What is DNSChanger and Why Should You Care?

On July 9th, hundreds of thousands of people around the globe may find that they can no longer access web sites without knowing the exact numeric address. So they won’t be able to go to Google.com. Instead they’ll have to go to, which can make getting around the web pretty difficult.

Who will be affected?
Around 300,000 computers around the globe are still part of a botnet called DNSChanger. The botnet altered DNS server settings on the infected computers to conduct click-fraud schemes. Last year the FBI and Estonian authorities arrested the gang behind DNSChanger. Since then, US Courts have authorized running “clean” servers for infected IP addresses. And those servers are set to be turned off on July 9th.

Am I infected?
Probably not. But go to http://www.dcwg.org/detect/ and find out now.

See, we told you that you probably weren’t infected.

On the odd chance you are, you can use our free tool to reset your settings. You should do this now even though the courts are likely to extend the servers for a bit longer. Why now? If you’re infected your computer is a “zombie” and vulnerable to new infections. And these new infections won’t be run by a court in the United States.

For more about DNSChanger visit the F-Secure Labs blog.



[CC image by Brad Montgomery]

More posts from this topic


Are Cyber Privateers Russia’s Secret Weapon?

Headlines exploded last week after US authorities published a report examining Russia’s alleged attempt to undermine last year’s US Presidential elections. While the report’s value in terms of “exposing” Russian hacking is debatable (there was very little information that had not previously been reported in publications such as this report on The Dukes), the list of Russian individuals facing sanctions over their involvement in cyber attacks against the US highlighted the possibility that Russia might be employing “cyber privateers” to conduct cyber attacks on their behalf. [protected-iframe id="2d5d36a42a15b9da8c2932929b38d31f-10874323-81725797" info="//platform.twitter.com/widgets.js" class="twitter-tweet"] For those of you who don’t know, Evgeniy Mikhailovich Bogachev is the man behind the infamous GameOver Zeus botnet. GameOver Zeus was a massive criminal enterprise that was taken down in a joint effort in 2014. Bogachev, however, remains at large, with the FBI offering up to 3 million dollars for information leading to his capture. The inclusion of a career cyber criminal on a list of sanctions created as a response to Russia’s cyber espionage activities highlights the role of private hackers working on behalf of Russian intelligence services (RIS). “It’s possible that Bogachev, at some point, became involved in state-sponsored hacking as a sort of cyber privateer,” says F-Secure Security Advisor Sean Sullivan. “Using private contractors is pretty common when it comes to cyber attacks, and Bogachev’s capabilities as a career cyber criminal certainly make him an attractive recruit to anyone in need of black hat hacking services. RIS can easily benefit from what he does, as long as he doesn’t target anyone working with Russia.” Privateer was a term coined in the 17th century to describe privately owned ships that were armed and conducted military operations on behalf of a country’s official navy. They weren’t paid directly by that nation, but they were allowed to benefit from their service by robbing or capturing their targets. Back then, robbing ships was considered piracy. But privateers got away with it because they were doing it on behalf of their government. The term privateer fell out of fashion when the age of sail ended. But it’s a concept that seems to fit nicely with Russia’s hybrid warfare doctrine. It allows them to plausibly deny their official involvement if they can attribute hacking to online criminals, even while benefiting from what the criminals actually do. And there is precedent for Russia employing cyber criminals to bolster their offensive cyber capabilities. A recent article in The New York Times tells the story of several hackers that Russian authorities have attempted to recruit, including one who claimed he was offered a position with the government as an alternative to serving a prison sentence. So recruiting someone like Bogachev would be consistent with previous accounts from hackers approached to work on behalf of the Russian government. Not only that, but the fact that he’s seen as a hero in Russia makes it plausible that they would try to benefit from his profile, or at least turn a blind eye and protect him from prosecution. “Bogachev wouldn’t need a lot of ‘handling’ from the state – he can create his own initiatives that simply reinforce espionage conducted by other state-sponsored groups like The Dukes and other APTs,” adds Sullivan. “Co-opting known criminals and disguising what they do as hacktivism creates confusion that can undermine evidence of state involvement. And these disinformation strategies are integral to not just Russia’s cyber espionage activity, but their entire approach to geopolitics over the last few years.” [ Image by Mobilus In Mobili | Flickr ]

