By 2:01 pm this afternoon the “internet doomsday” promised over the weekend will become a reality for some unfortunate denizens of the internet. With hundreds of thousands of computer users worldwide potentially facing a blackout, it looks like up to 6000 Australian users are in line to have their connections severed.
The seeds of this rather grim predicament were sown late last year when US authorities nabbed six Estonians and one Russian national, the alleged ringleaders of the gang targeted by Operation Ghost Click, which netted an estimated $14 million in bogus internet advertising revenue while infecting some four million computers worldwide.
Here’s how the malware, dubbed DNSChanger, works.
The malware essentially changes the Domain Name System (DNS) settings on the compromised computer. DNS is best described as the system that converts human-readable domain names into the numerical Internet Protocol (IP) addresses that computers actually use. When a domain name is entered into a browser address bar, the computer queries the DNS servers configured in its network settings, normally those operated by its ISP, to learn the IP address of the website, and that address is then used to make the connection.
As the name suggests, DNSChanger swapped the DNS server addresses in a computer's settings for the addresses of rogue servers run by the gang, giving the Ghost Click crew control over which sites a compromised computer actually reached, regardless of what the user typed. It certainly did its job before the FBI busted the ring.
The current blackout scenario is a result of what happened next, and it was actually scheduled to happen a lot earlier. Immediately after the bust, US authorities set up replacement DNS servers at the addresses of the rogue ones so that infected machines would keep resolving names correctly; however, this was always designed to be a temporary fix. Those servers were originally scheduled to be shut down in March but were given a stay of execution by the US Attorney's office. The new date decided on by the authorities was July 9, and here we are.
The idea was that the July deadline provided sufficient time for the identification and clean-up of infected computers. Unfortunately, the latest research suggests otherwise, with at least 300,000 computers still sending their DNS queries to the former rogue addresses now under FBI control.
So if your computer happens to be one of these, then you are looking at complete loss of connectivity, that is until you fix your DNS settings.
The first port of call for any user should be the DNS-OK site run by the Australian Communications and Media Authority and CERT Australia, which should immediately tell you whether you have a problem. Note that the check only works while the replacement servers are still answering: once they go dark, an infected machine will not be able to load the page at all, so check now, or inspect your DNS settings manually.
A number of telcos, including Telstra, are providing another temporary network solution that should ensure those infected don't lose access, by redirecting traffic away from the DNS servers marked for deactivation. Once again, these measures are all about providing enough time for those affected to remove the malware and fix their DNS settings.
Finally, for those unlucky enough to lose their connection later today, the good folks at the DNS Changer Working Group (DCWG) have a step-by-step account of how to fix the problem. Meanwhile, check out the video from Sophos' Paul Ducklin, which also outlines the remedial process.
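For readers who would rather check their own settings than rely on a web page, here is an added example (written for this article, not code from the DCWG, ACMA or the FBI) that tests configured resolver addresses against the netblocks the FBI and DCWG published for the DNSChanger rogue servers. The ranges are reproduced from that public list as it stood at the time; verify them against the current DCWG page before relying on this. The sample resolv.conf text is constructed for the demonstration; on a real system the script reads /etc/resolv.conf, and Windows users can paste the DNS Servers lines from `ipconfig /all` into the same function.

```python
import ipaddress
import re

# Netblocks published by the FBI/DCWG as the DNSChanger rogue resolvers.
# Copied from the public DCWG list of the time (assumption: list unchanged);
# verify against the current DCWG page before relying on them.
ROGUE_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]

# Collapse each first/last pair into CIDR networks so membership tests are cheap.
ROGUE_NETWORKS = [
    net
    for lo, hi in ROGUE_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
    )
]

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def is_rogue_resolver(ip: str) -> bool:
    """True if the resolver address lies inside a published DNSChanger range.

    Anything that is not a syntactically valid IPv4 address is reported as
    not rogue; the rogue list only ever contained IPv4 blocks.
    """
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return False
    if addr.version != 4:
        return False
    return any(addr in net for net in ROGUE_NETWORKS)


def resolvers_from_resolv_conf(text: str) -> list:
    """Extract the resolver addresses from resolv.conf-style text."""
    return NAMESERVER_RE.findall(text)


def check_resolvers(ips) -> dict:
    """Map each configured resolver to whether it is a known rogue address."""
    return {ip: is_rogue_resolver(ip) for ip in ips}


# Constructed sample: one legitimate resolver and one inside a rogue block.
SAMPLE_RESOLV_CONF = """# constructed example, not a real configuration
search example.net
nameserver 8.8.8.8
nameserver 85.255.112.36
"""


def report(text: str) -> bool:
    """Print a verdict for every resolver; return True if any is rogue."""
    verdicts = check_resolvers(resolvers_from_resolv_conf(text))
    for ip, rogue in verdicts.items():
        print(f"{ip:>16}  {'ROGUE - DNSChanger range' if rogue else 'ok'}")
    return any(verdicts.values())


if __name__ == "__main__":
    try:
        with open("/etc/resolv.conf", encoding="utf-8") as fh:
            config = fh.read()
    except OSError:
        # No resolv.conf on this platform; fall back to the constructed sample.
        config = SAMPLE_RESOLV_CONF
    infected = report(config)
    print("Action: fix DNS settings and remove the malware"
          if infected else "No DNSChanger resolver addresses found")
```

A hit here means the machine (or the router handing out those addresses via DHCP, which the script cannot see) is still pointed at the former rogue servers and will stop resolving names once they are switched off; a clean result only covers the resolver addresses on this device, so a home router's own DNS settings still deserve a look.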