An Estonian company called Rove Digital was busted last November. Why? Because it was a front for the ad-fraud DNSChanger botnet. And ever since November, the USA's FBI has been responsible for the substitute DNS servers designed to keep compromised computers from being disconnected (and causing support call chaos).
Back in March, we wrote about the looming expiration of the FBI's authority. Fortunately, that authorization was extended until July.
According to Google, roughly half a million instances of DNSChanger still exist in the wild and the company recently began to notify people of the problem using this message.
The Shadow Server Foundation has an impressive visualization of infections:
So now you may find yourself asking: how can I check for a DNSChanger infection?
The DNSChanger Working Group has an extensive list of sites which will check for problems.
F-Secure Labs also has something to offer: DNS Check.
It's a script-based tool that can be used to reset problematic DNS settings.
DNS Check scans the computer's DNS configuration to determine whether it points at the botnet's servers (now operated by the FBI) and can reset the settings to DHCP, OpenDNS, or Google DNS.
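The check DNS Check performs, as an added illustration written for this post and not F-Secure's own tool: pull the configured resolvers out of `ipconfig /all` output and test each one against a list of rogue resolver networks. Both the rogue ranges and the ipconfig sample below are constructed placeholders, since neither appears on this page; substitute the ranges published by the DNSChanger Working Group.

```python
import ipaddress
import re
# The page does not list the DNSChanger rogue resolver ranges, so these are
# PLACEHOLDER networks (RFC 5737 test ranges); substitute the published ranges.
ROGUE_RESOLVER_RANGES = [ipaddress.ip_network(n) for n in
                         ("198.51.100.0/24", "203.0.113.0/24")]  # PLACEHOLDERS

# Constructed sample of `ipconfig /all` output; not captured from a real host.
SAMPLE_IPCONFIG = """
Ethernet adapter Local Area Connection:
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   DNS Servers . . . . . . . . . . . : 198.51.100.7
                                       8.8.8.8
"""

def parse_dns_servers(ipconfig_text):
    """Return the resolver addresses from `ipconfig /all` output; extra
    resolvers appear on indented continuation lines holding one address."""
    servers, in_dns_block = [], False
    for line in ipconfig_text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            servers.append(m.group(1))
            in_dns_block = True
            continue
        if in_dns_block:
            cont = re.match(r"\s+([0-9A-Fa-f:.]+)\s*$", line)
            if cont:
                servers.append(cont.group(1))
                continue
            in_dns_block = False
    return servers

def rogue_servers(servers, ranges=ROGUE_RESOLVER_RANGES):
    """Return the configured resolvers that fall inside a known rogue range."""
    hits = []
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            continue  # tokens such as '(none)' are not addresses
        if any(addr in net for net in ranges):
            hits.append(s)
    return hits

if __name__ == "__main__":
    found = parse_dns_servers(SAMPLE_IPCONFIG)
    print("resolvers:", found, "| rogue:", rogue_servers(found))
```

On a real host, feed the function the output of `ipconfig /all` (or the nameserver lines of resolv.conf on other systems) instead of the constructed sample.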
FTP download: DNSCheck.zip
SHA1: 026b19bfbeeb2e02a9d4157f6fffa82ffcb62ab9 – DNSCheck.hta
SHA1: 5ddd867dc15a3398610868f06daec541278d8b16 – README.txt
SHA1: 2adedec5ceb4009d9b705cb6d9cb4c323dddc9a1 – admin_console.bat
SHA1: dcc8408c05cec84e4ac7420e6f7036c91e708ee2 – .\images\fsecure-logo.png
SHA1: a3630f948bb4d7b6c97318a50c5ad25fa85dca14 – .\images\icon.ico
On 01/06/12 At 04:05 PM