JPCERT-AT-2012-0008
JPCERT/CC
06.03.12 (First edition)
07.03.12 (Updated)

<<< JPCERT/CC Alert 06.03.12 >>>
Infections by Malware which Rewrites DNS Settings (DNS Changer)
https://www.jpcert.or.jp/at/2012/at120008.html

I. Overview

JPCERT/CC has obtained information regarding malware which rewrites DNS
settings (DNS Changer). The DNS Changer malware was first detected in 2007.
Currently, several tens of thousands of PCs worldwide are infected with DNS
Changer. The number of infected computers located within Japan is also high.

In November 2011, the United States Federal Bureau of Investigation (FBI)
seized the rogue DNS servers and replaced them with non-malicious DNS
servers. However, the FBI plans to shut these DNS servers down on March 9,
2012 (Japanese time), so PCs infected with DNS Changer may be unable to view
web sites, send e-mail, etc. on or after March 9, 2012.

*** Update: Added on 07.03.2012 **************************************
DNS server operation has been extended by approximately 120 days as a
result of a judgment by a US district court.
**********************************************************************

II. Confirmation Method

Refer to the procedure below to confirm the DNS server information
configured on PCs.

1) Checking DNS configuration information in Microsoft Windows

  1. Start the command prompt.
     (for Windows 7):
       Click "Start Menu" - "Search Programs and Files". Enter "cmd.exe",
       and click the displayed program.
     (for Windows XP):
       Click "Start Menu" - "Run...". Enter "cmd.exe", and click OK.

  2. At the command prompt, enter "ipconfig /all", and press Enter.

  3. Check for the lines in the displayed results that contain
     "DNS Servers" (several IP addresses may be specified).

   * Check each interface when multiple interfaces are used (wireless
     LANs, wired LANs, etc.).
   * The following site also contains the DNS configuration confirmation
     procedure.
     Checking for DNS Changer Malware
     http://dcwg.org/checkup.html

2) Check if the DNS server IP addresses confirmed in 1) fall within the
   following IP address ranges.

   (Rogue DNS server IP address ranges)
     85.255.112.0  - 85.255.127.255
     67.210.0.0    - 67.210.15.255
     93.188.160.0  - 93.188.167.255
     77.67.83.0    - 77.67.83.255
     213.109.64.0  - 213.109.79.255
     64.28.176.0   - 64.28.191.255

   If any of the DNS servers has an IP address that falls in one of the
   above ranges, the PC may be infected with DNS Changer. Refer to III
   and implement the solution described there.

III. Solution

If there is a possibility that the PC has been infected with DNS Changer,
perform the steps below.

- Disconnect the PC from the network. Follow the instructions of the
  system administrator to confirm whether the PC is infected with the
  malware.
  * A PC infected with malware may have downloaded other malware, so a
    PC infected with one type of malware may be infected with other
    types as well.

- Change the PC's DHCP and IP address settings so that a valid DNS
  server's IP address is used.

The FBI has also confirmed a variant of DNS Changer that changes router
DNS settings. If a DNS Changer infection is detected on a PC, also check
whether the router(s) used by that computer are infected as well. For more
information, refer to the following:

  DNS Changer Update (NANOG Security BoF)
  http://dcwg.org/docs/DNS_Changer_NANOG54.pdf

IV. References

  Federal Bureau of Investigation (FBI)
  DNSChanger Malware
  http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf

  US-CERT
  DNSChanger Malware
  http://www.us-cert.gov/current/index.html#operation_ghost_click_malware

  IIJ-SECT
  Infections by DNS Changer Malware
  https://sect.iij.ad.jp/d/2012/02/245395.html

  NANOG
  DNS Changer Update (NANOG Security BoF)
  http://dcwg.org/docs/DNS_Changer_NANOG54.pdf

If you have any further questions or information regarding this alert,
please contact JPCERT/CC.
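As an added example (not part of the JPCERT/CC alert), the following Python script automates the confirmation method in section II: it parses the text printed by "ipconfig /all" and reports every adapter whose configured DNS servers fall inside the rogue address ranges listed in II.2. The sample ipconfig output embedded in the script is constructed for illustration, and the function and variable names are the author's own.

```python
import ipaddress
# Rogue DNS server ranges from section II.2 of the alert (start, end; inclusive).
ROGUE_RANGES = [("85.255.112.0", "85.255.127.255"), ("67.210.0.0", "67.210.15.255"),
                ("93.188.160.0", "93.188.167.255"), ("77.67.83.0", "77.67.83.255"),
                ("213.109.64.0", "213.109.79.255"), ("64.28.176.0", "64.28.191.255")]

def is_rogue_dns(ip):
    """True if ip is an IPv4 address inside one of the rogue ranges."""
    try:
        addr = ipaddress.ip_address(ip.split("%")[0])  # drop an IPv6 scope id
    except ValueError:
        return False
    return addr.version == 4 and any(  # the listed ranges are IPv4 only
        ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
        for lo, hi in ROGUE_RANGES)

def dns_servers_from_ipconfig(output):
    """Parse 'ipconfig /all' text into {adapter name: [DNS server IPs]}."""
    servers, adapter, collecting = {}, None, False
    for line in output.splitlines():
        if not line.strip():
            collecting = False
        elif not line[0].isspace():  # adapter header, e.g. "Ethernet adapter X:"
            adapter, collecting = line.strip().rstrip(":"), False
        elif len(line) - len(line.lstrip()) <= 4:  # field line "   Name . . : value"
            name, _, value = line.partition(":")
            collecting = name.strip(" .").lower() == "dns servers"
            if collecting:
                servers.setdefault(adapter, []).extend(value.split())
        elif collecting:  # deeper-indented continuation: one more DNS server
            servers[adapter].extend(line.split())
    return servers

def find_rogue_dns(output):
    """Map adapter name -> rogue DNS servers; adapters with none are omitted."""
    rogue = {a: [ip for ip in ips if is_rogue_dns(ip)]
             for a, ips in dns_servers_from_ipconfig(output).items()}
    return {a: ips for a, ips in rogue.items() if ips}

# Constructed sample 'ipconfig /all' output (not captured from a real host).
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 192.168.1.20(Preferred)
   DNS Servers . . . . . . . . . . . : 85.255.112.10
                                       213.109.70.3

Wireless LAN adapter Wireless Network Connection:
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       192.168.1.1
"""
```

On a real Windows host, pass the actual command output to find_rogue_dns (for example by piping "ipconfig /all" into a script that reads standard input); an adapter listed in the result needs the steps in section III.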
________

Revision history

  06.03.12  First edition
  07.03.12  Extension added to "I. Overview" section

======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600
FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/