Remove DNSChanger Malware Or Lose Internet Access
July 5, 2012

Will This Monday Become Malware Mania Day?

John Neumann for - Your Universe Online

Warnings have been splashed across Facebook and Google, internet service providers have sent notices, and the FBI set up a special website. However, tens of thousands of Americans may still lose their internet service Monday unless they check for (and remove) malware on their computers that may have installed itself on their machines more than a year ago.

The Associated Press reports that more than 277,000 computers worldwide are expected to be affected, down from an estimated 360,000 earlier this year. Of those still believed to be infected, the FBI estimates about 64,000 are in the United States.

Infected computers will lose their ability to go online. They will also have to call their service providers for help deleting the malware and reconnecting to the internet.

The FBI will be pulling the plug on the DNSChanger servers next week, potentially leaving thousands of people without web access, but experts generally agree that such “tough love” is necessary to protect the internet.

The DNSChanger malware and botnet were shut down in November last year, following an FBI-led investigation in which the US police agency confiscated the accused cybercriminals' hardware. DNSChanger does exactly what the name suggests: it alters the infected machine's DNS settings so that lookups go to the criminals' command and control servers, which maliciously redirect users to different sites.

On Monday, the FBI will shut down those servers, leaving as many as 300,000 PCs worldwide - and 19,589 in the UK, as of last month - with the wrong DNS settings and unable to access the web, unless their users take the unusual step of entering IP addresses directly into the browser.
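The check the article urges users to run comes down to one question: do the machine's configured DNS resolvers point at the rogue servers? The script below is an added illustration, not code from the article or the FBI; it reads resolv.conf-style text (a constructed sample) and flags any resolver inside a rogue range. The ranges used here are placeholders from documentation address space, not the real published DNSChanger ranges, which the article does not list.

```python
import ipaddress

# Placeholder ranges standing in for the published rogue-resolver list; the
# article does not give the real ranges, so substitute the official list in use.
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),   # placeholder (TEST-NET-3)
    ipaddress.ip_network("198.51.100.0/24"),  # placeholder (TEST-NET-2)
]


def parse_resolvers(resolv_conf_text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    resolvers = []
    for line in resolv_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            try:
                resolvers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # skip malformed entries rather than abort
    return resolvers


def find_rogue_resolvers(resolvers, ranges=ROGUE_RESOLVER_RANGES):
    """Return the subset of resolvers that fall inside any rogue range."""
    return [r for r in resolvers if any(r in net for net in ranges)]


# Constructed sample: one ordinary resolver and one inside a placeholder range.
SAMPLE_RESOLV_CONF = """\
# constructed sample resolv.conf
nameserver 192.0.2.53
nameserver 203.0.113.7
"""

if __name__ == "__main__":
    found = find_rogue_resolvers(parse_resolvers(SAMPLE_RESOLV_CONF))
    if found:
        print("Resolver(s) inside a rogue range:", ", ".join(map(str, found)))
        print("Restore DNS to your ISP's or another known-good resolver.")
    else:
        print("No configured resolver matches a rogue range.")
```

The same comparison applies to addresses gathered from any other source, such as the DNS servers listed by `ipconfig /all` on Windows or those configured on a home router.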

Security firm BitDefender said infections remain at government organizations as well as Fortune 500 companies, but F-Secure's security advisor Sean Sullivan expects most of the afflicted computers will be further down the chain, reports Nicole Kobie for the website PC Pro.

“My suspicion is a lot of those [infected] machines are going to be tucked away in small/medium businesses, and no-one's really paying close attention to it,” Sullivan told PC Pro's Nicole Kobie. “Some sort of group-use machine that has gotten infected and no one is taking responsibility for the thing.”

The servers were initially to be shut down in March, but the FBI extended the clean-up period until next week. That doesn't look likely to be extended again - and Sullivan doesn't think it should be, saying it was time for “tough love”.

“The botnet is pretty much disabled, but if your machine is infected, it's compromised — it's an indication that the person who owns the computer doesn't know it's infected,” he explained. “They never learn to patch up the machine, so it's vulnerable to other threats as well. The longer these things sit there, the more time there is for something else to infect.”

“Cutting them off would force them to get a hold of tech support and reveal to them that they've been running a vulnerable machine that's been compromised,” he added.

Facebook and Google have both crafted their own warning messages, which appear when someone using either site seems to have an infected computer. Facebook users get a message that says, “Your computer or network might be infected,” along with a link they can click for more information.

Google users got a similar message, displayed at the top of a Google search results page. It also provides information on correcting the problem.