Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

'Nuke the box' - Push to clean up 300,000 PCs with DNSChanger virus

DNSChanger malware is often linked to the tenacious rootkit TDSS

Article comments

A campaign is underway to clean up as many as 300,000 computers infected with DNSChanger viruses that divert victims' traffic to sites that can further exploit the machines and their owners, but it's not clear that goal can be accomplished without drastic measures.

If a machine is infected with DNSChanger, that infection is often accompanied by a rootkit that is very difficult to remove, says Jose Nazario, senior manager of security research at Arbor Networks.

"The safest thing is to nuke the box and reinstall," Nazario says, meaning that the hard drive should be wiped and the operating system and applications reloaded. "Remediation is one of the toughest challenges we face."

But there are also removal tools that can remove the rootkit without having to reformat, says Barry Greene, the former director of Internet Systems Consortium, a volunteer group that has been working on the problem. "A paranoid security person is going to tell you [reformatting] is what you've got to do," Greene says.

DNSChanger has attracted attention since November 8, 2011, when a major botnet distributing the viruses under the corporate name Rove Digital was taken down by the FBI, NASA Office of the Inspector General and Estonian police. The takedown involved seizing servers in New York, Chicago and Estonia.

It also resulted in the arrest of six men who have face charges in the US related to the botnet.

Subsequent to the takedown, special DNS servers managed by Internet Systems Consortium have been put in place to properly handle DNS requests from infected machines. Without these servers, those machines would not be able to connect to sites on the internet.

The court order allowing these servers to adopt the IP addresses of the ones used by Rove Digital expires July 9, when they will be taken offline. A that point, machines infected with DNSChanger won't be able to reach DNS servers and so won't be able to reach websites.

The public relations push started this week by members of the DNSChanger Working Group urges computer users to check their machines for infection and remediate the problem before July 9. The group has set up a website where users can find out if their machines are infected, remove the viruses and protect the machines from future infection.

The process sounds simple, but it's unclear how effective the diagnostics are.

The group's website refers visitors to where a check is run on the machine that is connecting. But the results aren't conclusive.

After running the check, the site pops up this notice: "Please note, however, that if your ISP is redirecting DNS traffic for its customers you would have reached this site even though you are infected. For additional information regarding the DNS changer malware, please visit the FBI's website at:"

The FBI site doesn't offer any more information about detecting whether machines are infected, but does refer back to

Greene says that the check for infection requires no software download to the machine being tested. Instead, the machine sends a DNS query to a site set up by the testers who look at the DNS record on the query to see whether it came from one of the special Internet Systems Consortium servers. If so, that's an indication computer is infected.

If a victim's ISP has set up its own DNS servers to handle requests from infected machines, the test site will consider that a legitimate DNS source and conclude that the machine is not infected.

The DNSChanger Working Group is compiling a list of ISPs that have set up their own DNS servers to intercept queries from infected machines so their customers can find out from the ISPs whether their machines are infected, Greene says.

He also says that many such ISPs have already mailed letters to their customers whose machines they suspect of being infected. Sending such notifications by email would be easily mistaken for phishing.

The PR push to get the remaining infected computers cleaned up created some unexpected problems for DNSChanger Working Group's website. Traffic jumped from hundreds of hits per day to millions, with 5,000 concurrent connections. The site crashed one day, but it has been beefed up in the meantime, Greene says.


More from Techworld

More relevant IT news


Nick said: Just nuke the boxes PERIOD These imbeciles are part of the problem that plagues the Internet With these freebie porn loving T A R Ds off the Internet spam will drop and things are much saver for the rest of us

Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *