Several media outlets have reported on the DNSChanger Trojan and the FBI with headlines that are confusing users. Some examples:
Although the articles themselves explain what is happening, anyone who reads only the headlines could conclude almost anything: the FBI turns off the internet, the internet is suspended, goodbye to the internet on March 8… In this case the FBI is not the bad guy, it's the good guy 🙂
Let me quickly explain what is happening. DNSChanger is a Trojan that can infect Windows, Linux and Mac computers and some routers, modifying their DNS settings to redirect users to fake pages.
What is DNS? DNS servers are in charge of resolving domain names; in other words, they make it easier for us to browse the internet. For example, to access the Google search engine we can type www.google.com in our browser or the IP 18.104.22.168. Which one is easier to remember? Of course, the first one.
DNS servers are responsible for mapping the friendly words (the domain) to that complicated number (the IP), and the same is true of all internet sites. Every time we type the address of a site, the DNS servers are consulted so that the information is loaded from the correct IP. When a computer becomes infected and its DNS settings are modified, domains can resolve to malicious IPs controlled by attackers. This is a serious problem because when trying to access a legitimate site we could be loading a fake one without realizing it.
These types of attacks are very common given their effectiveness. In the case of the DNSChanger Trojan, more than 4 million computers were infected worldwide, generating profits in the millions for a group of cybercriminals who have already been captured.
Once the FBI gained control over the fake DNS servers, it replaced them with the legitimate ones so that users continued browsing normally and had time to disinfect their computers.
What will happen on March 8? On that day the servers seized by the FBI will be shut down, and users who still have the Trojan on their systems will not be able to correctly resolve the domain names of many sites. In other words, when they type, for example, www.google.com, the page will not load.
This does not mean that the FBI is leaving users without internet. They will still have a connection, but because domains will not resolve correctly, many pages will only load through their IPs. Although this will be a problem for many, the positive side is that they will be forced to carry out a complete check of their machines and leave them in good condition.
How can I tell if I am infected?
Detecting and removing the Trojan is easy. To check if you are infected you simply have to access this page (it is no longer available) and follow the steps indicated. It is an online tool created especially to detect the modifications made by DNSChanger.
If you are infected, the same tool will provide you with help. On the website of the OSI (Internet security office) you will also find the steps to easily disinfect your equipment or router.
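Since the online tool is gone, the same kind of check can be done locally. The script below is an added example, not the original tool or code from this article: it reads resolv.conf-style text (the DNS configuration format on Linux and Mac) and flags any nameserver inside a list of rogue networks. The networks shown are placeholder documentation ranges, not the real DNSChanger ranges, and the sample configuration is constructed.

```python
import ipaddress

# PLACEHOLDER networks (RFC 5737 documentation ranges), not real indicators.
# Replace them with the rogue DNS ranges published by the authorities.
ROGUE_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Constructed sample of a tampered resolver configuration.
SAMPLE = """\
# constructed sample configuration
nameserver 192.0.2.53
nameserver 198.51.100.200
nameserver 203.0.113.10
search example.lan
"""


def parse_nameservers(resolv_conf_text):
    """Return the valid nameserver addresses found in resolv.conf-style text."""
    servers = []
    for line in resolv_conf_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(fields[1]))
            except ValueError:
                continue  # not an IP address, ignore the entry
    return servers


def audit_resolvers(resolv_conf_text, rogue_networks=ROGUE_NETWORKS):
    """Split the configured resolvers into (suspicious, clean) lists."""
    suspicious, clean = [], []
    for addr in parse_nameservers(resolv_conf_text):
        hit = any(addr.version == net.version and addr in net
                  for net in rogue_networks)
        (suspicious if hit else clean).append(str(addr))
    return suspicious, clean


if __name__ == "__main__":
    bad, ok = audit_resolvers(SAMPLE)
    print("Suspicious resolvers:", bad or "none")
    print("Other resolvers:", ok or "none")
```

A clean result here only covers the computer's own settings; if the router was modified, the DNS servers it hands out have to be checked in the router's configuration as well.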
Update 8/3/12: the deadline for server shutdown was extended until July 9th.
See also: Clean up the Windows hosts file.