First published: 23rd May 2012
What would you do if you suddenly could not access the internet? No email, no web, just mysterious error messages. According to a spokesman for HKCERT, this might happen to around 800 to 1200 computers in Hong Kong on 9th July 2012.
Calling a technical friend or your ISP would probably be high on your list, but you would probably not think to blame a group of Estonian cyber-criminals arrested in November 2011. Those arrests were the culmination of an investigation that began in 2006. The gang had been spreading malware known as Trojan:W32/DNSChanger and building a network of infected computers, which it used for various lucrative activities including click fraud, selling dodgy pharmaceuticals and selling fake antivirus software. As its name suggests, DNSChanger altered the Domain Name System (DNS) server settings on infected computers, pointing them at the criminals' own resolvers. Every internet hostname is turned into a numeric address by a DNS lookup, so whoever controls the resolver decides which site a victim actually reaches for any name typed: the criminals could replace advertisements on sites victims visited to generate more income for themselves, redirect victims to pages that installed more malware, and prevent victims from reaching genuine security sites.
The suspects were arrested and the controlling servers seized last November, so why is there still a problem? Every one of the roughly 4 million infected computers worldwide was still sending every DNS lookup to the rogue servers. Simply switching those servers off would have immediately "killed the internet" for all of them. The FBI therefore formulated a plan and obtained a court order allowing the servers to keep running, now returning correct answers, while efforts were made to contact the victims and clean up the infected machines. The initial order ran until 8th March 2012 but was later extended to 9th July 2012, after which the replacement servers will be switched off and any machine still using them will lose name resolution. The effort has involved publicity and cooperation from ISPs, and over 90% of affected devices have now been cleaned. That still leaves about 350,000, of which 800 to 1,200 are in Hong Kong.
Is my Computer Infected?
DNSChanger can infect Microsoft Windows and Apple Mac OS X, and it can also change the DNS settings on some broadband routers, so a computer that looks clean can still be affected if it gets its DNS from an infected router. The simplest check is to visit a DNS Changer Check-Up webpage: green is good, red means you have a problem. Because the check works by performing a DNS lookup, it tests whatever resolver your computer (or the router in front of it) is actually using. More details, other methods of checking (such as inspecting the DNS server addresses configured on your computer and on your router) and how to correct the DNS settings are on the HKCERT blog and the DNS Changer Working Group website.
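The manual check mentioned above, inspecting the configured DNS server addresses, is easy to script. The following is an added example written for this page, not code from HKCERT or the DNS Changer Working Group. It parses the two places the settings normally appear (a Unix `/etc/resolv.conf` and the output of `ipconfig /all` on Windows) and compares each resolver address against the rogue address ranges the FBI published for the DNSChanger servers. Those ranges are reproduced from memory of the published list and should be confirmed against the DCWG site; the two configuration samples are constructed for the example, not captured from a real machine.

```python
"""Check configured DNS resolvers against the published DNSChanger rogue ranges."""
import ipaddress
import re

# Address ranges of the rogue DNSChanger resolvers as published by the FBI and
# the DNS Changer Working Group. Reproduced from memory of that list (an
# assumption of this example): confirm against the DCWG site before relying on them.
ROGUE_RANGES = [
    ipaddress.ip_network("85.255.112.0/20"),  # 85.255.112.0  - 85.255.127.255
    ipaddress.ip_network("67.210.0.0/20"),    # 67.210.0.0    - 67.210.15.255
    ipaddress.ip_network("93.188.160.0/21"),  # 93.188.160.0  - 93.188.167.255
    ipaddress.ip_network("77.67.83.0/24"),    # 77.67.83.0    - 77.67.83.255
    ipaddress.ip_network("213.109.64.0/20"),  # 213.109.64.0  - 213.109.79.255
    ipaddress.ip_network("64.28.176.0/20"),   # 64.28.176.0   - 64.28.191.255
]

# Constructed sample inputs (not taken from a real machine).
RESOLV_CONF_SAMPLE = """\
# /etc/resolv.conf on a Mac whose resolver settings the trojan rewrote
nameserver 85.255.112.36   # rogue
nameserver 85.255.112.37   # rogue
search example.com
"""

IPCONFIG_SAMPLE = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.com
   IPv4 Address. . . . . . . . . . . : 192.168.1.20
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       8.8.8.8
"""

# Matches the 'DNS Servers . . . : <first address>' label line of ipconfig /all.
DNS_SERVERS_RE = re.compile(r"DNS Servers[ .]*:\s*(\S+)")


def resolvers_from_resolv_conf(text):
    """Return the nameserver addresses listed in a Unix /etc/resolv.conf."""
    found = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.append(parts[1])
    return found


def resolvers_from_ipconfig(text):
    """Return the DNS server addresses from Windows 'ipconfig /all' output.

    The first address follows the 'DNS Servers' label; any further servers
    appear on continuation lines that hold a single address and nothing else.
    """
    found, in_block = [], False
    for line in text.splitlines():
        stripped = line.strip()
        match = DNS_SERVERS_RE.search(line)
        if match:
            found.append(match.group(1))
            in_block = True
            continue
        if in_block and stripped and " " not in stripped:
            found.append(stripped)  # continuation line with one more server
            continue
        in_block = False  # any other line ends the DNS Servers block
    return found


def is_rogue(address):
    """True if the address falls inside one of the published rogue ranges."""
    try:
        ip = ipaddress.ip_address(address.split("%")[0])  # strip IPv6 zone id
    except ValueError:
        return False  # not an IP address at all (e.g. a hostname)
    return any(ip in net for net in ROGUE_RANGES)


def check_resolvers(addresses):
    """Map each resolver address to the verdict 'rogue' or 'ok'."""
    return {addr: ("rogue" if is_rogue(addr) else "ok") for addr in addresses}


if __name__ == "__main__":
    samples = (
        ("resolv.conf", resolvers_from_resolv_conf(RESOLV_CONF_SAMPLE)),
        ("ipconfig", resolvers_from_ipconfig(IPCONFIG_SAMPLE)),
    )
    for source, addrs in samples:
        for addr, verdict in check_resolvers(addrs).items():
            print(f"{source}: {addr} -> {verdict}")
```

On a live machine, feed `open("/etc/resolv.conf").read()` or the output of `ipconfig /all` (for example via `subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout`) to the matching parser. Note what the Windows sample illustrates: a PC whose resolver is its own router (192.168.1.1 here) will always come out "ok" even if the router has been changed to forward to a rogue server, so the DNS server address configured on the router itself must be checked as well.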