Detecting the DNS Changer malware

January marked half-time for the folks at the DNS Changer Working Group (DCWG) who are now running the DNS servers originally used in the Rove botnet. Ever since a multi-national task force dismantled the gang in Operation Ghost Click in early November of 2011, the DCWG has been in charge of running the servers at the heart of the botnet in order to keep the infected machines that depend on these servers. In its four years of existence, Rove managed to infect around four millions machines.

Its mode of operation is simple: it replaces the DNS servers registered on the infected machine with its own servers, which allows it to redirect almost all of the traffic of the infected machines to its own services. This gives the attackers almost unlimited power over the infected machines, as they intercept almost all requests made to the Internet. They could for example, replace all download requests for a certain software, say iTunes, with a backdoored version of iTunes, that for all effects and purposes behaves the same, but installs for the attackers an additional remote administration tool. They were also able to reorder your search results and influence your purchase decisions, and to exchange the ads that are displayed to you favoring their affiliates.

But the DCWG’s mission is time-limited. In November they were tasked operate the servers for a total of 120 days. They will shutdown the servers in March and anybody who is still using those servers will then lose access to the Internet, as DNS is the service that translates your requests for a certain website, say “www.facebook.com,” into its IP address equivalent: 69.171.229.16. Once DNS stops working you will get a screen similar to:

Fortunately it is relatively easy to verify whether a machine is affected by Rove. All one needs to do is verify whether its DNS servers fall into the five ranges that were under control of the Rove operators. The easiest way to do this, at least under Windows is to run the Qualys BrowserCheck plug-in which we recently equipped with Rove detection capabilities (see screenshot).

If your machine shows as insecure under the DNS Changer heading, you need to perform a few simple steps to correct the situation. We provide more information on how to correct the DNS servers by clicking on the FixIt button, but basically you need to reset the DNS servers that you use. On Windows the Control Panel is used to modify the DNS servers. Click on Start, Control Panel, Network Connections, then right click on the icon that identifies your connection, and select Properties, then select Internet Protocol (TCP/IP) and click on the Properties button. This will bring you to the screen where the DNS servers are set. Here you should select Obtain DNS server address automatically and then close the Windows by pressing Ok and Close.

Once done you should register the infection at the FBI’s website, as it will help strengthen the case against Rove’s operators.

Author: Wolfgang Kandek, CTO at Qualys.