DNSChanger: FBI Warns Infected Computers Will Lose Web, Email Access in July

  • Share
  • Read Later
Richard Nowitz / Getty Images

There’s a story circulating that if you don’t ensure your computer is malware-free by July 9, 2012, the FBI will shut off your access to the Internet. Like most such alarmist claims, it’s only partly true, though if you’re a Windows or Mac user, you’ll want to pay attention.

The original story dates back to 2007, when a group of cyber-ne’er-do-wells launched malware dubbed “DNSChanger,” infecting millions of computers in hundreds of countries with code that allowed them to manipulate the way Internet ads appear in browsers, ultimately racking up millions in illicit fees.

(MORE: FBI, Estonian Police Shut Down $14 Million Botnet Scam)

How did the malware work? DNSChanger targets Windows or Mac systems (Linux, iOS and Android users are in the clear) by manipulating Domain Name Servers (DNS), which translate syntax-based URLs into IP addresses. When you type something like “www.yahoo.com” into your browser, for instance, your request hits your Internet service provider’s DNS server, which translates it into a numeric IP address. If you plug that IP address into your browser’s URL bar in lieu of the web address, barring any IP tricks, you’ll land on the exact same web page. The Internet’s underlying architecture is based on TCP/IP, in other words, not the more easily remembered words we type into our browsers.

DNSChanger fiddles with that DNS routing: Once a computer was infected, the malware redirected DNS-related requests to servers controlled by the fraud ring, which then piped web ads to users, ultimately putting millions of dollars in the cybercriminals’ pockets.

Working with Estonian officials, the FBI was able to track down the perps — six Estonian nationals were arrested for the crime last November — and seize their servers. But given the number of computers estimated infected, the FBI opted to leave the servers running, ad-neutralized, to avoid disrupting Internet functionality for those unaware their computers were compromised. And to give users more time to purge, the FBI secured a court order on March 12, 2012 that authorized the Internet Systems Consortium (ISC) — a nonprofit corporation that supports the Internet’s infrastructure — to roll out and maintain temporary “clean” DNS servers. But since these servers cost money to operate, the plan has been to shut them off on July 9, 2012. When that happens, DNS-related Internet activity on infected computers, e.g. web and email, will cease to function.

To be clear, your Internet service itself will be unaffected by the change: If your computer is infected with the DNSChanger malware, your Internet router will keep routing and any commands sent by your computer that aren’t DNS-related will still pass. The FBI isn’t shutting off Internet service to impacted machines, it’s just pulling the plug on a stopgap measure designed to bandaid the broken process currently facilitating DNS communication on infected machines.

How do you tell if you’re infected? Simple: The FBI runs a DNS checker page, where you can type your DNS info into a box to check its validity. Easier still, you can click on a link that’ll automatically check and return either a green or red background, indicating “clean” or “infected” states, respectively. Alternately, the DNS Changer Working Group (DCWG), created to help remedy the malware, maintains a page with detailed information on the malware, how to detect it and how to remove it, including a table of links to popular antivirus company remedies.

MORE: Apple Has Its Own Flashback Malware Removal Tool in the Oven