
DNS Changer malware: what you need to know

You may have heard about yet another new virus threat that’s making headlines today. As many news outlets have been reporting – with greater and greater urgency – there is a new form of “malware” that’s been loose for some time, but is about to make a much bigger impact on a lot of people’s lives. Basically, if you’ve got it, you’re not going to be able to get on the Internet after July 9th. Because the FBI is shutting things down.

Since a lot of the reporting I’ve seen locally has been… well, terrible… I thought I’d give you a quick run-down of what exactly is going on. Let’s start with the question on everybody’s mind:


The “DNS Changer” pest has been “in the wild,” meaning actively making its way through public networks and computers, for quite a while under various names. Its purpose was basically to redirect users trying to get on the Internet to bogus websites so that its creators could collect click-through ad revenue. The FBI and officials in Estonia arrested the perpetrators a while ago, but realized they had a big problem: if they shut down the servers that the malware was pointing to, everybody with the malware would get cut off from the web. The solution was to leave the servers running, but instead of pointing to the baddies, the FBI redirected traffic right back to where it was supposed to go in the first place.

All well and good, but there’s still a ton of computers – estimates are in the half-million neighborhood – with that virus, and the FBI can’t keep those servers running forever. Well, July 9th is the cut-off date, so if you’ve got this little beastie running on your box, you’d better do something fast.

Malware? Is that like a virus?

Yeah, sorta.

The only real difference between most viruses and most malware – and to be clear, these terms border on slang, so the definitions tend to be somewhat fluid – is that viruses generally pose as some legitimate bit of software or data and infect silently. Malware generally attempts to cover itself with the veneer of legitimacy by talking you into voluntarily installing the software. Many veteran PC users will remember all those “start-up applications” that ran their PCs into the ground years ago. Stupid crap you thought you were being smart by installing. And by the way, it’s pronounced “male-ware,” not “mall-wear,” damnit. Think “malevolent” or “malignant.”

Regardless of the definition or how you got it, the point is: it sucks.

What is DNS and why did it change?

Ah, DNS, our old friend! Cornerstone to the Internet and so effective, most people don’t ever hear the term. This is especially clear when watching and reading local news on the subject, sadly.

DNS means Domain Name Service, and essentially, it’s the phone book of the Internet. Every domain name, such as and, refers to a computer or a network out there on the Internet. But which one? Well, your computer doesn’t know the answer to that, so it relies on DNS servers to provide that information.

When you tell your computer to go to, it actually asks one of these servers where is, the server responds with the correct address, and away you go. Typically, your computer would use DNS servers provided by your Internet Service Provider (Time Warner, Frontier, etc), but it doesn’t have to: you can manually set a different set of DNS servers to contact if you wanted to for some reason.

What the DNS Changer did was exactly this: it changed the server that your computer points to from a legitimate one to an illegitimate one. Those illegitimate DNS servers pointed you – not to the Google you know and love, but to bogus servers that look just like Google. You know all those ads on Google’s search pages? People pay money for you to click on them. But with the DNS Changer servers pointing you to bogus sites, all the money that would normally be collected by Google was instead collected by the owners of those servers. With half a million computers still infected, even after anti-virus software has been removing it for months, they must have made a lot of money.

And you can clearly see the long-term problem facing the FBI: if your computer is referring to the wrong “phone book” and that phone book goes away, where do you find all your beloved websites? You don’t. The solution was to just make the DNS servers report correct data, instead of the bogus stuff while people had an opportunity to fix their systems. And again: the FBI will be turning these servers off completely on July 9th.

Awesome. Now what?

Now you need to find out if you’ve got the DNS cruft and, if so, get rid of it. If you’re not on a Windows computer, you’re probably safe. If you are:

  1. Run your antivirus software! I trust you have some, yes? Make sure it has been recently updated as well.
  2. Failing that, there is a website, , that will run a quick, software-free scan for you.
  3. has a resource page that will give you more information.
  4. Finally, many ISPs including Time Warner are providing their own support. As a last resort, you might try calling them.
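One way to do that check yourself, added here as an example and not code from the original post: the script below reads the configured resolvers from a resolv.conf-style file or from Windows `ipconfig /all` output and compares them against the servers your ISP hands out and against a list of flagged ranges. Every address and range in it is a constructed placeholder, not the real DNS Changer indicator list, so substitute the real values before relying on it.

```python
import ipaddress
import re

# Constructed placeholder ranges standing in for the published rogue
# resolver ranges; they are NOT the real DNS Changer indicators.
ROGUE_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

# Resolvers you expect to see, e.g. the ones your ISP hands out (constructed).
EXPECTED_RESOLVERS = {"203.0.113.53", "203.0.113.54"}

# Constructed resolv.conf-style sample: one clean and one hijacked entry.
SAMPLE_RESOLV_CONF = """\
nameserver 203.0.113.53
nameserver 192.0.2.77
search example.net
"""

# Constructed `ipconfig /all`-style sample as seen on Windows.
SAMPLE_IPCONFIG = """\
   DNS Servers . . . . . . . . . . . : 198.51.100.9
                                       203.0.113.54
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_resolv_conf(text):
    """Return the nameserver addresses from resolv.conf-style text."""
    return [parts[1] for parts in (ln.split() for ln in text.splitlines())
            if len(parts) >= 2 and parts[0] == "nameserver"]


def parse_ipconfig(text):
    """Return DNS servers from `ipconfig /all`-style text; extra servers
    follow the 'DNS Servers' line until the next labelled field."""
    servers, collecting = [], False
    for line in text.splitlines():
        if "DNS Servers" in line:
            collecting = True
        elif collecting and ":" in line:  # next "Label . . : value" field
            collecting = False
        if collecting:
            servers.extend(IPV4.findall(line))
    return servers


def classify(server):
    """Label one resolver as 'expected', 'rogue' or 'unknown'."""
    if server in EXPECTED_RESOLVERS:
        return "expected"
    addr = ipaddress.ip_address(server)
    if any(addr in net for net in ROGUE_RANGES):
        return "rogue"
    return "unknown"


if __name__ == "__main__":
    for label, servers in (("resolv.conf", parse_resolv_conf(SAMPLE_RESOLV_CONF)),
                           ("ipconfig", parse_ipconfig(SAMPLE_IPCONFIG))):
        for server in servers:
            print(f"{label}: {server} -> {classify(server)}")
```

An "unknown" verdict is worth a second look too: a resolver that is neither your ISP's nor on the flagged list is still not the one your machine should be using.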

Boilerplate preaching

I know you’ve heard this all before. But if you’ve got this little nasty, that is because you didn’t heed the advice. And hey: we all screw up from time to time. So… once more, this time with feeling:

Never install software unless you were planning on it. If something on the Internet tells you to install software in order to view content or improve your PC, that’s a red flag. Before installing anything from the Internet, you might first want to Google search the name of the application. If it even smells slightly off, there’s a blog post, a forum thread, or something else to wave you off. Most legitimate software that drives content on the Internet is going to be either pre-installed or easily-recognizable: Flash, Acrobat, maybe QuickTime.

And for the love of god, people, use your anti-virus! Keep it up to date, make sure you run scans once in a while – most anti-virus software actually allows you to schedule all this to run without you. But that doesn’t mean you shouldn’t check in from time to time.

Rochester Science

Sick of being broke? Why not get sick for cash? U of R’s norovirus vaccine tests

The @UofR Medicine department is currently testing out a new vaccine for the norovirus – the virus commonly known for its disastrous outbreaks on cruise ships in recent years, but which the CDC identifies as the culprit for the majority of food-borne illnesses in the country. They’re looking for twenty volunteers willing to submit to both the vaccine and the virus and in return, they plan to pay out $1,165. Which buys a lot of ginger tea.

But before you head to the mall for your get-well-soon shopping experience, you should be aware of just what you’ll be subjected to. Subjects will be given two shots containing either the vaccine or a placebo, spaced four weeks apart. Four weeks after that, they will be exposed to the virus to see how they react. During this testing phase, subjects will be held in isolation for five days, to avoid the risk of spreading the disease or of contaminating the results by getting sick… you know… “the old-fashioned way.”

All you have to be to participate is between the ages of 18 and 50, not working in select professions, and of course willing to withstand a nasty stomach ache for a few days. Sound good? Well, by all means, give them a call at the Vaccine Research Unit at (585) 273-3990 or click here to read the press release.


Don’t let your computer feel as miserable as you do this Valentine’s Day

I never understood the overwhelming hatred of Valentine’s Day. Sure, I’m in a happy, healthy, loving relationship, which makes me a prime target for scorn today, as well as completely discredits anything I could possibly have to say about the holiday in general. Still, even during my single years, I never cared. Maybe I just grew up looking at the day differently than most. You don’t need a “lover” per se, you just need love, and I love a lot of things. Besides, it gave me an excuse to round up a bunch of my friends to get drunk and watch bad horror flicks – two of my favorite hobbies! Not to mention, um, it’s just a day.

Still, I’d like to think I’m compassionate and recognize I am very much in the minority with those feelings. Starting as early as a week ago, social media sites were beginning to overflow with dread of the impending day. Guys planning to drink whiskey in silence, girls planning to stay in bed with 4 pints of ice cream, and the incessant overuse of the words “cliché”, “Hallmark”, and “singles awareness”.

Okay, I get it. February 14th sucks big time. But does anything bad actually happen on Valentine’s Day that merits preparing for the Apocalypse? Kind of. I don’t know about going that far, but historically, the day does have some messed-up roots, most notably the 1939 Saint Valentine’s Day Massacre in Chicago and, most recently, malware attack warnings in our humble little abode of Rochester.

That’s right. As if this day weren’t already annoying enough for the majority of the population, now we have to be cautious of what we do and don’t click on in our social networks! (Which, by the way, you should be doing anyway, but I know it’s a rough day, so I’ll save the lecture.) Yesterday, Aware Bear Computer Repair in Pittsford warned consumers to be apprehensive of Valentine’s Day themed links, messages, and videos already circulating Facebook and Twitter. Andre Alves, Rochester native, as well as owner and founder of Aware Bear, stated:

“An apparently harmless message spreads in email messages with subjects like ‘I Love You So Much,’ ‘Inside My Heart’ or ‘You in My Dreams.’ The text of the email includes a link to a website that downloads the malicious code. The page is very simple and looks like a romantic greeting card with a large pink heart. Once it infects a computer, the worm sends out a large amount of emails, creating a heavy load on networks and slowing down computers.”

That’s just one of the social media viruses Aware Bear has faced this Valentine’s season, and apparently there are many. Chances are, if you’re a V-Day hater, you won’t be likely to click on anything holiday-centric today anyway. However, for those of you who either have a honey bunny or just simply don’t care, take the normal precautions you’d apply to your online decision-making and double them.

Happy Valentine’s Day, All. Don’t worry, we’re already halfway through it until next year.


Sending in the mosquitos: introduced species, anyone?

Researchers in the Australian state of Queensland are experimenting with introducing a virus into mosquitos to prevent another virus from spreading the deadly Dengue fever. The concept is pretty simple: Virus A spreads a deadly fever, Virus B prevents Virus A from reproducing, which basically eliminates Virus A from the equation. So, infect a bunch of mosquitos with Virus B and they’ll be able to prevent or at least mitigate the spread of a deadly disease. Great, right?

Not quite. Readers of my blog know that one concern I have is the idea of what ills an introduced species can have. The trouble is that the integration of native species generally has some sense of balance – always adjusting, always different, but still a sense of balance. When new species are introduced into the equation – or when one species has its population artificially increased – the results can be unexpected. Possibly even worse than the problem they were meant to solve.

For some fun background on introduced species, there is a series of videos on Youtube describing the troubles Australia already had with cane toads. But right here in the Rochester area, we have also had our recent problems with purple loosestrife as well. Here’s another video from a Wisconsin educator on the troubles they’ve had.

It’s worth pointing out that similar types of bioengineering happen all the time. For example, many gardeners introduce ladybugs into their gardens to control mites. But when it happens on such a large scale – particularly with fast-reproducing and fast-evolving viruses – the concerns are a bit greater.

Modified mosquitoes set to quash dengue fever : Nature News & Comment.


Seven busted in elaborate Internet click-hijacking scam

The FBI announced in a statement today that they have arrested six suspects and are seeking another in Russia over what they allege is a sophisticated scam involving redirecting computers infected with a virus to sites where the suspects would be paid for clicks. The FBI says some 4 million computers world-wide including 500k in the US were infected with the group’s virus, generating an estimated $14 million in click cash.

The scheme involved using “rogue” DNS servers, which are servers whose role on the Internet is to tell requesting computers where to find the correct web servers. The arrest is being called the biggest take-down in Internet history.

The basics of the alleged scheme work like this: an infected computer is used to search for something and is sent to the search engine like normal. However, when the user clicked on any search result, they were routed instead to a site that was paying the scammers per click. This involved not only fraudulent rerouting of the user, but also loss of revenue for the search engines in question, because the affected links sometimes included the paid advertisement links at the top of Google and other search engines. The scammers also were able to swap out advertisements on websites such as the Wall Street Journal with their own paid links.

For full details of the investigation, read the FBI press release below:

FBI — Manhattan U.S. Attorney Charges Seven Individuals for Engineering Sophisticated Internet Fraud Scheme That Infected Millions of Computers Worldwide and Manipulated Internet Advertising Business.


Largest-ever virus creates “trojan organelles” in amoeba off Chile’s coast

When amoeba get a cold, it’s a big one.

French scientists have discovered a new form of virus – the largest ever discovered and one which is twenty times larger than the average virus. And this particular virus does something rather unusual, according to the BBC article linked to in the Popular Science blog post below.

Whereas viruses typically invade a host cell and simply turn the nucleus (the “brain” of a cell) into their slave, thereby getting the cell to make copies of the virus, this one appears to set up whole organelles for the same purpose. Organelles, you’ll recall from biology class, are the “organs” that exist inside the cell, like the mitochondria, ribosomes, and the always-popular endoplasmic reticulum. These organelles are referred to as “trojan,” implying that their purpose is to disguise what’s going on from the rest of the cell.

So, whereas computers have trojan viruses, apparently amoeba have viruses that create trojans. What a world.

Ocean Explorers Find Largest Virus Ever Seen, 20 Times Bigger than the Average Bug | Popular Science.


New Security Concern Over Apple Laptop Batteries

News this morning is that a security researcher by the name of Charlie Miller discovered a new and potentially troublesome security vuln in Apple laptops. It seems that the CMOS battery is protected using default passwords, meaning the same password is set for every laptop. There is more discussion of the issue here at the Internet Storm Center and the original article, here.

So, ok…. What does all this mean?

Computer motherboards – the sort of backbone of your computer, where all your drives and goodies connect – have a small amount of writable memory on them that holds configuration for the hardware itself. You may never have seen this data, and that’s a good thing: modern computers spare their users the hassle of navigating text-only windows of inscrutable data and settings. Those settings can have huge impact on the usability of your computer, up to and including rendering the computer unusable, and the memory that holds this information is actually much larger than the amount of data held there. That means something else, like a virus, could potentially be stored there.

This system of data is held in memory by a small watch battery on the motherboard. Note that this is not the same battery that powers the computer while you work.

Because laptops are portable and therefore more susceptible to theft and shenanigans, laptop CMOS settings are usually protected by a password. In the case of Apple laptops, the study now shows that this password is a default password common to a host of other laptops. This means that a hacker could learn this default password and find their way onto any Apple laptop that has not had its default password changed.

What makes this especially bad is a twist of hardware design: Apple laptops have batteries that are permanently mounted inside the chassis. Unlike most laptops, whose batteries can be replaced, Apple laptops make do with a single battery. This means that if the CMOS is sufficiently nutted, you’re not going to be able to get into the system to fix the problem. At least, not through conventional methods.

The Threat

So, what is the potential fallout from this new security vuln? This threat is pretty limited in reach, but very significant for anyone who is affected. The likelihood is that, in order to infect or otherwise harm a laptop in this manner, the hacker has to be physically present. This is not the kind of vulnerability that lends itself to Internet attack, because CMOS settings are set and unchangeable once the computer is fully booted.

If someone is able to get into the CMOS settings, the first and most obvious threat would be for them to render the computer either inoperable or else significantly impaired, then change the CMOS password to something the legitimate user does not know. This would constitute a single-user Denial of Service type of hack, as one user is not able to use their computer and unable to fix the problem.

More serious would be someone filling the CMOS memory with junk data and effectively rendering the computer unbootable at all. The gravity of this particular attack is that, if the computer can’t even boot to the CMOS settings window, it may not be possible to zero out and replace the junk data.

Probably the least-likely threat is the idea of a hacker putting a CMOS virus on the system. The amount of data that can be held in CMOS is actually pretty limited, so whatever virus is there would have to be extremely small. Still, it might be possible to place a virus in CMOS that can dial home and install a fuller, more serious virus onto the hard drive.

If the intruder is able to replace and rewrite CMOS settings, clearly you can as well. They call this “flashing” the CMOS, and it’s typically done to upgrade firmware or resolve hardware issues. But you could also flash the CMOS to get rid of errant settings, which is exactly what you’d want to do in the case of this type of attack. In the worst-case scenario, pulling the CMOS battery off the motherboard would discharge the memory and bring your computer back to factory default settings. Problem solved.

Except in this case, the battery is a permanent resident of the motherboard. There’s no pulling this battery and no way to reset the CMOS settings in the event that normal CMOS settings pages are inaccessible. And that’s the real threat.

Overall, this is a very low-level threat, given the nature of the attack. And it should be pointed out that all motherboards have CMOS and very few are protected by any kind of password, especially not desktops. Still, the fact that all Apple laptops are secured with the same password is arguably more serious than other laptops not having any password at all, if only because the spread of this knowledge among the hacking community makes exploiting it more tempting.