Malware DNSChanger Threatens Thousands Of Internet Users With A Black Monday: How To Avoid Attack

  on July 06 2012 5:40 AM

July 9, 2012, may be a Black Monday for tens of thousands of Internet surfers when the FBI switches off the replacement DNS servers that have been keeping machines infected with the DNSChanger malware online, according to Wired.

The DNS malware infected more than half a million computers globally at its height, Wired reported, redirecting victims' Web browsers to sites chosen by the malware's masterminds and earning them more than $14 million in affiliate and referral fees. The malware also prevents victims from downloading operating system and anti-virus security updates that could detect and disable it.

According to PCWorld, approximately 275,000 PCs are at risk of losing Web access when the DNS (domain name) servers the FBI has operated to redirect affected computers to legitimate websites are turned off.

Eight months ago, the FBI busted an Eastern European organized group of cybercriminals, PC World reported. The FBI then redirected traffic from compromised machines, which attempted to contact the hackers' chosen Web sites, using surrogate DNS servers.

Experts are urging users to run diagnostic tests offered by legitimate security experts before Monday. Efforts are also being made to shut down a suspicious temporary server network.

A concerted campaign by a coalition of tech security groups, along with online giants Google and Facebook, has sought to warn users about the attack and the impending blackout.

Federal authorities and a non-profit group helped users with infected machines regain access to the Internet by replacing the hackers' servers, through which victims' Internet traffic was directed, with the FBI's servers after the FBI busted the cyberthieves.

Google and Facebook employed different technical methods to determine which machines may carry the DNSChanger infection, and they alerted users to the potential malware attack. Both companies are interested in stopping the attack, though they are not directly affected by the malware. However, they depend on advertising revenue and have an interest in combating false ad campaigns.

How The Malware Affects Users

When infected machines try to access certain websites, including those owned by the federal government (such as www.fbi.gov), the malware directs requests to rogue servers controlled by a ring of cyber thieves. These servers in turn redirect requests to other rogue sites.

For instance, requests to access legitimate websites, like those of Apple and Netflix, may be directed to e-commerce sites that sell unauthorized products. In other instances, users may be redirected to legitimate sites but shown ads from businesses engaged in not-so-legitimate transactions.

How The FBI Tried To Curb The Menace

Soon after breaking up the ring, authorities found that requests from affected machines were being sent to rogue servers or nowhere. In the aftermath of the arrests, the non-profit Internet Systems Consortium was brought in to operate replacement servers on a temporary contract to help affected users disinfect their computers.

Reports indicated that four million computers were infected by the malware globally and 500,000 in the U.S. alone. However, this number was reduced as the Internet Systems Consortium notified service providers of users with infected machines.

Google has joined with the Consortium to direct requests from infected machines to a special Internet address where users will be warned about the malware. Experts state that some infected machines may no longer be in use.

How To Scan Machines To Check For Infection

Several free scanning tools and services are available on the Web, including those made available by the nonprofit DNSChanger Working Group at www.dns-ok.us. There is also a free scanning service offered by security software seller McAfee at www.mcafee.com/dnscheck.
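The online checkers above work on the same principle an administrator can apply locally: DNSChanger worked by pointing a machine's resolver settings at servers the criminals controlled, so a machine is suspect if any of its configured nameservers falls inside a known rogue address range. The Python script below is an added illustration of that check and is not code from the article, the DNSChanger Working Group or McAfee. It parses resolv.conf-style text and compares each nameserver against a list of ranges; the ranges in the script are constructed placeholders (TEST-NET blocks), not the real rogue ranges, which should be taken from an authoritative advisory before the script is used on a live machine.

```python
import ipaddress

# Constructed placeholder networks standing in for the published rogue
# resolver ranges. Replace with the ranges from an authoritative advisory.
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),     # TEST-NET-1, placeholder only
    ipaddress.ip_network("198.51.100.0/24"),  # TEST-NET-2, placeholder only
]


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text.

    Comments ('#' or ';') and malformed entries are ignored, mirroring
    how the system resolver treats the file.
    """
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # not a valid address; skip it
    return servers


def find_rogue_resolvers(servers, rogue_ranges=ROGUE_RESOLVER_RANGES):
    """Return the resolver addresses (as strings) that sit in a rogue range."""
    return [str(s) for s in servers if any(s in net for net in rogue_ranges)]


def check_resolv_conf(text, rogue_ranges=ROGUE_RESOLVER_RANGES):
    """Classify a resolver configuration: ('infected', flagged) or ('clean', [])."""
    servers = parse_resolv_conf(text)
    flagged = find_rogue_resolvers(servers, rogue_ranges)
    return ("infected" if flagged else "clean", flagged)


# Constructed sample files: one with a resolver in a placeholder rogue range,
# one pointing only at public resolvers.
SAMPLE_HIJACKED = """# Generated by NetworkManager
search example.lan
nameserver 192.0.2.77
nameserver 9.9.9.9
"""

SAMPLE_CLEAN = """nameserver 9.9.9.9
nameserver 1.1.1.1
"""

if __name__ == "__main__":
    for label, text in (("hijacked", SAMPLE_HIJACKED), ("clean", SAMPLE_CLEAN)):
        verdict, flagged = check_resolv_conf(text)
        print(f"{label}: {verdict} {flagged}")
```

To run it against the machine you are sitting at, pass the contents of /etc/resolv.conf to check_resolv_conf; on Windows the same comparison applies to the DNS servers shown by ipconfig /all. A clean result from this check alone is not proof of a clean machine, since it only inspects the resolver setting the malware changed; the scanning tools the article names and a full anti-virus scan cover the rest.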
