Tuesday, March 6, 2012

March 8, 2012: The impending Internet Doomsday effect on India



As the FBI prepares to shut down the temporary DNSChanger servers, we do a reality check on the impact and the rectification measures.
Come March 8, 2012, the Internet will be forcibly shut down for millions around the world. This is the consequence of a virus that grew so big that it infected millions of computers and still looms large. The case goes back to 2007, when six Estonian men got together to create a botnet to spread the DNSChanger malware, which tapped into fraudulent servers and directed Web users to unintended - and sometimes illegal - sites. As part of Operation Ghost Click, the FBI took control of the botnet’s command and control servers in November 2011 and replaced the rogue servers with temporary legitimate servers that were allowed to run for only 120 days, a deadline that is fast running out.
The propagation of DNSChanger was no different from that of other malware. The malware authors learned early that by controlling a user’s DNS servers, they could control and interfere with the user’s Internet browsing habits. This was carried out by manipulating online ads through clickjacking. The victims were unaware that their PCs had been compromised, or that the malware had left their PCs defenseless against a swarm of other viruses.
To understand how DNSChanger works, it helps to explore what DNS means and who the stakeholders are. The Domain Name System (DNS) is an Internet service that converts domain names into the numerical Internet Protocol (IP) addresses that allow computers to communicate with each other. When you enter a domain name, for example www.india.gov.in, in the address bar of your browser, your computer contacts DNS servers to determine the IP address of the website. This IP address is used to locate and connect to that website. DNS servers are operated by your ISP (Internet Service Provider) and are included in your PC’s network configuration.
DNSChanger belongs to a class of malware that works in one of the two ways described below:
  1. It alters the user’s DNS server settings to replace the ISP’s good DNS servers with rogue DNS servers operated by the criminals.
  2. It targets Internet devices such as routers or home gateways. If the device still has its factory-set password, which is usually easy to break, chances are high that the malware can infect the system or the network by changing the DNS settings inside the router as well.
The malware also prevents your PC from obtaining operating system and anti-malware updates, both crucial for protecting your PC from cyber threats. This widens the possibility of further malware attacks.
When the FBI cracked down on this botnet, approximately 4 million PCs in more than 100 countries had been compromised. The criminals had managed to mint $14 million in illicit fees! The replacement servers provided by the FBI were not meant to remove the malware, or other nefarious viruses that it may have aided, from infected computers. Their sole purpose was to ensure that users did not lose DNS services.
Over half of Fortune 500 companies and 27 out of 55 government entities have at least one PC or router still infected with DNSChanger, which translates to about 500,000 live infections! Our malware analysis team has reported over 70 variants of the DNSChanger malware and thousands of positive cases in India alone.
Before panic sets in, it is wise to understand the ways in which you can deal with this issue.
First, the DNSChanger malware must be removed from the system(s). Take a backup of all important data and then remove the malware using good antivirus software.
After this has been carried out, the DNS settings on all affected devices must be set to their correct values. You can ask your ISP for the accurate DNS settings to use.
If a network has been affected, then the DNS settings of all PCs on that LAN should be rectified.
There are no sure fixes for the malware. Several tools are available that will let you change the DNS settings on the PC, but the rogue entries still remain in the router. To restore the settings in the router, you would have to either consult your product manual or contact the manufacturer.
Quick Heal has created a free, dedicated webpage for users to determine whether their PC is affected by the DNSChanger malware. To check, please visit:

No Internet starting March 8?? Not really!!


There is news going around that there will be a complete blockage of the Internet from March 8. Well, this is not the complete and true story.

Only the users who are affected by the DNSChanger Trojan will face the Internet blockage, not all users.

To clear the air, below is a brief description of how one of the DNSChanger Trojans works.

After execution, the sample simply changes the default DNS server configured on the system to a rogue DNS server and deletes the copies of itself.

So whenever the user accesses a site, say 'Google.co.in', the request is sent to the rogue DNS server, which uses the query to display ads relevant to it. This is also used to stop the antivirus from getting updates.

In November, the FBI found one such rogue DNS network. Taking down these systems at that time could have resulted in a complete stoppage of the Internet for the users having the rogue DNS.

The FBI replaced the rogue DNS servers with legitimate ones, a measure the agency said would be in effect for 120 days [i.e. till March 8]. This was done to give infected users some time to clean up their systems.

To verify whether you are infected by the DNSChanger Trojan, check your DNS server IP [Run -> cmd -> ipconfig /all].
If the DNS server's IP falls within these ranges, then it is possible that your system is infected with the DNSChanger Trojan.
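
The check described above, automated as an added example (not code from the original post): it parses `ipconfig /all` output and flags any DNS server that falls inside a list of networks. The range list is not present on this page, so `ROGUE_RANGES` holds placeholder documentation networks; the sample output and the function names are constructed for illustration.

```python
import ipaddress
# PLACEHOLDER networks (RFC 5737 documentation space), not the real rogue
# ranges: this page does not list them. Replace with the published ranges.
ROGUE_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/25")]

# Constructed sample of `ipconfig /all` output, for illustration only.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   DNS Servers . . . . . . . . . . . : 203.0.113.7
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

   DNS Servers . . . . . . . . . . . : 10.0.0.1
"""

def dns_servers(ipconfig_text):
    """Map each adapter header to the DNS servers listed under it."""
    result, adapter, in_dns = {}, "(no adapter)", False
    for line in ipconfig_text.splitlines():
        if not line.strip():
            in_dns = False
        elif not line[0].isspace():        # unindented line: adapter header
            adapter, in_dns = line.strip().rstrip(":"), False
        else:
            if " :" in line:               # "Label . . . : value" line
                label, _, value = line.partition(" :")
                in_dns = label.strip(" .") == "DNS Servers"
            else:                          # extra value for the previous label
                value = line
            if in_dns and value.strip():
                result.setdefault(adapter, []).append(value.strip())
    return result

def flag_rogue(ipconfig_text, ranges=ROGUE_RANGES):
    """Return (adapter, server) pairs whose DNS server lies in a listed range."""
    hits = []
    for adapter, servers in dns_servers(ipconfig_text).items():
        for server in servers:
            try:
                ip = ipaddress.ip_address(server.split("%")[0])  # drop zone id
            except ValueError:
                continue                   # not an IP address, ignore
            if any(ip.version == n.version and ip in n for n in ranges):
                hits.append((adapter, server))
    return hits
```

A clean result on the PC does not clear the router: when the listed DNS server is the gateway itself, as with 192.168.1.1 in the sample, the router's own DNS settings have to be checked separately.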



We kindly request all users not to trust such news completely.
