“A massive and sophisticated Internet fraud scheme that infected with malware more than four million computers located in over 100 countries.” - FBI.gov

In the aftermath of the massive DNS changer scam, perpetrated by six Estonian nationals and one Russian national (read more here and here), the FBI states that after July 9th thousands may lose their access to the internet because of the DNS changer virus. Rove Digital's malicious DNS servers and virus redirected users to fictitious websites hosted on the cyber criminals' (Rove Digital's) own servers. This allowed them to collect over 14 million in illegal income by directing users to a doppelganger version of a site, selling them fake goods and services, and advertising legitimate goods through deceptive means.

User computers that are still infected (over 350,000 worldwide according to the FBI) can currently connect to the internet through “safe servers” the FBI has set up. The problem is that if users do not remove the DNS changer virus from their computers before the 9th of July (the safe server shutdown date), the infected computers will no longer be able to access the internet.

Do you have the DNS changer virus?

How do you know if you have been infected by the DNS changer virus? The FBI has set up an easy scan that will tell you within seconds whether you are infected. U.S. residents can visit http://www.dns-ok.us/ and those outside the U.S. can visit one of the sites below.

URL | Language | Maintainer
www.dns-ok.us | English | DNS Changer Working Group (DCWG)
www.dns-ok.de | German | Bundeskriminalamt (BKA) & Bundesamt für Sicherheit in der Informationstechnik (BSI)
www.dns-ok.fi | Finnish, Swedish, English | CERT-FI, the Finnish national reporting point for computer security incidents and information security threats; CERT-FI is also responsible for maintaining the national information security situation awareness system
www.dns-ok.ax | Swedish, Finnish, English | CERT-FI (see above)
www.dns-ok.be | Dutch/French | CERT-BE, the primary Belgian contact point for dealing with Internet security threats and vulnerabilities affecting Belgian interests
www.dns-ok.fr | French | CERT-LEXSI, the Internet monitoring and investigation division dedicated to protecting organisations' online assets
www.dns-ok.ca | English/French | Canadian Internet Registration Authority (CIRA) and Canadian Cyber Incident Response Centre (CCIRC)
www.dns-ok.lu | English | CIRCL (Computer Incident Response Center Luxembourg), the national Computer Security Incident Response Team (CSIRT/CERT) coordination center for the Grand-Duchy of Luxembourg
www.dns-ok.nl | Dutch | SIDN (the Foundation for Internet Domain Registration in the Netherlands)
dns-ok.gov.au | English | CERT Australia, Stay Smart Online, and Australian Communications and Media Authority joint page on DNSChanger information
dns-changer.eu | German, Spanish, English | ECO (Association of the German Internet Industry)
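As an added example, not code from the original article or from the DCWG checker sites: the same check done locally in Python, reading the resolvers a machine is configured to use (from a resolv.conf file or the output of `ipconfig /all`) and matching them against rogue resolver ranges. The ranges in the block are placeholders from documentation address space, not the ranges the FBI published, and the sample inputs are constructed.

```python
import ipaddress

# PLACEHOLDER ranges (RFC 5737 documentation space), not the rogue resolver
# ranges the FBI/DCWG published: substitute that list before real use.
ROGUE_RESOLVER_RANGES = [ipaddress.ip_network("198.51.100.0/24"), ipaddress.ip_network("203.0.113.0/24")]

def _as_ip(token):
    """Parse a bare IPv4/IPv6 token (Windows zone id such as %1 stripped); None if invalid."""
    try:
        return ipaddress.ip_address(token.split("%", 1)[0].strip())
    except ValueError:
        return None

def parse_resolvers(text):
    """Collect configured resolvers from resolv.conf text ('nameserver <ip>' rows)
    or `ipconfig /all` output ('DNS Servers . . : <ip>' plus bare continuation lines)."""
    resolvers, in_dns_block = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("nameserver "):
            ip = _as_ip(line.split(None, 1)[1])
            if ip is not None:
                resolvers.append(ip)
            continue
        if line.startswith("DNS Servers"):
            in_dns_block = True
            line = line.split(":", 1)[1] if ":" in line else ""
        if in_dns_block:
            ip = _as_ip(line)
            if ip is None:  # any non-IP line (next field, blank line) ends the block
                in_dns_block = False
            else:
                resolvers.append(ip)
    return resolvers

def rogue_resolvers(text, rogue_ranges=ROGUE_RESOLVER_RANGES):
    """Return the configured resolvers (as strings) that fall inside a rogue range;
    an empty list means the machine is not pointed at a rogue resolver."""
    return [str(ip) for ip in parse_resolvers(text)
            if any(ip in net for net in rogue_ranges)]

# Constructed sample inputs, not real captures.
CLEAN_RESOLV_CONF = "nameserver 192.0.2.53\nnameserver 192.0.2.54\n"
HIJACKED_IPCONFIG = """Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   DNS Servers . . . . . . . . . . . : 203.0.113.7
                                       198.51.100.5
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
```

A non-empty result from `rogue_resolvers` is the local equivalent of the red result on the dns-ok sites; an empty result only says the resolver setting is clean, not that no other malware is present.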

How do I get rid of the DNS changer virus?

“Of the computers infected with malware, at least 500,000 were in the United States, including computers belonging to U.S. government agencies, such as NASA; educational institutions; non-profit organizations; commercial businesses; and individuals.” - FBI.gov

The FBI, in coordination with several other international security and government agencies, has also set up a guide to help with removing the DNS changer virus, available at http://www.dcwg.org/fix/. The guide suggests two routes to safely removing the DNS changer virus. First, if the scan finds you are infected, the scan page explains the steps to remove the virus; alternatively, they suggest using one of the virus removal and virus cleaner tools below. We can also remove the redirect virus for you.

More about our virus removal service.

Hitman Pro (32bit and 64bit versions): http://www.surfright.nl/en/products/
Kaspersky Labs TDSSKiller: http://support.kaspersky.com/faq/?qid=208283363
McAfee Stinger: http://www.mcafee.com/us/downloads/free-tools/stinger.aspx
Microsoft Windows Defender Offline: http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline
Microsoft Safety Scanner: http://www.microsoft.com/security/scanner/en-us/default.aspx
Norton Power Eraser: http://security.symantec.com/nbrt/npe.aspx
Trend Micro Housecall: http://housecall.trendmicro.com
MacScan: http://macscan.securemac.com/
Avira’s DNS Repair-Tool: http://www.avira.com/en/support-for-home-knowledgebase-detail/kbid/1199

How can I protect myself from viruses and malware like the DNS changer virus?

Having a good computer security system along with safe browsing habits is a great place to start. “Computer viruses are a dangerous and constant threat for pc and mac users. Knowing how to protect your computer, your files, and identity online can be tough. With this article we hope to provide some basic tips on how to prevent computer viruses and how to protect you and your computer from viruses.” Excerpt from our guide to protecting yourself from computer viruses. Read the full article here.

Can my ISP (internet service provider) help me with this infection?

Generally speaking, this falls outside of most ISPs' support scope. This means they can only refer customers to virus removal services that can help with this type of problem. The reason ISPs do not support this type of issue is that it is not their service causing the problem but the user's computer. The following ISPs do have information available through their websites that can help users resolve this problem.

ISP | Page
AT&T | 8 Suggestions for Mitigating and Preventing DNSChanger Malware in your Enterprise – What Can Help You Avoid Being a Victim
Bell Canada | Important information about DNS Changer malware
CenturyLink | CenturyLink DNSChanger Customer Notice
Comcast | DNS Changer Bot FAQ
COX | COX DnsChanger Malware Information
Verizon | Verizon’s Virus Help Website for DNS Changer Malware

So who is Rove Digital and how did this happen?

The Rove Digital group used rogue domain name system servers and malicious software to first infect computers across the world, with the intent of rerouting users to false websites. The DNS changer virus would also block anti-virus software from receiving updates, so that it could avoid detection. This type of virus and malware (click hijacking, DNS redirection, and advertisement fraud) is not a new threat. Malicious software and redirection like this has been used many times before, but earlier campaigns did not affect so many users for so long a time.

Apparently the group of conspirators masqueraded as legitimate publisher networks. These networks help website owners register as advertisers for various products and services. As a fake publisher network, the Rove Digital group negotiated deals with ad brokers (groups that help companies find publishers and publisher networks) to advertise goods and services for a fee. After hijacking millions of computers worldwide, they were able to siphon off millions through advertisement fraud.

Let your friends, neighbors and businesses know about this dangerous threat, and make sure they check their computers. Do this not only to avoid the temporary loss of internet access and the inconvenience that brings, but also to check the computer for other viruses and malware that piggybacked on the DNS changer virus and may be even more dangerous than false advertisements. Let this remind us that no one is safe from viruses that can both deceive us into providing financial data and steal it from our computers.