The cyber trenches are awash today with news of DNSchanger malware, building on previous efforts to alert the public that they could lose their internet service this coming Monday, July 9. DNSchanger malware takes control of a user's DNS settings, which cyber criminals use to direct unsuspecting users to fraudulent sites or simply to interfere with a user's online activities. Inarguably, these infected servers are going to be taken down, spelling trouble for thousands of users who will lose their internet connections. The Trojan changes the DNS settings to IP addresses in the following IP ranges:
- 220.127.116.11 through 18.104.22.168
- 22.214.171.124 through 126.96.36.199
- 188.8.131.52 through 184.108.40.206
According to reports, the problem surfaced when an online advertising scam, operated by international hackers, took control of approximately 570,000 computers worldwide. The FBI estimates more than half of these machines are still infected; 60,000 or more are believed to be in the United States. Infected machines have their antivirus software disabled, and users experience slowness when surfing the Web. Several ISPs and companies, including Google, Facebook and Comcast, have released notifications to their customers about this event. The FBI got involved as well and has set up a website, http://www.dcwg.org, for consumers to check their DNS. More information on DNSchanger malware is available here.
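The same DNS check can be scripted locally. This is an added example, not code from the original post: it reads resolver addresses from `resolv.conf` text or `ipconfig /all` output and flags any that fall inside a list of ranges written in the "start through end" form used above. The ranges are RFC 5737 placeholders, the sample inputs are constructed, and the function names are this example's own.

```python
import ipaddress
import re

# Placeholder ranges (RFC 5737 documentation blocks), not the real rogue ranges.
ROGUE_RANGES = ["192.0.2.0 through 192.0.2.255", "198.51.100.16 through 198.51.100.31"]

# Constructed sample inputs: a resolv.conf and an excerpt of `ipconfig /all`.
SAMPLE_RESOLV_CONF = "nameserver 198.51.100.20\nnameserver 203.0.113.7\n"
SAMPLE_IPCONFIG = (
    "   DNS Servers . . . . . . . . . . . : 192.0.2.53\n"
    "                                       203.0.113.7\n"
    "   NetBIOS over Tcpip. . . . . . . . : Enabled\n"
)

def parse_ranges(lines):
    """Turn 'A through B' strings into (first, last) IPv4Address pairs."""
    ranges = []
    for line in lines:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in line.split("through"))
        if first > last:
            raise ValueError(f"range start is above range end: {line!r}")
        ranges.append((first, last))
    return ranges

def configured_resolvers(text):
    """Extract IPv4 resolvers from resolv.conf text or `ipconfig /all` output."""
    found, in_dns = [], False
    for raw in text.splitlines():
        line = raw.strip()
        unix = re.match(r"nameserver\s+(\S+)", line)
        win = re.match(r"DNS Servers[ .]*:\s*(\S+)", line)
        if unix or win:
            value, in_dns = (unix or win).group(1), bool(win)
        elif in_dns and line and " : " not in line:
            value = line  # continuation line listing a further DNS server
        else:
            in_dns = False
            continue
        try:
            found.append(ipaddress.IPv4Address(value))
        except ValueError:
            pass  # IPv6 or unparsable entry: not covered by the IPv4 ranges
    return found

def rogue_resolvers(text, ranges=ROGUE_RANGES):
    """Return the configured resolvers that fall inside any listed range."""
    parsed = parse_ranges(ranges)
    return [str(ip) for ip in configured_resolvers(text)
            if any(first <= ip <= last for first, last in parsed)]
```

Calling `rogue_resolvers(open("/etc/resolv.conf").read())` on a Unix-like host returns an empty list when no configured resolver is in a listed range. The DNS servers handed out by the home router should be checked as well.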
Here's a screenshot of a machine infected by the DNSchanger malware:
Checking this DNS IP at http://www.dcwg.org confirms it's rogue:
We may also see malware, spam, or scam campaigns associated with news about the DNSchanger malware. As a precaution, be careful when clicking links in notification emails claiming to be from your ISP or links on Facebook posing as information on DNSchanger malware. These may be spoofed emails or links designed to download malware or take you to a malicious website.
Websense® security solutions protect against all known variants of the Trojan.