DNSChanger: No, the Internet Isn’t Shutting Down on Monday


Dozens of news outfits are amping up this DNSChanger malware “event” on Monday with stories bearing apocalyptic titles like “Countdown to Internet Doomsday: Will Your Computer Survive?” or “How to Survive Internet Doomsday” or “End of the Internet? ‘Doomsday’ Virus Will Crash Thousands of Computers on July 9.”

My personal favorite: “Five Reasons DNSChanger Victims Deserve to Lose the Internet.” Because nothing says “helping bewildered consumers” like distorting what’s at stake to justify an almost gleefully callous (but eye-catching!) headline.


When I click on any of these, I half expect to find pictures of Bat Boy, his half-human, half-nocturnal mammalian mouth opening as if he were a cartoon opera singer hitting the money note, his hands at his face Macaulay Culkin style, his computer melting like the Wicked Witch into a pool of sludge.

What’s actually going down on Monday is far less theatrical.

No, the Internet isn’t shutting down. Not even close. What is happening is that the FBI will turn off a couple of servers (really, just two) that it originally set up to thwart the spread of an opportunistic and irritating but otherwise innocuous bit of malware.

And when the two servers do go dark, computers still infected with the malware — currently dependent on those FBI servers to access the Internet — will lose their ability to translate Web addresses into IP addresses. For these people — a number some are calling as high as half a million but that experts place at less than 250,000 worldwide (and well below 70,000 in the U.S.) — that means any network requests made using Web addresses won’t work.

I explained this in detail back in April, so here’s the Cliff’s Notes version:

In 2007, cyberthieves created malware, dubbed DNSChanger, that manipulated the way Internet ads appeared in infected computer browsers, allowing the cybercrooks to rack up millions in illicit fees.

The malware depended on a basic Internet principle called DNS (Domain Name System), which is how Internet routers know where to send your Internet requests — that is, how to translate a URL like http://www.time.com into a numeric IP address when you type it into your browser’s address bar.

Computers infected by DNSChanger had their local DNS information changed and were redirected to fraudulent servers that delivered Web-based ads that eventually channeled millions of dollars to the malware authors.

But the bad guys were caught last November and their servers seized. Given the number of infected computers, the FBI elected to leave the servers running sans ads, instead launching an awareness campaign to get users to disinfect before a shutdown date: July 9, 2012.

When the servers go dark, DNS-related Internet activity on any remaining infected computers will no longer work. How many people are we talking?

In a refreshingly sober piece, “Malware Monday: Much Ado About Nothing,” Eric Chabrow chats up DNS Changer Working Group (DCWG) spokesman Barry Greene (whose job it is to warn people about the malware, mind you):

Think about it: Various estimates place the number of PCs worldwide at between 1 billion and 2 billion. That means the 250,000 or so still-infected computers represent fewer than 2-100ths of a percent (0.02 percent) of all PCs in the world. That’s about the number of PCs a botnet hunter commandeers in a single day, Greene says, adding: “It’s no big deal.”

Here’s the deal. If you haven’t already, click this simple infection checker, run by DCWG, to determine if your computer has the malware (you’ll get an instant thumbs up or down). If not — celebrate good times! — you’re free and clear.

And if you are infected? No need to go all Dr. Peter Venkman like the rest of techdom; just be sure to visit DCWG’s “fix” page today (or by this weekend) and follow a few simple, undramatic steps to cleanse your computer.


30 comments
lokiii

People have had more than enough time to get this sorted out on their machine.  By the way if anything ever causes your antivirus software to quit working you have a problem.  If the software does not show as running in the tray at the bottom of your screen or it cannot get updates if you manually tell it to, you have a problem.  If you are hopeless with computers, you can take it in.  If you have a little savvy, you can get free antivirus software online, that will clear your computer.  Things like "Trend Housecall", TDSSKiller,  and Malwarebytes are your friend.  If your computer absolutely refuses to boot,  get a friend to download Kaspersky rescue disk and burn it to CD.   Boot your computer from the CD (this is done by hitting one of the function keys at startup ex: F11).  This CD has its own little operating system and all the antivirus software so you can clean your machine without the virus fighting you.


slozomby

rather than simply pointing all dns requests for the infected to a single page that displays "your computer is infected, contact your isp" they kept serving valid dns. this makes no sense.

Mujokan

The size of the problem has always been known, because they can simply count the addresses coming into the replacement DNS servers. For a couple of reasons, this may be slightly too low, but they know how many computers are affected pretty accurately.

Hack tabloid journalists always hype up everything (by definition), which I guess we should be used to by now. There have been some inaccurate and scary headlines, but generally the story has been reported reasonably in terms of the numbers affected.

Viruses used to be a big deal ten years ago or so, then it seemed to me like the problem decreased as software programmers adapted. Viruses aren't so common these days it seems, but other types of malware such as the TDSS rootkit and this DNSchanger trojan (spread by that rootkit in some cases) are becoming a more serious problem.

Even if you don't have this malware, remember to check thoroughly for others! Especially if you are on Windows.

One interesting aspect of this story has been all the comments from people who think the FBI is going to get them if they go check for the malware. The amount of paranoia in America is incredible. The FBI has no use whatsoever for a list of IP addresses hitting some website. There is nothing they can do with it.

Tin Man

Kinda hope Matt Peckham's PC is one of the infected ones.  Then maybe we won't have to hear any more from him. People that say they know everything really annoy us that do.

Irwin Busk

The FBI should never have put up temporary servers, to clean up after the malware. Yes, there would have been many, many inconvenienced internet users. But to draw an analogy, If my car has a recall, is it the job of the feds to give me a loaner car ? No. If they had not put up the temporary servers. everybody would have had their systems fixed and cleaned LONG ago.

6Zincstop9

Lila, i'm hammered and i still managed to access the site…. IP is fine.

Chris K

This is just one of about 4,000,000 bugs which can affect PCs, not using Linux. US Government funds should not have been used in any way to run a hacker's computer to cushion the blow to private PC users who don't keep their systems clean. In the last few days too many media outlets have been spreading Fear, Uncertainty and Doubt, needlessly. If you can't get online, get your computer fixed! Simple!

f_galton

I think a lot more than the internet is going to be shutting down on Monday, I've seen a huge uptick in chemtrails and unmarked helicopter activity lately and yesterday I spotted a convoy of trucks going into the local FEMA base.

Steven Murday

this will only affect infected personal pc's right? not the banks or any other pc's right? i mean whats the worse possible outcome? 

Christopher Kidwell

Banks computers run the same operating system as most consumer PC's do: Windows, from what I have seen. It's just a super-locked down version of Windows on the ATM machines in most cases.

Mason Bogert

What I don't understand is why the feds can't track down people using the servers and contact them...

zaphodb

Because all they get is the public IP, which, in most cases, has multiple users behind it. The ISPs HAVE, in many cases, been notifying the contacts they have for the IPs, but that isn't always reliable.

For people running a network of any size, it is pretty much impossible to visit every internal machine, especially when you're dealing with laptops that come in and out of the network.

For those who need to find out what systems in a network are still infected, ThreatSTOP has a log parser on their site to sift through any logged traffic (firewall, ids, netflow) and identify any traffic to/from the sinkhole servers.

This will allow sysadmins to identify any internal hosts still infected.
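
The kind of log sweep described in the comment above, as an added example (not part of the original thread and not ThreatSTOP's tool). The log layout is an assumed, simplified one, the sample lines are constructed, and the address ranges are documentation placeholders that must be replaced with the published rogue/sinkhole resolver ranges.

```python
import ipaddress
import re
from collections import defaultdict

# Placeholder ranges (RFC 5737 documentation blocks), NOT the real DNSChanger
# ranges: substitute the rogue/sinkhole ranges published by the DCWG or FBI.
SINKHOLE_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]

# Constructed sample lines in a simplified firewall-log layout (assumed format).
SAMPLE_LOG = """\
2012-07-06T09:14:02 ALLOW UDP src=10.0.4.17:51233 dst=192.0.2.53:53
2012-07-06T09:14:03 ALLOW UDP src=10.0.4.22:40112 dst=10.0.0.2:53
2012-07-06T09:14:09 ALLOW TCP src=10.0.7.80:49800 dst=198.51.100.9:53
2012-07-06T09:15:41 ALLOW UDP src=10.0.4.17:51300 dst=192.0.2.53:53
2012-07-06T09:16:00 ALLOW TCP src=10.0.9.5:50000 dst=192.0.2.80:443
2012-07-06T09:16:05 ALLOW UDP src=10.0.3.3:41000 dst=198.51.100.200:53
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<proto>UDP|TCP)\s+"
    r"src=(?P<src>[\d.]+):\d+\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

def find_suspect_hosts(log_text, ranges=SINKHOLE_RANGES):
    """Return ({internal source IP: {resolver IP: query count}}, skipped_lines)
    for DNS traffic (port 53, UDP or TCP) sent to a resolver inside `ranges`."""
    hits = defaultdict(lambda: defaultdict(int))
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1          # count unparsable lines instead of hiding them
            continue
        if m["dport"] != "53":    # only DNS traffic is relevant here
            continue
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:        # e.g. an octet above 255
            skipped += 1
            continue
        if any(dst in net for net in ranges):
            hits[m["src"]][str(dst)] += 1
    return {src: dict(d) for src, d in hits.items()}, skipped

if __name__ == "__main__":
    print(find_suspect_hosts(SAMPLE_LOG))
```

Because the firewall sees the internal source address, this gets past the shared-public-IP problem mentioned above; a host that appears in the result still has its resolver settings pointed at one of the listed ranges.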

Georgia Gier

Thank you for explaining it for what it really is and making it easy to check without inducing borderline panic!

Gentler_Reader

"Here’s the deal. If you haven’t already, click this simple infection checker, run by the DNS Changer Working Group (DCWG) to determine if your computer has the malware (you’ll get an instant thumbs up or down). If not — celebrate good times! — you’re free and clear."

Uh huh. Easy as pie... IF you can connect to the page, that is. All I get is repeated error messages.

Matt Peckham

Maybe (the site's being) hammered? Looks like it's up now, but alternatively, you can go here for a list of check pages:

http://www.dcwg.org/detect/

LILA KIRKLAND

 "Maybe hammered?"

This is the first time I have read your reporting. Your response to Gentler_Reader is sarcastic and offensive. Is this your general response to your readers? I expected more from a TIME reporter. Not only was this the first time I read your material, it is also the last.

vikingstork

 LILA -- you gotta be kiddin' us. Do you feel so important, you read into every reply to find offense, real or imagined? The reply was absolutely NOT sarcastic or  offensive. (BTW it's "reply", not "response"), maybe it's your ignorance (offense intended) of computers and computer culture.

And assume if you choose not to read Matt Peckham's "responses", (har), the TIME magazine will collapse?


CD47

Whoa! Where's the need to be rude, Lila? What a headlong rush to judgement! "Hammered" in this context merely means that the site is being excessively hit with a huge influx of users. A graceful apology to the author would be nice to see.

Steven Murday

lol, likely he isn't used to pc lingo & may have already been in a bad mood before commenting , im just glad there's more detailed info on whats going down then just whats on fbook. cause fbooks making it sound much worse.. i checked & good to go & have re-posted this page & the detect page to fbook to help clear up some of the confusion =)

Michael Stohler

 Lila,

 Take a chill pill! You are awful quick to judge someone. He is OBVIOUSLY trying to help people out. You are just rude!

Ana ToeGoddess Hernandez

If you do not know enough internet lingo to keep from looking like a fool, you really should not be on the internet. You really owe the author of this article, that you made a rude comment to because of your ignorance,  an apology.

Foo Bar

LOL. Considering how easily offended you are by completely innocuous words, going away from the internet is probably your best option.

Paul Han

Hammered is common internet lingo when a server is being accessed by too many people at once. There was no sarcasm and no ill will intended.

Matt Peckham

Hi Lila, I just meant maybe the site was getting hammered, that's all. Sincere apologies if I (unintentionally) caused offense.

Y2K3

I took the "maybe hammered" comment to mean that the website is likely not responding due to an influx of people using it. I assume that you thought that he meant that the first commenter was "hammered," whatever that might mean (drunk?). Regardless, please keep in mind that context is sometimes hard to read just from text.

Gentler_Reader

I checked my IP a long while ago and it's fine. I'm just letting you know that the site you're recommending was not functioning.