Posted: Jul 4, 2012
On July 9, thousands of Canadians and hundreds of thousands of people worldwide could be without access to the internet after the FBI shuts down temporary DNS servers used to assist victims of a massive internet fraud ring.
All computers that still use these servers will meet a virtual brick wall on July 9 and be unable to connect to the internet until their computers are cleared of the associated ‘DNSChanger’ virus.
The shutdown of the temporary DNS servers by U.S. authorities is the last stage in Operation Ghost Click, a two-year international investigation that officially ended in November 2011.
The FBI, in association with international law enforcement, managed to track and apprehend six Estonians using an ostensibly legitimate front company who had organized a sophisticated system of false DNS servers. These servers rerouted the web browsers of infected computers to sites of the hackers’ own choosing, some of which were fraudulent in nature.
[Photo: The FBI and international law enforcement caught the people behind Rove Digital in 2011. (REUTERS/Chris Morgan/Idaho National Laboratory)]
Computers were forced to connect to the internet through these servers by a customized virus called DNSChanger that was distributed along conventional channels, such as infected emails, bad websites, and malware scripts.
When it broke up the hacking group in 2011, the FBI established temporary ‘clean’ servers in place of the bad ones so that computers infected with DNSChanger wouldn’t suddenly be cut off from the internet.
However, the contract to maintain these servers will end July 9, resulting in their shutdown.
“An extension has not been requested,” says Jenny Shearer, a spokesperson for the FBI’s National Press Office.
According to Paul Vixie, chairman and founder of the Internet Systems Consortium (ISC) that has been operating the temporary servers for the FBI, the fraud had snared nearly 650,000 machines worldwide, about 25,000 of which were in Canada. He says the scheme is also estimated to have netted nearly $20 million over four years for those behind the virus.
[Chart: Canadians affected by DNSChanger (CBC News)]
Since November 2011, the number of computers still infected with DNSChanger has dropped substantially to 275,000 worldwide. In Canada, only about 7,000 machines are estimated to remain infected, as a result of efforts by the FBI and computer security companies to get users to follow instructions on how to check for and remove the virus.
However, for the thousands of users whose computers are still infected with DNSChanger, their machines will continue to redirect towards the DNS address supplied by the virus. They won’t be able to get online unless they clear the virus from their computer.
What is DNS?
To properly understand how the ring’s servers were able to operate for so long, it helps to understand the basics behind the technology. DNS is short for Domain Name System, the system that maps the numeric Internet Protocol (IP) addresses used to route traffic on the internet to text-based domain names that are easier for people to remember and type into a browser — for example, the IP address 126.96.36.199 and http://www.CBC.ca.
The DNS is a vital support for how people interact with the internet, and many services like email or internet browsing would be severely crippled without it.
DNS servers hold IP addresses and their corresponding text-based domain names and form a hierarchy, with each DNS server connecting to both clients as well as higher-level DNS servers. Each server progressively holds a greater share of internet addresses, eventually reaching up to the primary 13 root servers that have access to every domain in the world.
The mechanics of the plot
According to Trend Micro, an internet security firm that assisted the FBI in its investigation, the servers were controlled through an IT company named Rove Digital in Tartu, Estonia.
In the indictment outlining the plan, the company was said to have used several elements to pull off the scheme. First, the false DNS servers were set up and opened an alternative route for computers to connect to the internet, as opposed to a user’s own Internet Service Provider’s DNS server.
In the second step, the indictment says the members of the team, one of whom is still at large, developed and disseminated DNSChanger, a tool that changed the infected computer’s default DNS servers to route to the false ones when browsing the internet.
When a user would enter the alphanumeric name for a site through their web browser or search engine, the fake DNS server that the virus rerouted the request to would provide an alternate IP address that led to a different website.
Some of the sites were in and of themselves legitimate, like H&R Block; others were more obvious frauds, like http://www.idownload-store-music.com, a non-Apple affiliated site which purported to sell Apple products. In the case of the former, the servers redirected requests from users who had intended to go to the IRS website, and in the latter, users had wished to go to the iTunes store.
As the IP address generally remains hidden by most web browsers, a typical user wouldn’t know why or how they were sent to a different online location than the site they originally intended to visit.
However, the fraud was only conducted for certain websites, allowing some other requests to continue on the DNS chain undisturbed. This made the manipulation harder to detect.
[Photo: Victims of DNSChanger may not even know they’re infected until the FBI’s temporary servers go offline. (REUTERS/John Adkisson)]
The company, Rove Digital, is accused of making money from the nearly 650,000 infected computers by receiving ‘per-click’ revenue from advertisers, an otherwise legal method that rewards popular sites that refer users to sites being advertised, according to the official New York indictment and the FBI’s Shearer.
For each person who visited the advertising sites, the team is accused of making a small referral fee from the advertiser, eventually racking up millions in commissions.
What to do if you’re still infected
With users no longer being routed toward fraudulent sites after the FBI stepped in, and being sent to the temporary clean DNS server instead, the virus lost most of its bite. However, as long as it remains on a user’s computer, it will continue to force a web browser to try to route through the temporary DNS servers, even when those servers are taken offline.
It also has the harmful effect of preventing some anti-virus software packages from updating their virus definitions, which is a problem for most users because their protection cannot stay current.
The DNS Changer Working Group (DCWG) is one of the primary resources on how to check for and remove the DNSChanger virus from a computer.
To help users identify and remove the virus, the Canadian Internet Registration Authority (CIRA), in collaboration with the Canadian Cyber Incident Response Centre (CCIRC) and the Canadian Radio-television and Telecommunications Commission (CRTC), has also directed Canadians who believe their computers may have the virus to visit http://www.dns-ok.ca/. The website is designed to check if a computer is using an address that falls within the range utilized by the false DNS servers.
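The check that dns-ok.ca performs, comparing a machine’s configured resolver against the known rogue netblocks, can be reproduced locally for a fleet. The following is an added example, not the DCWG’s or CIRA’s tool: it parses a Unix resolv.conf-style configuration and flags any nameserver inside a rogue range. The ROGUE_RANGES and the sample configuration are constructed placeholders (documentation IP space), not the real DNSChanger ranges, which the page does not list.

```python
import ipaddress

# Placeholder netblocks standing in for the rogue resolver ranges published by
# the DCWG; constructed from RFC 5737 documentation space, NOT the real list.
ROGUE_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]

# Constructed sample of a resolv.conf-style configuration: one rogue, one clean.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP
search example.test
nameserver 192.0.2.77
nameserver 203.0.113.5
"""


def parse_nameservers(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # skip malformed entries rather than abort the scan
    return servers


def flag_rogue(servers, rogue_ranges=ROGUE_RANGES):
    """Return the subset of servers that fall inside any rogue netblock."""
    return [s for s in servers if any(s in net for net in rogue_ranges)]


def check_resolv_conf(text):
    """Summarise configured resolvers and which of them are rogue."""
    servers = parse_nameservers(text)
    return {
        "configured": [str(s) for s in servers],
        "rogue": [str(s) for s in flag_rogue(servers)],
    }


if __name__ == "__main__":
    report = check_resolv_conf(SAMPLE_RESOLV_CONF)
    for addr in report["configured"]:
        status = "ROGUE" if addr in report["rogue"] else "ok"
        print(f"{addr}: {status}")
```

On a real host, read /etc/resolv.conf (or the equivalent output of the OS network tooling) into check_resolv_conf instead of the constructed sample, and replace ROGUE_RANGES with the published list.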