Ever since the internet became popular, there has been Trojan horse software trying to spy on valuable user data. The "DNS Changer" malware may soon cause many computers to lose their internet connection on March 8th 2012.
[UPDATE] On March 5, the U.S. District Court extended the deadline for shutting down the replacement DNS servers for affected computers by four months, to July 9, 2012. This gives you 120 additional days to identify and clean affected computers in your network before those machines are disconnected from the internet. Originally, the shutdown would have happened this Thursday.
Many Systems Affected
There are different kinds of Trojan horse software. Usually, such malware sends sensitive information, e.g. login data, back to a group of servers controlled by the malware author, where the information is collected and potentially reviewed and misused (for example, for fraudulent credit card orders). The "DNS Changer" malware goes one step further: It "hijacks" a computer's DNS settings by replacing the configured DNS servers with servers run by the criminals. Because every name lookup then passes through those servers, the attackers can answer with whatever addresses they choose and silently lead the user to fraudulent sites when surfing the web. The FBI speaks of more than 4 million computers infected in more than 100 countries since 2007.
A Temporary Solution Only
In November 2011 the criminals behind this malware were arrested, and the FBI took over the fraudulent DNS servers and replaced them with "good" DNS servers at the same addresses. Since then, users with infected systems have been able to use their computers normally, getting correct DNS resolutions. However, their systems are still infected by the "DNS Changer", and their DNS settings still point to those addresses. Under the court order, the FBI will shut down the formerly rogue DNS servers by March 8th (see the update above for the extended deadline). Systems still using them will no longer be able to resolve any names and will therefore, in effect, be cut off from the internet on that day at the latest.
Check Single Computers Manually
There are many software products available to remove the malware, and it is, of course, always a good idea to keep your anti-virus solution up-to-date. However, cleaning the computer alone may not be enough: the "DNS Changer" could also have changed the DNS configuration of certain hardware routers if their default administrative credentials were never changed. In that case every device behind the router keeps using the rogue DNS servers, so check the router's DNS settings as well and change its password.
There are websites available which can check single computers for DNS infections. For example, Germany's BSI (Federal Office for Information Security), together with Deutsche Telekom, created a simple "red/green" test available at http://www.dns-ok.de/.
Check Your Network with PRTG Now
But what if you have to administer an entire network?
We recommend you monitor your internet traffic and check whether there are any requests to one of the DNS servers used by the "DNS Changer". If you have switches or routers supporting NetFlow, sFlow, or jFlow, this can be done easily using one of PRTG's xFlow sensors. Alternatively, you can set up a SPAN (mirror) port on your switch or router and use PRTG's Packet Sniffer sensor to monitor the traffic.
Within the sensor settings, simply filter traffic directed to the formerly rogue DNS servers into a dedicated channel and keep an eye on this sensor. The FBI has released a list with the respective DNS ranges (PDF). If there is traffic to one of these addresses, you would know there is at least one infected system within your network. If your network is affected, PRTG's Toplists can help to further analyze the issue, in order to find the origin of these requests.
For example, set up a NetFlow V9 (Custom) sensor using the following Channel Definition:
#1:Public DNS Servers
#2:Rogue DNS Servers (as reported by the FBI)
In the Public DNS Servers channel list, replace the IP addresses with your own DNS servers and, if necessary, add or remove entries in the list. The example above shows DNS servers of Google and OpenDNS.
You can also set Include Filters to only monitor DNS traffic (port 53); otherwise all your non-DNS traffic will be summed up in the channel called "Other."
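The same classification can be tried offline before touching the sensor configuration. The following script is an added example and is not PRTG code: it parses a few constructed NetFlow-style records (source, destination, protocol, destination port, bytes), sorts each record into the "Public DNS Servers", "Rogue DNS Servers" or "Other" channel exactly as the channel definition above intends, and builds a small toplist of the internal hosts talking to the rogue ranges. The rogue ranges are the ones published in the FBI's DNSChanger notice; the public resolver addresses (Google, OpenDNS) stand in for your own DNS servers, and the flow records are made up for the illustration.

```python
"""Classify flow records by DNS destination (added example, not PRTG code).

The rogue ranges are the six ranges published in the FBI's DNSChanger
notice; verify them against the FBI PDF before relying on them.
The sample flow log at the bottom is constructed for this example.
"""
import ipaddress
from collections import Counter

# Rogue DNS ranges from the FBI notice, written as CIDR blocks.
ROGUE_DNS_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20",    # 85.255.112.0  - 85.255.127.255
    "67.210.0.0/20",      # 67.210.0.0    - 67.210.15.255
    "93.188.160.0/21",    # 93.188.160.0  - 93.188.167.255
    "77.67.83.0/24",      # 77.67.83.0    - 77.67.83.255
    "213.109.64.0/20",    # 213.109.64.0  - 213.109.79.255
    "64.28.176.0/20",     # 64.28.176.0   - 64.28.191.255
)]

# Resolvers you expect to see; replace with your own DNS servers.
PUBLIC_DNS_SERVERS = {ipaddress.ip_address(a) for a in (
    "8.8.8.8", "8.8.4.4",                   # Google Public DNS
    "208.67.222.222", "208.67.220.220",     # OpenDNS
)}


def parse_flows(text):
    """Parse 'src,dst,proto,dport,bytes' lines into flow dicts."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, proto, dport, nbytes = line.split(",")
        flows.append({"src": src, "dst": dst, "proto": proto.lower(),
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def classify(flow):
    """Return the channel a flow belongs to, mirroring the sensor's channel definition."""
    # The Include Filter: only DNS traffic counts as DNS, everything else is "Other".
    if flow["proto"] not in ("udp", "tcp") or flow["dport"] != 53:
        return "Other"
    dst = ipaddress.ip_address(flow["dst"])
    if any(dst in net for net in ROGUE_DNS_RANGES):
        return "Rogue DNS Servers"
    if dst in PUBLIC_DNS_SERVERS:
        return "Public DNS Servers"
    return "Other"


def summarize(flows):
    """Sum bytes per channel and build a toplist of sources that reached rogue servers."""
    channels = Counter()
    toplist = Counter()
    for flow in flows:
        channel = classify(flow)
        channels[channel] += flow["bytes"]
        if channel == "Rogue DNS Servers":
            toplist[flow["src"]] += flow["bytes"]
    return channels, toplist


# Constructed sample flow log (not real traffic): src,dst,proto,dport,bytes
SAMPLE_FLOW_LOG = """
192.168.1.10,8.8.8.8,UDP,53,120
192.168.1.11,208.67.222.222,UDP,53,98
192.168.1.23,85.255.112.48,UDP,53,76
192.168.1.23,85.255.113.5,UDP,53,80
192.168.1.40,93.188.161.9,UDP,53,64
192.168.1.10,93.188.170.1,TCP,443,1500
192.168.1.11,10.0.0.53,UDP,53,70
"""

SAMPLE_FLOWS = parse_flows(SAMPLE_FLOW_LOG)


if __name__ == "__main__":
    channels, toplist = summarize(SAMPLE_FLOWS)
    for name, total in channels.items():
        print(f"{name:20s} {total:6d} bytes")
    if toplist:
        print("Hosts talking to rogue DNS servers (toplist):")
        for host, total in toplist.most_common():
            print(f"  {host:15s} {total:6d} bytes")
```

Note that 93.188.170.1 is not flagged even though it looks similar to a rogue address: the third octet falls outside the /21, and the flow is not DNS anyway. A host appearing in the toplist is the machine whose DNS settings (or whose router's settings) need to be checked and cleaned.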
Watch Your Sensor
PRTG will start monitoring immediately after you create the new sensor. As long as your sensor does not show any traffic in the Rogue DNS Servers channel, no requests to the rogue servers have been detected. Keep in mind that DNS lookups are small and infrequent: sampled flow data (sFlow) can miss individual queries, and a machine that is switched off during the observation period produces no traffic at all, so let the sensor run for a while before concluding that your network is clean.
This kind of network check can be set up even when using the Freeware or Trial versions of PRTG! Download your copy today and make sure your network is not infected.