DNSChanger malware shutdown affects few Canadians - Action News

DNSChanger malware shutdown affects few Canadians

Two of Canada's largest internet service providers, Bell Canada and Rogers Communications, say their customers were not significantly affected by Monday's shutdown of the temporary FBI-operated servers in the U.S. that had been keeping Canadian web users safely attached to the internet.

FBI shuts down servers keeping malware-infected machines connected

An FBI illustration showing how a DNS server converts a domain name typed into the web browser on your home computer into a numerical address that allows your computer to find the corresponding website. (FBI.gov)


An estimated 10,000 Canadian internet users were said at one point to have fallen victim to the DNSChanger virus that had taken over computers worldwide.

But "from what I've been able to determine, Bell has received less than a dozen calls from customers today," Bell spokesman Albert Lee said in an email.

"Our IT security team continues to monitor the situation and exchange information with other providers, but we have not seen a significant impact."

Lee said the company estimates that 1,000 Bell customers were potentially affected by the shutdown of the temporary DNS servers that the FBI had been keeping in operation since November 2011 as part of Operation Ghost Click.

Rogers Communications said it had also had some calls about the DNSChanger virus on Monday but did not specify how many. Both companies said they had contacted customers who they thought could be affected in advance.

Bell had also set up an information page about the malware.

Less than 1 per cent of Canadian IP addresses affected

As of July 8, there were about 210,851 unique IP addresses worldwide still using the temporary servers, according to the DNSChanger Working Group, which had been helping the FBI monitor the temporary servers.

Of those, 41,557 were in the U.S. and 7,289 in Canada, with the latter accounting for only "a fraction of one per cent of all Canadian IP addresses," according to a spokesperson for Public Safety Canada, which has been working with the Cyber Incident Response Centre to inform the public about the issue.

Many of those who were surprised to find their home computers cut off from the internet Monday took to their mobile devices instead, posting messages of frustration and confusion on Twitter and Facebook.

The servers were part of the FBI's investigation into a cybercriminal group that had, between 2007 and 2011, rerouted more than four million computers in about 100 countries through a system of false DNS servers. The virus manipulated these computers, getting them to bypass their usual ISP connection so they could be directed to fraudulent websites that promoted fake products.

At the end of the investigation, the FBI contracted the non-profit Internet Systems Consortium to replace the rogue DNS servers with clean ones and keep them operating temporarily so that the infected computers connected to them would not lose internet access when the rogue servers were shut down.

The FBI said it did its best to identify which machines were infected with the virus and to inform the relevant ISPs, but that it was unable to trace all instances of the virus.

Those users who removed the virus from their computers had their normal internet connections restored, but those who didn't continued to be rerouted through the temporary servers instead of through their internet provider's servers until July 9, when those temporary servers were disconnected.

The FBI arrested six Estonian nationals in connection with the DNSChanger scam, and they have been charged with several counts of wire fraud, computer intrusion, conspiracy and money laundering. A seventh person, of Russian origin, remains at large.

According to the FBI, the cybercriminals, who operated under the company name Rove Digital, earned about $14 million US off the sale of illegitimate products and advertising on the fraudulent websites they were directing victims to.

One example of a typical application of the DNS scam the FBI cited was a website selling fraudulent Apple software to which users would be directed when clicking on the link for the official website for iTunes.

Remove malware or reformat

Unfortunately, those who lost their internet connection Monday have little choice now but to take their machines to a computer expert and have the malware removed, since they won't be able to directly access the online services designed to detect or remove the virus.

Alternatively, affected users can use an uninfected machine to try to download some of the free DNSChanger virus scan and removal software compiled by the DNSChanger Working Group at www.dcwg.org/fix/ onto removable media, like a USB flash drive, and use that device to disinfect the compromised computer.

A more extreme course of action would be to back up important data, wipe the hard drive clean and reformat it, or have this done by a computer technician.

Those who choose this route should keep in mind that if they don't back up files to a separate drive, they'll lose them, because reformatting cleans out all the files on a drive. The operating system and applications will also need to be reinstalled after reformatting.

Check DNS settings

If you are having trouble accessing the internet and are reading this on another device, you can check whether your computer has been infected with DNSChanger by identifying your DNS settings and comparing them against the list of known rogue IP addresses listed on the FBI or Public Safety Canada websites.

According to those sites, if the IP address of a DNS server listed in your settings falls within one of the following ranges, your computer is infected with the virus:

  • 85.255.112.0 through 85.255.127.25
  • 67.210.0.0 through 67.210.15.255
  • 93.188.160.0 through 93.188.167.255
  • 77.67.83.0 through 77.67.83.255
  • 213.109.64.0 through 213.109.79.255
  • 64.28.176.0 through 64.28.191.255

To find your DNS settings, Public Safety Canada recommends the following steps.

For Windows users:

  • Go to Start menu.
  • Select Run...
  • Type: cmd.exe [press ENTER].
  • Type in the black command window: ipconfig /all [press ENTER].
  • Search for the line that says "DNS Servers." Often, two or three IP addresses are listed.
  • Compare against list of rogue IP addresses.

For Apple users:

  • Go to System Preferences.
  • Select Network.
  • Select the connection used for internet access (typically, AirPort or ethernet).
  • Select Advanced.
  • Select the DNS tab.
  • Compare against list of rogue IP addresses.
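The final "compare" step of both lists can be automated. The Python sketch below is an added example, not part of the original article or of any FBI or Public Safety Canada tool: it pulls the DNS server addresses out of saved `ipconfig /all` output (including additional servers printed on their own indented lines) and checks each against the ranges listed above. The sample output and the function names are constructed for illustration.

```python
import ipaddress
import re

# Rogue DNS ranges, copied exactly as printed in the article's list (inclusive).
ROGUE_RANGES = [
    ("85.255.112.0", "85.255.127.25"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]
RANGES = [(ipaddress.IPv4Address(a), ipaddress.IPv4Address(b)) for a, b in ROGUE_RANGES]
IPV4 = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$")
LABEL = re.compile(r"\. :(\s|$)")  # "Field name . . . :" as printed by ipconfig

# Constructed sample of `ipconfig /all` output (not captured from a real host).
SAMPLE = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.test
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 93.188.161.10
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

def dns_servers(ipconfig_text):
    """Return IPv4 DNS servers; extra servers sit on unlabelled indented lines."""
    servers, in_dns = [], False
    for line in ipconfig_text.splitlines():
        if line.strip().startswith("DNS Servers"):
            in_dns, line = True, line.partition(":")[2]
        elif LABEL.search(line) or not line.strip():
            in_dns = False  # next labelled field or a blank line ends the list
        if in_dns and (m := IPV4.match(line)):
            servers.append(m.group(1))
    return servers

def is_rogue(addr):
    ip = ipaddress.IPv4Address(addr)
    return any(lo <= ip <= hi for lo, hi in RANGES)

def rogue_dns(ipconfig_text):
    """DNS servers from the output that fall inside a listed rogue range."""
    return [s for s in dns_servers(ipconfig_text) if is_rogue(s)]

if __name__ == "__main__":
    print(rogue_dns(SAMPLE))
```

On a Mac, the addresses shown on the DNS tab can be passed to `is_rogue` one at a time.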