January 3, 2017

Ransomware Isn’t Slowing Down for a Simple Reason — It Works

It's a story that's been told thousands, if not millions of times, already. One wrong click and bam! Files taken hostage by unbreakable encryption and there's nothing you can do but give up -- or pay the ransom. There's a reason that cyber criminals who run ransomware offer customer support and are raking in cash in numbers that need to measured in billions. And it's the same reason that 193 different ransomware families were discovered between May 2012 and May 2016, with an average of 15 new families identified each month during Q3 of 2016. The reason is simple: It works. So we're likely to see new iterations of the same threat adapted to spread more easily until it stops being so effective. One of the keys to slowing this epidemic is... you. If you and the people around you are easy targets, criminals will keep cashing in on the same trick. As Melissa explained earlier this year, there are five ways to fight back against ransomware threats -- and they just happen to protect you from most online scams -- so let's review how to fight ransomware like your files depend on it, because they do: Change your mind. Fight forward -- with backups. The fight against ransomware begins, with reliable backups of your files. Keep all software up to date. Ransomware often exploits flaws in old software to edge in and take control of your files. Beware of email, especially attachments. Be suspicious of links and attachments in emails. Remember, the post office and the IRS don't send ZIP files. And a document telling you to "Enable Content" is likely a trap. So: Run reliable security software. Use software with a layered approach that can block known ransomware variants and new threats -- software like F-Secure SAFE, which you can try for free. If you're reading this and you're already infected, F-Secure Labs has some recovery tips. But we're very sorry; there is no recovery process for ransomware that's as effective as prevention.

December 29, 2016

What’s a Mirai Botnet Doing With My Router?

Mirai – malware designed to infect internet of things devices - is behind some of the biggest DDoS attacks in history. It knocked Twitter, Netflix, and other popular websites offline in October. And now, it looks like a variant of Mirai has been modified (or upgraded) to infect routers. Nearly a million people in Germany have lost their internet access over the past few days due to infected routers. News reports say that over 900,000 routers from Deutsche Telekom (DT), Germany’s largest telecommunications provider, were knocked off the internet over the past few days. The attack(s) are being attributed to Mirai based on their use of infrastructure seen in previous Mirai attacks. “Mirai was designed to infect IoT devices. And since IoT devices and routers have many of the same security issues, adapting Mirai to target routers seems worthwhile for attackers,” says F-Secure Security Advisor Sean Sullivan. “It takes a bit of work to adapt the malware, but since the code has been dumped online, it’s doable.” The Mirai variant hitting routers in Germany exploits a vulnerability in the firmware of particular models of Speedport and Zyxel routers. Previous Mirai variants have been more focused on IoT devices (most notably webcams), and brute forcing passwords to infect devices with malware. You can find a list of affected router models here. DT has apparently already developed a fix for this, which is impressive given the general industry-wide neglect of vulnerable firmware. But reports say that there may be as many as five million devices connected to the internet that are susceptible to the same attack used against DT routers. And this estimate doesn’t include devices with other security problems leveraged by Mirai, such as the use of weak default passwords set by manufacturers. How to Troubleshoot Bots Attackers infect devices with Mirai, and then connect tens or maybe even hundreds of thousands of infected devices together to create a network of bots (hence the term, botnet). Using botnets, attackers can do things like issue commands to infected devices, launch devastating DDoS attacks, install additional malware, or spread the infection through more networks (thereby increasing the size of their botnet). But fighting botnets isn’t a huge priority for anyone but ISPs. A phone, laptop, or webcam can be part of a botnet without really inconveniencing the device owner. However, that doesn’t mean bot infections should be ignored. Many bots, including Mirai, receive instructions from attackers. New instructions can give bots new capabilities, including having them attack device owners in more direct ways. And because Mirai (and bots like it) can infect non-traditional PCs, it’s more difficult to get rid of. Here are a few things you can do to get rid of bot infections on devices that can’t run antivirus software. Reset your device Resetting routers and IoT devices infected by Mirai is enough to remove the infection. It’s a good first step. But this doesn’t fix the underlying problem, so you’ll remain vulnerable to future infections unless you take additional actions. And because Mirai spreads aggressively, you may only have a matter of minutes until you’re infected again. Change default passwords (if possible) Most people don’t change default passwords on their routers or IoT devices. This is a HUGE problem, since many of these devices use common passwords for the same model or line of products. And to make things worse, lists of default passwords are often available online. Many attackers know people don’t change passwords on their devices, and use that to help them plan attacks. Mirai is programmed to try logging in using popular passwords like “123456” and “password”, as well as passwords that have proven effective against specific devices (such as “admin” and “xc3511”). So change default passwords whenever possible. Contact device vendors/ISPs Some devices cannot be fixed easily. Sometimes passwords cannot be updated by users. Firmware often ships with vulnerabilities, requiring vendors to create and distribute patches. In these cases, ISPs or device manufacturers need to get involved. So make an effort to check their websites, and if needed, contact them. They may or may not help. DT is making an effort to restore service to customers affected by the recent outbreak. And after the massive Mirai attack on Dyn in October, a Chinese webcam manufacturer recalled some of its products that used passwords that could not be changed by users. In the worst case scenarios, people may be forced to actually throw out an infected device. “Like any new technology, it’s buyer beware,” says Sean. “Security researchers and even hackers have been talking about insecure IoT devices for years. Now the problems are starting to arrive, and they’ll most likely get worse before they get better.” There are multitude of other security measures you can take to protect things like routers and IoT devices. Some of the best ones include making sure Universal Plug n Play is disabled, checking that your DNS settings are configured correctly, and that you log out of devices’ admin portals after changing any settings. [ Image by Sascha Pohflepp | Flickr ]

November 30, 2016