Google Using Search Engine to Warn Users About DNS Changer Infection

By | May 30, 2012

Search engine giant Google is using its size and breadth to help stop the spread of a click-jacking malware infection. DNSChanger is a Trojan-style piece of malware that makes unauthorized changes to domain name system (DNS) settings on infected computers. Infected computers then redirect users to fake, infected websites that appear valid, but which are instead hacker-developed creations. The number of currently infected computers is estimated at 500,000, down from more than 4 million at the height of the outbreak.

The search engine company is using its ubiquity to help reduce the infection. It began displaying messages on the top of its search results pages to computers that are infected. DNS Changer affects both Windows-based and Apple computers. It may affect routers and mobile devices as well. The infection itself is typically a small file that changes a "NameServer" registry key value to that of a rogue IP address.

Network World quoted Google security engineer Damian Menscher regarding the initiative. "Our goal with this notification is to raise awareness of DNSChanger among affected users," said Menscher in a post to a company blog. "If more devices are cleaned and steps are taken to better secure the machines against further abuse, the notification effort will be well worth it."

Cleaning DNS Changer-Infected Computers

DNS Changer is on the decline due to FBI intervention. A bureau operation called "Ghost Click" was enacted to control and contain the spread of the infection among both businesses and consumers. In concert with orders from a federal judge, command-and-control (C&C) servers in the U.S. were captured, quarantined, and replaced with legitimate DNS servers.

Google will begin placing a message stating "Your computer appears to be infected" on computers that have a signature showing that the infection is present. The company used a similar method to inform users and help eradicate a malware outbreak in 2011. If the message appears on a computer, the machine must be cleaned of the malware. As of July 2012, those computers and devices still infected with DNSChanger will be prevented from connecting to the web.

Infections like DNSChanger show the creativeness of tactics that hackers and cyber criminals use in their efforts to steal information, identities, and ultimately, money.

Should the warning appear at the top of the page from a Google search, a link will appear that will redirect you to tools and information to clean your computer of the infection. Security, help desk, and IT professionals at midsize businesses should evaluate their organization and take coordinated steps to clean any infected machines and infrastructure equipment to assure uninterrupted business operations.

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.
