Google Using Search Engine to Warn Users About DNS Changer Infection

By | May 30, 2012

Search engine giant Google is using its size and breadth to help stop the spread of a click-jacking malware infection. DNSChanger is a Trojan-style piece of malware that makes unauthorized changes to domain name system (DNS) settings on infected computers. Infected computers then redirect users to fake, infected websites that appear valid, but which are instead hacker-developed creations. The number of currently infected computers is estimated at 500,000, down from more than 4 million at the height of the outbreak.

The search engine company is using its ubiquity to help reduce the infection. It began displaying messages on the top of its search results pages to computers that are infected. DNS Changer affects both Windows-based and Apple computers. It may affect routers and mobile devices as well. The infection itself is typically a small file that changes a "NameServer" registry key value to that of a rogue IP address.

Network World quoted Google security engineer Damian Menscher regarding the initiative. "Our goal with this notification is to raise awareness of DNSChanger among affected users," said Menscher in a post to a company blog. "If more devices are cleaned and steps are taken to better secure the machines against further abuse, the notification effort will be well worth it."

Cleaning DNS Changer-Infected Computers

DNS Changer is on the decline due to FBI intervention. A bureau operation called "Ghost Click" was enacted to control and contain the spread of the infection among both businesses and consumers. In concert with orders from a federal judge, command-and-control (C&C) servers in the U.S. were captured, quarantined, and replaced with legitimate DNS servers.

Google will begin placing a message stating "Your computer appears to be infected" on computers that have a signature showing that the infection is present. The company used a similar method to inform users and help eradicate a malware outbreak in 2011. If the message appears on a computer, the machine must be cleaned of the malware. As of July 2012, those computers and devices still infected with DNSChanger will be prevented from connecting to the web.

Infections like DNSChanger show the creativeness of tactics that hackers and cyber criminals use in their efforts to steal information, identities, and ultimately, money.

Should the warning appear at the top of the page from a Google search, it will include a link to tools and information for cleaning your computer of the infection. Security, help desk, and IT professionals at midsize businesses should evaluate their organization and take coordinated steps to clean any infected machines and infrastructure equipment to ensure uninterrupted business operations.
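For teams doing that evaluation, the "NameServer" change described earlier can be audited from registry exports. The following is an added example, not code from Google, the FBI, or the original post: it parses the text output of `reg query` on the Windows Tcpip interface keys and flags any configured resolver outside the organization's approved ranges. The registry path and the `DhcpNameServer` value are standard Windows names not mentioned in the article, and the sample export, GUIDs, addresses, and the approved range `10.0.0.0/24` are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of `reg query ...\Tcpip\Parameters\Interfaces /s` output.
# GUIDs and addresses are invented; 203.0.113.0/24 is a documentation-only range.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-1111-1111-1111-111111111111}
    EnableDHCP    REG_DWORD    0x1
    NameServer    REG_SZ
    DhcpNameServer    REG_SZ    10.0.0.53 10.0.0.54

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{22222222-2222-2222-2222-222222222222}
    EnableDHCP    REG_DWORD    0x1
    NameServer    REG_SZ    203.0.113.10,203.0.113.11
    DhcpNameServer    REG_SZ    10.0.0.53
"""

# Statically set (NameServer) and DHCP-assigned (DhcpNameServer) resolvers.
VALUE_RE = re.compile(r"^\s+(NameServer|DhcpNameServer)\s+REG_SZ\s*(.*)$")


def audit_nameservers(reg_text, allowed_cidrs):
    """Return (interface, value_name, address) for every resolver outside allowed_cidrs."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings, key = [], None
    for line in reg_text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip().rsplit("\\", 1)[-1]  # interface GUID
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, data = m.groups()
        # Windows stores several resolvers in one string, comma- or space-separated.
        for token in re.split(r"[,\s]+", data.strip()):
            if not token:
                continue  # empty value: nothing configured here
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                findings.append((key, name, token))  # unparseable data needs review
                continue
            if not any(addr in net for net in allowed):
                findings.append((key, name, token))
    return findings


if __name__ == "__main__":
    for finding in audit_nameservers(SAMPLE, ["10.0.0.0/24"]):
        print("unexpected resolver:", *finding)
```

A statically set resolver that nobody in IT configured is the signal to investigate; routers and non-Windows devices need a separate check of their own DNS settings.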

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.
