
Internet doomsday on July 9th? Don't panic!
by Beth Jones on April 25, 2012 | 11 Comments | Filed Under: Featured, Law & order, Malware
Here in SophosLabs, we have been receiving a fair number of requests from the general public asking about the supposed "internet doomsday", said to strike on July 9th, which will leave "hundreds of thousands of internet users without internet access".
In the immortal words of Douglas Adams: Don't Panic
First, let's back the train up into the station and give you a quick history on this.
Back in November 2011, the FBI seized control of a bunch of rogue DNS servers that were being used by the bad guys to redirect machines infected with the DNS Changer malware to various scams with the intention of making money.
More than 350,000 computers around the world are thought to still be using the DNS servers, which have now been made harmless. But it's US taxpayer dollars which are keeping the DNS servers up and running, and that's not a situation that can carry on indefinitely.
The best solution is for people to fix the DNS settings on their computers.
The original plan was for the DNS servers to be shut down on March 8th 2012, but the FBI has asked for more time, delaying the shutoff date to July 9th.
Essentially the FBI is trying to give innocent folks time to clean their machines up.
And computers should be fixed - because if the DNS servers go down, any computer relying on them for DNS name services will cease to be able to browse the web, read email or do just about anything on the internet at all.
The issue is discussed in greater detail in Sophos Chet Chat podcast 86, which was published last month. (The DNS Changer part of the podcast starts at 4'30".)
Now a bit of good news for Sophos customers: Sophos can detect variants of the DNS Changer malware under names such as Troj/DNSChan-A.
Furthermore, Sophos products can detect if your computer is one of the ones whose DNS settings have been meddled with - identifying them as CXmal/DNSCha-A, and help repair the damage.
And finally, if you want to see if your computer is one of those which might be affected on July 9th, you can check via the DNS Changer Working Group website (DCWG).
The FBI also has a look-up form on its site.
If you were one of the unfortunate people whose computers were hit by the DNS Changer malware, your access to the internet does not have to disappear on July 9th.
Take the right steps now to avoid a headache later.
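As an added illustration (not code from Sophos, the FBI or the DCWG), the following Python example shows what checking a Windows PC's DNS settings against a list of rogue ranges involves, including the case where the PC only points at its router. The ranges in `ROGUE_RANGES` are placeholders to be replaced with the published list, the `ipconfig /all` sample is constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# PLACEHOLDER ranges (RFC 5737 documentation blocks), NOT the real rogue ranges.
# Substitute the address ranges published by the DCWG / FBI before use.
ROGUE_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]
# Addresses that mean "a router or local forwarder answers DNS for this PC".
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "fe80::/10")]

# Constructed sample of Windows `ipconfig /all` output (not from a real host).
SAMPLE_IPCONFIG = """\
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.0.2.53
                                       192.168.1.1
                                       203.0.113.10
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

def _parse_ip(text):
    try:
        return ipaddress.ip_address(text.strip().split("%")[0])  # drop IPv6 zone id
    except ValueError:
        return None

def dns_servers(ipconfig_text):
    # Collect the "DNS Servers" entry plus its indented continuation lines.
    servers, in_dns = [], False
    for line in ipconfig_text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        ip = _parse_ip(m.group(1) if m else line)
        in_dns = ip is not None and (m is not None or in_dns)
        if in_dns:
            servers.append(ip)
    return servers

def classify(ip):
    if any(ip in net for net in ROGUE_RANGES):
        return "ROGUE"   # resolver sits in a listed range: DNS settings need fixing
    if any(ip in net for net in LOCAL_RANGES):
        return "LOCAL"   # PC points at the router: inspect the router's DNS settings
    return "OTHER"       # outside the listed ranges

def check(ipconfig_text):
    return {str(ip): classify(ip) for ip in dns_servers(ipconfig_text)}

if __name__ == "__main__":
    for server, verdict in check(SAMPLE_IPCONFIG).items():
        print(f"{server:15} {verdict}")
```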
Ludo game image, from ShutterStock
Tags: DNS, dns changer, FBI, July 9, Malware
11 Responses to Internet doomsday on July 9th? Don't panic!
All very interesting, of course.......but exactly what steps am I supposed to follow to check this out? I, and probably others, need a simple list of instructions as to what to do!!
Reply
Visiting http://www.dcwg.org/detect/ is probably the easiest thing to do.
Reply
Ran the check, but it tells me if the ISP is changing it for me, I could be infected & pass the detect test! What then?
Reply
[quote]And finally, if you want to see if your computer is one of those which might be affected on July 9th, you can check via the DNS Changer Working Group website (DCWG).[/quote]
If you actually read the thing you would find the info there along with a link to the site that does the actual checking which is the same link that Graham posted, it's not rocket science people!
Reply
The original plan, as the article points out, was to shut down the rogue DNS servers on March 8th. So we're already into dead time.
Why not shut down the DNS servers for an hour each day, cycling around the 24 hour clock (so that it impacts users globally), then increasing this to two or three cycling four-hour periods until the final cut-off?
If users don't already have A/V (or it's not up-to-date) then telling them now that they might be at risk won't change their attitude. Appearing to cut off Internet access would be a far more effective way of highlighting the issue to those at risk.
Better still, have these DNS servers redirect all requests to a farm of servers that simply present null services (Web and Mail are probably the biggies) with messages explaining the problem and offering suggestions for a fix.
Reply
I also ran the check & was told the same thing. When I went back to the previous page before the test, I found out that there was a way to manually check to see if you were using a DNS Changer server. The directions were clear, easy & could be carried out without leaving the page. After I did the manual check, I found out that my OS had a tool to remove the malware. I ran the tool, which did take more than 3 hours to check every file on both my C: & D: drives.
Reply
RE: the manual check (using ipconfig in command prompt on Windows) - won't this simply return the IP address of the router, if one is being used? i.e. 192.168.x.x
Assuming most people use routers, these days (they do, don't they?), it would surely be helpful for the linked pages to note that it is the router's DNS IP settings that need comparing to the known malicious settings?
Reply
My ISP in the UK states which DNS server IPs to use, not my PC. So that is set in the modem set-up process and is set to use just the two IPs given and is not using the automatic method.
Therefore the modem has manually set IP addresses for which servers it should use, the PCs on the Ethernet network do not control them, as far as I know, so unless the malware can change the modem settings then it cannot infect such devices surely?
Although the XP Pro service 'DNS Client' is running, I'm not sure whether it needs to be or what effect it has on our networked systems' ability to access each other and the Internet via the ADSL modem. I suspect it's more a case of using that to allow the 'Hosts' file to be read to avoid unwanted nefarious address translations?
Is it the case that this malware might affect some PCs that do not use a modem/router for ADSL access to their ISP? Or is it something more specific to the way the Internet is accessed in the USA?
Reply
Thank you. I have people starting to ask me about this. They saw articles in various newspapers with "...For computer users, a few mouse clicks could mean the difference between staying online and losing Internet connections...". Now I can send them something to check for themselves.
Reply
Just enter the IP address of the website
Reply
More than 350,000 computers, so basically it's going to be around that number of computers that are infected, and compared to the amount of computers in the world I wouldn't call this an "internet doomsday". It's more of another issue the internet faces every now and then. Now if the number was in the millions then I could agree on calling it an "internet doomsday".
About the author: Beth Jones, Senior Threat Researcher, SophosLabs US. Beth manages the day-to-day research and analysis activities of incoming suspicious malware threats that arrive in SophosLabs via customers, partners and prospects. Beth has worked in Sophos's Boston lab for more than five years and brings nearly a decade of network security experience to Sophos.