[SingCERT] DNSChanger Clean DNS Servers Will Be Shut Down On 9 July 2012
- Published on Friday, 30 March 2012 15:05
[ Summary ]
In an operation known as Operation Ghost Click last year, US authorities investigated and arrested people who are allegedly involved in infecting millions of computers with a malware strain known as “DNSChanger”.
Users whose computers are infected are currently being directed to these servers maintained by the ISC. This arrangement will expire on 9 July 2012, and computers which are still infected may lose internet connectivity when the servers are turned off.
[ Background ]
DNSChanger is a malware that changes a user’s Domain Name System (DNS) settings, which enables criminals to direct unsuspecting users to fraudulent websites and interfere with their web browsing activities.
In November 2011, the FBI shut down a ring of cyber criminals believed to be involved in the spreading of DNSChanger malware. Four million users are estimated to be affected worldwide.
To avoid disruptions to users’ internet connectivity, the FBI have obtained a court order to authorize ISC to temporary maintain the DNS servers to allow users to clean their computers and restore their DNS settings.
On 9 July 2012, the clean DNS servers operated by Internet Systems Consortium (ISC) will be turned off.
[ Signs of Infection ]
The computer and/or router’s DNS server settings are pointing to servers from the following IP address ranges:
18.104.22.168 to 22.214.171.124
126.96.36.199 to 188.8.131.52
184.108.40.206 to 220.127.116.11
18.104.22.168 to 22.214.171.124
126.96.36.199 to 188.8.131.52
184.108.40.206 to 220.127.116.11
One may also check if he is affected by DNSChanger by visiting one of the following sites:
[ Resolution ]
Windows users may follow the cleanup instructions provided by the DNSChanger Working Group (DCWG) below.
Mac users may use a cleanup tool provided by SecureMac.
Router’s DNS server settings will need to be updated and secured after the computer has been cleaned up.
Detailed instructions for updating the DNS server settings and securing the router can be found in the manual provided by the manufacturer.
[ Prevention ]
Following are some tips to prevent infections in future:
- Install and keep anti-malware software up-to-date
- Install a personal firewall software
- Enable automatic updates on the operating system to keep it up-to-date
- Keep web browsers up-to-date and enable its security functions
- Set strong passwords and change them regularly
- Use a limited rights account for routine activities such as web browsing and reading of emails
- Exercise caution when clicking on links or email attachments
- Backup information regularly to another storage device such as external hard disk or thumbdrive
More information on staying safe can be found on Go Safe Online website: https://www.gosafeonline.sg/
[ References ]