May 23, 2012

Google Trying To Help DNSChanger Malware Victims

Lee Rannals for RedOrbit.com

Google is using a Domain Name System hack to let people who are infected with the DNSChanger malware know when their Internet connection is going to go dead.

Google designed the hack to let those people know their Internet connections will stop working on July 9, which is when temporary servers set up by the FBI to help DNSChanger victims will be disconnected.

"The warning will be at the top of the search results page for regular searches and image searches and news searches," Google security engineer Damian Menscher told CNET. "The text will say, 'Your computer appears to be infected,' and it will give additional detail warning them that they may not be able to connect to the Internet in the future."

DNSChanger attempts to modify the settings on home routers as well, meaning other computers and mobile devices may also be affected, according to a Google blog post.

The malware was active until an FBI investigation called Ghost Click resulted in six arrests last November.

The FBI and Estonian law enforcement arrested a group of people and transferred control of the rogue DNS servers to the Internet Systems Consortium in November 2011.

The malware sent infected computers to DNS servers that redirected millions of victims to websites that they had never intended to visit.

Once the faulty DNS servers were found, the Internet Systems Consortium replaced the servers with the help of a court order.

Paul Vixie, founder of the non-profit ISC, said that 500,000 devices were still connecting to the temporary servers. Once the court order expires on July 9th, hundreds of thousands of victims will be left without an Internet connection.

Internet Service Providers have tried alerting victims, but their success has been insignificant because notifications are usually in English and only half of the affected users speak English as a primary language.

Google said it will try notifying victims within a week in their preferred language, and will provide some recommendations for cleaning the devices and restoring them to their proper DNS servers.

The company said it plans to alert victims through a method it executed last summer to remedy a separate attack.

"Some users may need to seek additional help," Menscher said in a blog post. "These conditions aside, if more devices are cleaned and steps are taken to better secure the machines against further abuse, the notification effort will be well worth it."

