DNSChanger malware shutdown affects few Canadians
FBI shuts down servers keeping malware-infected machines connected
CBC News
Posted: Jul 9, 2012 5:03 AM ET
Last Updated: Jul 9, 2012 5:21 PM ET
An FBI illustration showing how a DNS server converts a domain name typed into the web browser on your home computer into a numerical address that allows your computer to find the corresponding website. (FBI.gov)
Two of Canada's largest internet service providers, Bell Canada and Rogers Communications, say their customers were not significantly affected by Monday's shutdown of the temporary FBI-operated servers in the U.S. that had been keeping Canadian web users safely attached to the internet.
An estimated 10,000 Canadian internet users were said at one point to have fallen victim to the DNSChanger virus that had taken over computers worldwide.
But "from what I've been able to determine, Bell has received less than a dozen calls from customers today," Bell spokesman Albert Lee said in an email.
"Our IT security team continues to monitor the situation and exchange information with other providers, but we have not seen a significant impact."
Lee said the company estimates that 1,000 Bell customers were potentially affected by the shutdown of the temporary DNS servers that the FBI had been keeping in operation since November 2011 as part of Operation Ghost Click.
Rogers Communications said it had also received some calls about the DNSChanger virus on Monday but did not specify how many. Both companies said they had contacted, in advance, customers they thought could be affected.
Bell had also set up an information page about the malware.
Less than 1 per cent of Canadian IP addresses affected
As of July 8, there were about 210,851 unique IP addresses worldwide still using the temporary servers, according to the DNSChanger Working Group, which had been helping the FBI monitor the temporary servers.
Of those, 41,557 were in the U.S. and 7,289 in Canada, with the latter accounting for only "a fraction of one per cent of all Canadian IP addresses," according to a spokesperson for Public Safety Canada, which has been working with the Cyber Incident Response Centre to inform the public about the issue.
Many of those who were surprised to find their home computers cut off from the internet Monday took to their mobile devices instead, posting messages of frustration and confusion on Twitter and Facebook.
The servers were part of the FBI's investigation into a cybercriminal group that had, between 2007 and 2011, rerouted more than four million computers in about 100 countries through a system of false DNS servers. The virus manipulated these computers, getting them to bypass their usual ISP connection so they could be directed to fraudulent websites that promoted fake products.
At the end of the investigation, the FBI contracted the non-profit Internet Systems Consortium to replace the rogue DNS servers with clean ones and keep them operating temporarily so that the infected computers connected to them would not lose internet access when the rogue servers were shut down.
The FBI said it did its best to identify which machines were infected with the virus and to inform the relevant ISPs, but that it was unable to trace all instances of the virus.
Those users who removed the virus from their computers had their normal internet connections restored, but those who didn't continued to be rerouted through the temporary servers instead of through their internet provider's servers — until July 9, when those temporary servers were disconnected.
The FBI arrested six Estonian nationals in connection with the DNSChanger scam, and they have been charged with several counts of wire fraud, computer intrusion, conspiracy and money laundering. A seventh person, of Russian origin, remains at large.
According to the FBI, the cybercriminals, who operated under the company name Rove Digital, earned about $14 million US off the sale of illegitimate products and advertising on the fraudulent websites they were directing victims to.
In one typical example of the DNS scam cited by the FBI, users who clicked on the link for the official iTunes website were instead directed to a website selling fraudulent Apple software.
Remove malware or reformat
Unfortunately, those who lost their internet connection Monday have little choice now but to take their machines to a computer expert and have the malware removed, since they won't be able to directly access the online services designed to detect or remove the virus.
Alternatively, affected users can use an uninfected machine to try to download some of the free DNSChanger virus scan and removal software compiled by the DNSChanger Working Group at www.dcwg.org/fix/ onto removable media, like a USB flash drive, and use that device to disinfect the compromised computer.
A more extreme course of action would be to back up important data and wipe the hard drive clean and reformat it — or have this done by a computer technician.
Those who choose this route should keep in mind that if they don't back up files to a separate drive, they'll lose them, because reformatting cleans out all the files on a drive. The operating system and applications will also need to be reinstalled after reformatting.
Check DNS settings
If you are having trouble accessing the internet and are reading this on another device, you can check whether your computer has been infected with DNSChanger by identifying your DNS settings and comparing them against the list of known rogue IP addresses listed on the FBI or Public Safety Canada websites.
According to those sites, if a DNS server address in your settings falls within one of the following ranges, your computer is infected with the virus:
- 85.255.112.0 through 85.255.127.25
- 67.210.0.0 through 67.210.15.255
- 93.188.160.0 through 93.188.167.255
- 77.67.83.0 through 77.67.83.255
- 213.109.64.0 through 213.109.79.255
- 64.28.176.0 through 64.28.191.255
To find your DNS settings, Public Safety Canada recommends the following steps.
For Windows users:
- Go to Start menu.
- Select Run...
- Type: cmd.exe [press ENTER].
- Type in the black command window: ipconfig /all [press ENTER].
- Search for the line that says "DNS Servers." Often, two or three IP addresses are listed.
- Compare against list of rogue IP addresses.
For Apple users:
- Go to System Preferences.
- Select Network.
- Select the connection used for internet access (typically, AirPort or ethernet).
- Select Advanced.
- Select the DNS tab.
- Compare against list of rogue IP addresses.

