions are up to date.
The following steps will help you determine if your computer has been affected or not:
If you are using a Windows computer, open a command prompt. This can be done by selecting Run from the Start Menu and entering cmd.exe or starting the command prompt application, typically located in the Accessories folder within Programs on your Start Menu.
At the command prompt, enter: ipconfig /all
Look for the entry that reads "DNS Servers . . . . . . . . . . . :".
The numbers on this line and the line(s) below it are the IP addresses for your DNS servers.
These numbers are in the format nnn.nnn.nnn.nnn, where nnn is a number in the range 0 to 255. Make a note of the IP addresses of the DNS servers and compare them with the table above.
If any of your DNS server IP addresses appears in the table above, the computer is using a rogue DNS server.
If you are using an Apple computer, click on the Apple in the top left corner and choose System Preferences. Then, from the Apple System Preferences window, choose Network.
The Apple Network pane will show a number of possible connections on the left side. Choose the one that is active for you and click on the Advanced button in the lower right corner. Then choose DNS from the options to show the DNS servers you are using. Compare them with the list above.
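As an added example (not part of the article or of the DCWG's own tools), the Windows check above automated in Python: it pulls the addresses listed under the "DNS Servers" entry of ipconfig /all output, including the continuation lines, and tests each one against a list of address ranges. The rogue ranges and the ipconfig excerpt are constructed placeholders, since the article's table of rogue addresses is not reproduced here.

```python
import ipaddress
import re

# Constructed placeholder ranges standing in for the rogue-server table the
# article refers to; replace them with the list published by the DCWG.
ROGUE_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),  # placeholder, not a real rogue range
    ipaddress.ip_network("203.0.113.0/24"),   # placeholder, not a real rogue range
]

# Constructed excerpt of `ipconfig /all` output as a Windows user would see it.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.net
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.8
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def dns_servers_from_ipconfig(text):
    """Return the addresses listed under 'DNS Servers' in ipconfig /all output.

    The first address sits on the 'DNS Servers' line itself; further addresses
    follow on unlabelled continuation lines until the next labelled field.
    """
    servers = []
    in_dns_block = False
    for line in text.splitlines():
        if "DNS Servers" in line:
            in_dns_block = True
        elif in_dns_block and ":" in line:
            break  # a new labelled field ends the DNS Servers block
        if in_dns_block:
            match = IPV4_RE.search(line)
            if match:
                servers.append(ipaddress.ip_address(match.group(1)))
    return servers


def rogue_dns_servers(servers, ranges=ROGUE_RANGES):
    """Return the configured servers that fall inside any of the given ranges."""
    return [s for s in servers if any(s in net for net in ranges)]
```

Run the script against the real output of ipconfig /all and a non-empty result means the machine is pointed at a rogue resolver.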
The group also recommends that people use multiple tools, so that they have a wider net of virus definitions to draw on.
Information on how to identify and clean up infections can be found on a website that a group of security firms and other experts set up: www.dcwg.org
(With inputs from Reuters, UNI, FBI, DCWG and other agencies)
First Published: Jul 08, 2012 20:34 IST