Machines (potentially up to 277,000 worldwide) still affected with DNS Changer malware will likely be cut off from the Internet on Monday, but there are some misperceptions floating out there about this malware that people should be aware of. People in charge of corporate security in particular should be paying more attention to this malware than they are. It’s really flying under the corporate radar and deserves to be on the screen.
DNS Changer malware changes the target computer’s configuration in order to perform a man-in-the-middle attack. Computers use a system called DNS, much like the old telephone white pages, in order to figure out the Internet address for domain names and web URLs. For example, “www.bit9.com” gets translated via DNS to the IP address ” 220.127.116.11″. With DNS Changer malware on the system, when you attempt to access your bank’s website, you might be redirected to a malicious version of the site. While it’s possible for DNS Changer to allow attackers to spoof a bank’s website, most often users are redirected to sites with lots of ads. Alternatively, ads are injected into the target website you were attempting to visit.
The FBI largely dismantled the malicious DNS infrastructure by replacing it with DNS servers that don’t perform the malicious redirection. However, that system is being shut off on Monday, July 9. This will leave most infected systems and possibly even some previously infected systems without DNS services. For most affected people this will amount to being shut off from the Internet. The FBI has been running a campaign to educate users, and if you’d like to check to see if you’re infected it’s recommendable to visit this site (before Monday): http://www.dns-ok.us/.
DNS Changer’s Big Brother
DNS Changer may at this point may seem little more than a nuisance, and perhaps rightly so. The perception is that this malware affects only individuals and small/home office setups, since some variations have features specially made for these environments. However, malware like DNS Changer doesn’t generally discriminate, and corporations should pay much more attention to it than they are. First, DNS Changer is often an indication of a prior infection that is much more insidious. TDSS/TDL4 is the name given to a very clever rootkit that is difficult to detect and very difficult to remove. Some variations of TDSS/TDL4 were instructed by their bot masters to download DNS Changer malware. So if a system is infected with DNS Changer, it’s quite possible that it is also infected with TDSS/TDL4. Malware often begets malware, and any time there is one infection, there may be more.
Additionally, whatever the infection vector, malware discovered in a corporate network needs to be paid close attention because it indicates a chink or perhaps a gaping hole in the corporate malware defenses. If you are one of the 12% of Fortune 500 companies estimated to still be infected with DNS Changer, then it’s likely that your corporate security could benefit from some serious scrutiny. Consider bringing in some outside expertise.
When Malware goes “Pop!”
If you should find that one or more systems fail to resolve domain names following Monday’s shutdown, don’t panic. This isn’t the beginning of a major malware campaign, it’s just the sound of DNS Changer going “pop!” However, do take this as an opportunity to review your security measures, and consider adding application control to your arsenal. Whitelisting can help prevent infections like these, even where traditional antivirus fails.