OFF THE WIRE
DNS Changer Check-Up
In 10 days, there's a chance you will not be able to access the Internet on your personal computer. No email, no Facebook, no Google, no Twitter — nothing.This potentially dire situation is due to the nasty DNSChanger Trojan, and the fateful date of July 9, on which the FBI is set to take all computers still infected with the malware offline for good. The date is being dubbed "Internet doomsday" for those who don't take action.
Launched by Estonian cybercriminals, the DNSChanger malware infected Windows PCs, Macs and routers across the world and enabled the crooks to hijack victims' Web traffic and reroute it to rigged sites. After the FBI, in "Operation Ghost Click," busted the criminals last November, the FBI set up surrogate servers to keep the computers infected with the Trojan temporarily online so users could clean them. But on July 9, those surrogate servers are coming down.
[Will the FBI Shut Down My Computer? Questions and Answers]
This is bad news for anyone whose computer is still harboring the malware. According to a new report from Internet Identity,that unfortunate group, which at the time of the FBI sting was made up of 4 million computers and routers worldwide,still includes 12 percent of the Fortune 500.
In his Krebs on Security blog, researcher Brian Krebs cites a statistic from the DNSChanger Working Group, which estimates that more than 300,000 computers are still infected with the malware.
"That number is likely conservative," Krebs said. "The DCWG measures infections by Internet protocol (IP) addresses, not unique systems. Because many systems that are on the same local network often share the same IP address, the actual number of DNSChanger-infected machines is probably quite a bit higher than 300,000.
In the past few weeks, both Google and Facebook have undertaken notification campaigns efforts to warn those who may still be infected with the Trojan. But if you didn't receive a warning, it doesn't mean you're in the clear.
There are ways to eradicate the DNSChanger from your system before July 9. Here's how, in three easy steps.
First, you'll need to change some settings on your computer. Click here for instructions on how to do so. That will make sure you're still able to get on the Internet when July 9 rolls around.
Step two is to run strong anti-virus software that will clean up your computer. You'll probably have to pay for the software. Here's a list of recommended anti-virus software products.
The third step is to check your system again; if you're still seeing the Google alert, check the DNS Changer Check-Up.
If you know your car might explode and crumble into a burning mass of parts in less than two weeks unless you got it serviced, you'd probably get it serviced, right? Do the same with your computer.
Will the FBI Shut Down My Computer? Questions and Answers
UPDATE: The cutoff date is now July 9, 2012, but everything else in this article still applies -- and word is there will definitely not be another extension.
You may have heard recently that the FBI will be "turning off the Internet" on March 8 for millions of computer users. That's not quite the case, but it's still a serious situation.
To clear up the misunderstandings about this problem, we've put together a list of frequently answered questions.
Will I lose Internet access on March 8?
Probably not. But to be sure, point your Web browser to http://dns-ok.us/ to find out. If you see green, you're fine.
What if I see red?
Then you've got a problem. The first thing to do will be to change some technical settings on your computer. Click here for instructions on how to do so. That will make sure you still have Internet access when the fateful day comes.
The second thing to do will be to update and run strong anti-virus software that will clean up your machine, because these particular malware infections are pretty nasty. You'll probably have to pay for the software. Here's a list of recommended anti-virus software.
I'm using a Mac. Do I need to worry?
Yes. There are many forms of malware involved, and some affect Macs as well. Here's a list of Mac anti-virus software.
Any chance the deadline will be extended beyond March 8?
Yes. The government has asked a judge to extend it to July 9 — you can read the motion here — but many security professionals would like to stick to the original deadline.
Why? That seems awfully mean.
It's not really. The infected computers have to be cleaned up sometime, and it might as well be sooner rather than later.
But I'm only hearing about this now!
The mainstream press started reporting on this last week. In any case, you've still got time to fix the problem.
I'm still confused. What exactly happened?
(Deep breath.) For about five years, a cybercriminal ring based in Estonia ran a "clickjacking" scam that paid it every time people clicked on online ads it had placed. To boost revenue, the gang used various kinds of malware to infect millions of computers worldwide.
I don't get it.
Follow me here. The malware changed the infected machines' settings so that people searching for various things online would be redirected to webpages that the criminals controlled, and on which the criminals had placed the ads that made them money. Here's a YouTube video that shows how it worked. (Despite what happens in the video, the malware affects Firefox too.)
So what's wrong with that?
It doesn't sound so bad at first, but the gang defrauded online ad-placement companies of about $14 million over five years. Even worse, the gang's malware often disabled anti-virus and operating-system updates on the infected computers, leaving them vulnerable to other kinds of infection.
Wow. How many people were affected?
About four million computers were infected worldwide, including about a million in the U.S. The FBI explains it all here.
How did the malware infect computers?
Through "drive-by downloads" from infected Web pages, and through Trojan horses such as phony online-video software downloads.
How many people are still infected?
We don't know for certain. One estimate is that 500,000 U.S. users could lose Internet access on March 8. Another oft-cited figure states that half of the Fortune 500 companies have at least one infected computer, but if you read between the lines that could mean as few as 250 PCs.
I still don't get it. How did the infection affect Internet access?
When you type in a Web address, your computer doesn't actually understand what you're asking for. Instead, it looks up what you typed in on what's called a Domain Name System server, which tells your computer where to go. Most computers use the DNS server supplied by their Internet service providers.
I'm lost already. DNS what?
Think of a DNS server as a phone book that every Internet service provider has a copy of.
Okay. So the bad guys changed the phone books?
Exactly. And the fake phone books took infected computers to rogue websites where the bad guys put up ads.
Will this affect email as well?
Yes. DNS servers also translate Internet addresses for email software.
So what does the FBI have to do with this?
The Estonian gang was finally busted in early November of last year in what was called "Operation Ghost Click." Here's the indictment if you want to read it.
The FBI shut down the rogue DNS servers — there were about 100 of them — but in order to keep all those infected users online, it got a court order to keep the fake phone books in place for another four months.
And that court order expires March 8?
Bingo.
So what happens then?
The fake phone books get taken offline and, because they'll no longer be able to translate Web addresses, so will all the infected machines still relying on them.
Why can't the FBI just keep them up longer without a court order? After all, they're part of the government.
The FBI isn't actually running those servers. That's being handled by a non-profit company in Silicon Valley which isn't in the business of law enforcement, and it doesn't want to step into murky legal territory.