This is a follow-up to a previous blog that was titled “Stopping DNS Changer Malware on the Internet.” I have been receiving some questions from enterprise customers about this malware.  Some folks are receiving victim or infection notices from the FBI or from their ISP, and they have questions about what to do. Here are some suggestions and considerations:

1. Operators of business enterprise networks should restrict the DNS resolvers that computers in their enterprise can use.  Either provide internal DNS resolver services or configure firewall policies for access to only known good DNS resolvers on the Internet.  This will prevent any DNS Changer malware from successfully manipulating DNS resolution in your enterprise network.

2. If you have received notices from your ISP or the FBI that identify only legitimate DNS resolvers for your enterprise, then the notice is most likely false.  The DNS Changer malware primarily affects end-user devices.  In some circumstances, DNS resolvers will legitimately contact these formerly rogue DNS resolvers.

3. If your current firewall policy allows access to any DNS resolver on the Internet, and if you received an infection notice that identifies your firewall, then you likely will need to check firewall logs to identify affected machines.  Look for internal addresses that are accessing the addresses of the formerly rogue DNS servers primarily on port 53/udp.  The address blocks of these formerly rogue DNS servers are:

    •         85.255.112.0 through 85.255.127.255
    •         67.210.0.0 through 67.210.15.255
    •         93.188.160.0 through 93.188.167.255
    •         77.67.83.0 through 77.67.83.255
    •         213.109.64.0 through 213.109.79.255
    •         64.28.176.0 through 64.28.191.255

4. If you are using one or more Small Office or Home Office routers in your business, it is possible DNS settings have been changed on that device.  This is particularly true if the device was not configured with a good password.  Reset the device to the default configuration settings using manufacturer instructions.  There is usually a little reset button on the device.  Be sure to set a good password after the reset.

5. The US court system to has extended the operation of the temporary DNS servers to July 9, 2012.  This provides more time to resolve the issues and institute improved security policies.

6. Be sure to keep anti-virus software current on all computers, and track or check the updates.  The DNS Changer malware, as well as numerous other types of malware, will disable updates on infected machines.  The lack of updates not only leaves the malware undetected but leaves the affected machines unprotected against other malware.

7. Infection avenues for DNS Changer and other malware vary.  If Anti-virus does not have a current detection signature for a specific piece of malware, machines could be infected.  70% of the new malware samples we find are not detected by well known anti-virus tools when first identified.  Network detection and protection is a necessary supplement to host-based protection.  I recommend a comprehensive Secure Internet Gateway service, which includes network-based firewall, IDS, URL filtering, email scanning, and VPN remote access.  This combination will provide a comprehensive prevention.

8. In the eventuality that security events do occur, it is advisable to have a 24×7 detection and mitigation support service such as our Security Event and Threat Analysis (SETA) service. This service can be tailored to your needs and works in conjunction with a Secure Internet Gateway service and/or your own premise-base security protections.  The service provides an automated security analysis platform as well as access to expertise to help detect security events, diagnose the cause, and help with quick remediation.

What questions do you have about detection and remediation of DNS Changer Malware? How are you protecting from that now?  What can we be doing to serve your security needs better?