
DNS Changer: 9th July 2012: Will you lose connectivity?


In 2011, viruses were distributed globally that forced infected computers to use a network of DNS servers run by a malicious organisation going by the name of Rove Digital.
Although the organisation and its infrastructure were taken down by law enforcement authorities, the DNS servers they set up had to be temporarily replaced with a safe alternative to prevent (potentially) millions of users effectively losing the ability to use the internet.
That temporary replacement is being switched off on Monday, 9th July 2012.
You should check your systems this weekend to see if you are affected. The number of potentially infected systems was last reported on 11/Jun/2012 and was just over 300,000. That makes it unlikely you are infected, but it is still worth checking.
The website DCWG has been set up to help and advise on what to do if you are worried or want to check your system.
The DNS Changer World Group is there to help.
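One way to do that check yourself on a Unix-like system, added here as an example and not code from the original post or from DCWG: read the resolvers configured in resolv.conf and flag any that fall inside a known-rogue address range. The two ranges in the script are placeholders (RFC 5737 documentation space), not the real Rove Digital ranges; the authoritative list is published by DCWG.

```python
"""Flag configured DNS resolvers that fall inside known-rogue address ranges.

Added example for this post; assumes a Unix-style resolv.conf. ROGUE_RANGES
holds placeholder networks only: replace them with the list published by DCWG.
"""
import ipaddress
import re

# PLACEHOLDER ranges (documentation space), not the real DNSChanger ranges.
ROGUE_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)")


def parse_nameservers(resolv_conf_text):
    """Return the resolver addresses listed in resolv.conf-style text.

    Comment lines, other directives and entries that are not valid IP
    addresses are skipped rather than aborting the check.
    """
    servers = []
    for line in resolv_conf_text.splitlines():
        m = NAMESERVER_RE.match(line)
        if not m:
            continue
        try:
            servers.append(ipaddress.ip_address(m.group(1)))
        except ValueError:
            continue  # malformed entry; ignore it
    return servers


def rogue_resolvers(servers, ranges=ROGUE_RANGES):
    """Return the subset of servers that sit inside any rogue range.

    Address-family mismatches (an IPv6 resolver against an IPv4 range)
    simply compare as False, so mixed configurations are handled.
    """
    return [s for s in servers if any(s in r for r in ranges)]


def check_resolv_conf(resolv_conf_text, ranges=ROGUE_RANGES):
    """Parse the text and return (all_resolvers, flagged_resolvers)."""
    servers = parse_nameservers(resolv_conf_text)
    return servers, rogue_resolvers(servers, ranges)


# Constructed sample: one resolver inside a placeholder rogue range, one clean.
SAMPLE_RESOLV_CONF = """# constructed sample resolv.conf
nameserver 192.0.2.53
nameserver 203.0.113.1
nameserver not-an-ip
"""

if __name__ == "__main__":
    with open("/etc/resolv.conf") as fh:  # real check on the local system
        found, flagged = check_resolv_conf(fh.read())
    print("resolvers:", [str(s) for s in found])
    print("flagged as rogue:", [str(s) for s in flagged] or "none")
```

A resolver is only flagged if it lies inside one of the configured ranges, so an empty "flagged" list means nothing against resolvers that were changed to some other rogue address; compare against the DCWG list, not the placeholders.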

What is a DNS Server:

Simplistically, the Domain Name Service provides the link between the names we use for websites (and other services) on the Internet, such as “harlekwin.com”, and the back-end addresses actually used by the network to route traffic, IP addresses – such as “”.

Why attack this system?

A malicious DNS server is able to take your request and redirect it to a site of the attacker's choosing. This puts all sorts of systems at risk. From a personal point of view, think about a “spoofed” online banking site and the damage that could cause. That's just the start, too: many services rely on DNS. The effects on business could be even more dramatic. Government systems should be making other checks to ensure that they are talking to the correct systems (thus fewer risks), but not necessarily.
It is scary how, very nearly, this network could have been one of the most effective malicious assaults on the Internet.

What will happen?

If you are infected, on the 9th July 2012 and thereafter (if not fixed) you will be unable to resolve domain names. What you actually see depends on your browser or system, but it will be a variant of “Website could not be found”, “This page is not available” or “Cannot open page”. You get the idea. This would happen for whatever website you try, even Google, Microsoft, Facebook etc.

Why not keep the temporary system running longer?

Good question.
Essentially a legal point. The court order allowing the creation of this temporary DNS network expires at this time.
Although it is technically possible to continue, the system has been in place since November 2011 and it is inappropriate to provide a service for potentially virus-infected systems forever. The removal of the service should force the owners of the remaining infected systems to get their systems fixed.
Replacing the system with one that simply alerted users that they are potentially infected is also feasible, but my understanding is that this kind of redirection is illegal in many jurisdictions – even if effected for perfectly well-intentioned purposes.

About harlekwinblog

"Thoughts of an idle mind." Information Security professional.

