The highly anticipated DNS Changer D-Day came and went earlier this week. On Monday July 9th, the DNS servers that had been acting as temporary hosts for users infected by the DNS Changer malware were taken offline. But did the affected users lose their Internet access as a result? According to an investigation by eSecurity Planet, that didn’t quite happen.
The Internet Systems Consortium (ISC) had been tasked by the FBI to operate replacement DNS servers, and those DNS servers were in fact taken down on July 9th. However, U.S.-based ISPs have stepped in to cushion the fall by re-routing users to ensure they don't lose their Internet access.
Among the ISPs continuing to redirect users even after the July 9th takedown is U.S. telecom giant Verizon, as well as CenturyLink and Cox Communications.
“Verizon has set up a soft-walled garden so that our customers are not impacted as we continue a concerted and multipronged communications effort,” Heather Wilner, Verizon Public Relations spokesperson, told eSecurity Planet. “We will continue to provide extended support to our customers during the month of July — while continuing to instruct them on the necessary actions they must take to resolve the issue on their computers.”
Wilner added that the overall impact of DNS Changer on Verizon this week has been minimal. She noted that some calls were received by Verizon’s customer service centers, but very few Verizon customers were affected.
The DNS Changer malware changes a computer’s DNS settings so that name lookups go to servers under the attackers’ control, which can redirect unsuspecting users to fraudulent and harmful websites. DNS is the critical Internet technology that matches a domain name (e.g., example.com) with the IP address of the server that actually hosts it. When a computer’s DNS settings or DNS answers are altered, a user can be taken to a different location than the one they intended. The FBI seized the command and control servers for the DNS Changer malware in November 2011. Those servers were operated as a stop-gap measure by ISC until July 9th.
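Because the malware works by rewriting the resolver addresses a computer uses, the practical check is to compare a host’s configured DNS servers against the ranges the rogue resolvers lived in. The script below is an added example, not code from eSecurity Planet or any of the ISPs quoted here; it extracts the resolvers from a resolv.conf file or from `ipconfig /all` output and flags any that fall inside a block list. The ranges in the block are placeholders from documentation address space, since the article does not list the real DNS Changer ranges.

```python
"""Flag configured DNS resolvers that fall inside known rogue ranges.
Added example. ROGUE_RANGES holds PLACEHOLDER documentation networks
(RFC 5737), not the real DNS Changer ranges; substitute the published list."""
import ipaddress
import re

# Placeholder block list; replace with the real rogue-resolver ranges.
ROGUE_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

# Dotted-quad IPv4 literal not embedded in a longer dotted/numeric run.
_IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def configured_resolvers(text):
    """Return resolver IPs from resolv.conf text or `ipconfig /all` output."""
    servers = []
    in_dns_block = False  # inside the 'DNS Servers' entry of ipconfig output
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("nameserver"):          # resolv.conf style
            servers += _IPV4.findall(stripped)
            in_dns_block = False
        elif stripped.lower().startswith("dns servers"):  # ipconfig style
            servers += _IPV4.findall(stripped)
            in_dns_block = True
        elif in_dns_block and ":" not in stripped and _IPV4.fullmatch(stripped):
            servers.append(stripped)  # extra servers on continuation lines
        else:
            in_dns_block = False
    return servers


def rogue_resolvers(text):
    """Return the configured resolvers that sit inside a rogue range."""
    return [s for s in configured_resolvers(text)
            if any(ipaddress.ip_address(s) in net for net in ROGUE_RANGES)]


# Constructed sample inputs, not captured from a real host.
SAMPLE_RESOLV_CONF = "search example.net\nnameserver 192.0.2.10\nnameserver 10.0.0.1\n"
SAMPLE_IPCONFIG = (
    "   IPv4 Address. . . . . . . . . . . : 10.0.0.5\n"
    "   DNS Servers . . . . . . . . . . . : 198.51.100.7\n"
    "                                       10.0.0.1\n"
    "   NetBIOS over Tcpip. . . . . . . . : Enabled\n"
)

if __name__ == "__main__":
    for name, text in (("resolv.conf", SAMPLE_RESOLV_CONF), ("ipconfig", SAMPLE_IPCONFIG)):
        print(name, "rogue resolvers:", rogue_resolvers(text) or "none")
```

On a live host, feed it the contents of /etc/resolv.conf or the saved output of `ipconfig /all`; a non-empty result means the machine is still pointed at a resolver in the block list.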
Verizon isn’t the only major U.S. Internet provider that is continuing to provide DNS Changer redirect services. Both Cox Communications and CenturyLink confirmed to eSecurity Planet that they also provide the service. CenturyLink is one of the largest Internet providers in the U.S. after completing the acquisition of Qwest for $22 billion in 2010.
“To help protect our customers’ computers, and to ensure continued internet access, we are redirecting DNS traffic away from the malicious sites and sending it to CenturyLink-controlled DNS servers,” Mark Molzen, CenturyLink spokesperson, told eSecurity Planet. “Doing so will enable continued Internet browsing, email, and other activities.”
Todd Smith, Director of Media Relations for Cox, told eSecurity Planet that his company worked closely with the FBI on this case in the fall and immediately established a redirect for infected customers to Cox DNS servers.
“Therefore, no Cox customers were impacted when the FBI discontinued managing the servers seized in the arrest,” Smith said. “As with other malicious attacks, Cox’s Safety Team will contact each infected customer in the coming months via phone, email, and in-browser notification to notify them of the infection and help ensure an optimal user experience long term.”
Less than 1 Percent of Users Still Infected
While Cox is continuing to operate DNS for those affected by the DNS Changer malware, the overall numbers are small. According to Smith, less than one percent of Cox customers are infected by this virus.
The small number of infections is echoed by cable Internet giant Comcast. Comcast spokesperson Charlie Douglas told eSecurity Planet that Comcast had estimated that far fewer than one tenth of one percent of its customers would be affected.
“Since the FBI (via the Internet Services Coalition) disconnected the servers associated with this botnet, we’ve only received a minuscule number of calls, but our Customer Care and Security Assurance Teams are standing by and ready to help,” Douglas said.
DNSSEC: Not a Cure for DNS Changer
DNS Changer isn’t the first time users around the world have been alerted to risks in DNS. In the summer of 2008, security researcher Dan Kaminsky captured the world’s attention with a critical DNS flaw that could have potentially crippled the operation of the Internet as a whole. The flaw was patched with a band-aid update to major DNS servers, though the long-term solution was supposed to be a technology known as DNSSEC. With DNSSEC, DNS records are cryptographically signed so that a validating resolver can verify their integrity and authenticity before handing answers to users.
Nonetheless, DNSSEC would not have provided an adequate defense against the DNS Changer malware, said Roger Thompson, chief emerging threats researcher at ICSA Labs. The reason is that DNS Changer did not forge answers in transit; it changed which resolver the victim’s computer trusted, and a computer that does not validate signatures itself will accept whatever its configured resolver returns, signed or not.
“While it would be great if everyone had implemented DNSSec, it’s not easy, and probably not cheap,” Thompson said. “Even after all that, it might not have prevented an issue like DNS Changer.”
Ultimately, DNS Changer is malware that affects Microsoft Windows users. To help prevent future outbreaks, Microsoft offers several tools, including Windows Defender Offline.
“We also encourage all computer users to exercise safe practices to protect their computers from becoming infected with malware, such as running up-to-date software (for Windows users, this means also ensuring Windows Update is turned on to automatically update your Windows software), firewall protection and anti-virus/anti-malware protection,” Microsoft said in a statement emailed to eSecurity Planet. “You should also exercise caution when surfing the web, clicking on ads or email attachments that may prove to be malicious.”