On Monday morning, you may not be able to log on to the Internet. The FBI plans to discontinue a safety net it set up to protect computer users from a hacker group that had been surreptitiously redirecting PCs to Web sites they operated.
The DNSChanger virus affected well more than a half-million computers when the FBI and other authorities took down the international cybercriminal ring last winter. At that point, the FBI was left with a quandary: The virus redirected PCs to DNS Internet servers operated by the ring, and if they were disconnected suddenly, those PCs would no longer be able to use the Internet.
So, the FBI arranged to replace those servers with ones that operated correctly, as a safety net to give computer users time to rid their PCs of the virus.
But now, time is up. Those servers cost the government money, so they're being disconnected Monday, July 9.
At this point, the FBI estimates more than 277,000 computers worldwide remain infected, with about 63,000 of those in the U.S. That's a tiny fractional percentage of the billions of PCs worldwide, but thousands nonetheless.
DNSChanger was a Trojan created by cybercriminals to redirect the Internet traffic of millions of unsuspecting consumers to Web sites where the thieves profited from advertisements.
Understanding the Problem
Domain Name System (DNS) servers convert user-friendly Web site names into the numeric Internet Protocol (IP) addresses that computers use to talk to each other. When users enter Web site names into their browsers, their computers contact DNS servers.
If users' computers have the wrong settings to find those DNS servers, they will not be able to access Web sites, send e-mail or use Internet services.
Serious Threat or Not?
Gunter Ollmann, VP of research at Damballa, a company that specializes in advanced threat-protection software, told us the DNSChanger malware was successfully operated by criminals for quite some time before the FBI took it down.
"The DNSChanger malware silently altered key settings on the victims' computers, allowing the criminals to monetize the way their victims surfed the Web," Ollmann said.
"As to the seriousness of this situation, in the grand scale of Internet crime and the monetization of victims, DNSChanger is not a serious threat," he said. "But it is an interesting footnote in the success of law enforcement actively taking down a large botnet."
While the DNSChanger was able to make illegal profits for the cybercriminals behind it, it wasn't as threatening as malware that steals user identities or withdraws money from online bank accounts.
Still, the threat of losing Internet access Monday is a real one for the thousands who will be affected. Reports indicate PCs and Macs are vulnerable, but not Linux, and not mobile devices.
Security software-maker McAfee has released a free tool to check your computer and help those who may be infected by the 'DNSChanger' Trojan. Checking now will help you stay connected after the safety-net servers are shut down by the FBI on July 9.
Available at www.siteadvisor.com/dns_checker.html, the tool helps users identify whether they have been affected by the malware and offers a free solution if they have been infected.
"Identifying and changing these settings manually can be difficult," said Vincent Weafer, senior vice president at McAfee Labs. "By providing a free tool that walks them through the process, we're making it easy for consumers to fix their settings and stay connected."
Another easy way to check is courtesy of a Web site the FBI set up in cooperation with public and private security experts. That site is www.dns-ok.us -- operated by the DNSChanger Working Group -- and it has a tool to check your device, as well as resources for working with your provider to get rid of the virus and stay connected.
Green Is Good
At the DNS-OK.us site, if your computer is safe, you'll see a notice that says, "DNS Resolution = GREEN. Your computer appears to be looking up IP addresses correctly!"
The notice goes on to say: "Had your computer been infected with DNS changer malware, you would have seen a red background. Please note, however, that if your ISP is redirecting DNS traffic for its customers you would have reached this site even though you are infected."
The notice ends with a link to the FBI's website for additional information regarding the DNS changer malware.
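The DNS-OK.us notice warns that an ISP redirecting DNS traffic can produce a green result on an infected machine; inspecting the resolver addresses configured on the machine itself does not depend on where a query ends up. The Python below is an added example, not code from the article, McAfee or the DNSChanger Working Group. The ranges and the sample resolv.conf text are constructed placeholders, and the real rogue ranges must be taken from the list published by the FBI or the working group.

```python
import ipaddress

# Constructed placeholder ranges (RFC 5737 documentation space), NOT the real
# rogue DNS ranges: replace with the list published by the FBI / DCWG.
ROGUE_RANGES = ["192.0.2.0/24", "198.51.100.0/25"]

# Constructed sample of a resolv.conf-style file (Mac/Unix resolver settings).
SAMPLE_RESOLV_CONF = """\
# constructed sample
search example.lan
nameserver 192.0.2.53
nameserver 198.51.100.200
nameserver 10.0.0.1   # home router
nameserver not-an-ip
"""

def parse_nameservers(resolv_conf_text):
    """Return the addresses on 'nameserver' lines, with comments stripped."""
    servers = []
    for line in resolv_conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def classify_resolvers(servers, rogue_ranges=ROGUE_RANGES):
    """Map each configured resolver to 'ok', 'invalid' or 'rogue (<range>)'."""
    nets = [ipaddress.ip_network(r) for r in rogue_ranges]
    verdicts = {}
    for server in servers:
        try:
            # Drop an IPv6 zone id such as fe80::1%en0 before parsing.
            addr = ipaddress.ip_address(server.split("%", 1)[0])
        except ValueError:
            verdicts[server] = "invalid"
            continue
        # Membership is False across IP versions, so mixed lists are safe.
        hit = next((str(n) for n in nets if addr in n), None)
        verdicts[server] = f"rogue ({hit})" if hit else "ok"
    return verdicts

def uses_rogue_resolver(resolv_conf_text, rogue_ranges=ROGUE_RANGES):
    """True if any configured nameserver falls inside a listed rogue range."""
    verdicts = classify_resolvers(parse_nameservers(resolv_conf_text), rogue_ranges)
    return any(v.startswith("rogue") for v in verdicts.values())

if __name__ == "__main__":
    for server, verdict in classify_resolvers(parse_nameservers(SAMPLE_RESOLV_CONF)).items():
        print(f"{server:<18} {verdict}")
```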