Germany to shut down DNSChanger Trojan servers
Temporary DNS fix to be shut down after malware network closed
By Lucian Constantin | Published: 10:25, 24 January 2012
German authorities are advising victims of DNSChanger Trojan programs to fix their computers' Domain Name System settings using a free tool developed by antivirus company Avira, because the servers resolving DNS queries on their behalf will be closed down on March 8.
DNSChanger is a family of Trojans for Windows and Mac OS X whose primary function is to replace the DNS servers defined on the victim's computer with rogue ones operated by the malware's authors.
The DNS is a vital part of the Internet infrastructure and is used to resolve domain names into numerical IP addresses. By controlling DNS responses, the DNSChanger gang was able to redirect victims to rogue websites that distributed fraudulent software or displayed money-generating advertisements.
Related Articles on Techworld
The DNSChanger operation was shut down by the US Federal Bureau of Investigation in November last year following a two year long investigation. The authorities estimated the number of computers infected with this type of Trojan at 500,000 in the US and over four million worldwide.
The FBI worked with ISPs where the DNSChanger gang hosted its rogue DNS resolvers in order to temporarily convert them into legitimate servers. This decision was taken in order to provide victims with sufficient time to clean their computers without disrupting their Internet access.
On January 11, the German Federal Office for Information Security (BSI) announced that the temporary DNS resolvers put in place to service DNSChanger victims will be permanently shut down on March 8. The government agency worked with antivirus firm Avira to provide affected users with a tool that automatically resets their DNS settings to their default values.
"If your computer was infected at some point in time and it was using one of the DNS servers which are now controlled by FBI, after March 8, it will no longer be able to make any DNS requests through these servers," explained Avira product manager and data security expert Sorin Mustaca. "In layman's terms, you will no longer be able to browse the web, read emails and do everything you usually do on Internet."
The Avira DNS Repair Tool is distributed for free from the company's website, as well as www.dns-ok.de, a website operated by German authorities that can be used to determine if a computer is using one of the temporary DNS servers.
The downside of the tool is that it only works on Windows, and doesn't actually remove the Trojan. Users should first clean their computers with an antivirus program and then use Avira's tool to repair their DNS settings.
"Only the [network] adapters which are detected as manipulated will be changed," Mustaca said. "All others which don't have any signs of being altered by the malware will be left untouched."
Since the tool configures network adapters to automatically detect DNS settings via DHCP, it might not work for all network setups. If using the tool doesn't solve the problem, users should call their ISP and ask what their recommended DNS settings are.