DNSChanger Doomsday Threatens To Take 300,000 Off The Web

As many as 20,000 machines in the UK could be cut off the net when the FBI pulls the plug

The FBI has today switched off the servers used by the DNSChanger malware gang, meaning hundreds of thousands of users may be forced off the Web.

Those still infected will be unable to use their browsers normally, because their requests will no longer pass through DNS servers that translate a typical URL (e.g. techweekeurope.co.uk) into the IP address of a website’s servers. Instead, they will be connecting through servers set up by the gang to enable a money-making fraud, which the FBI has had to keep running so that infected users were not left high and dry.

The FBI said around 64,000 Americans were in danger, whilst the last count from the DNSChanger Working Group (DCWG) showed 19,589 British systems were infected with the malware. That made Britain the fourth most infected nation behind Italy in second and India in third.

Yet a Pastebin release, tweeted by F-Secure’s Mikko Hypponen, claimed there were only around 5,000 British systems infected, compared to 47,000 in the US.

Overall, there are believed to be between 250,000 and 300,000 machines still infected with the malware, but it is unknown how important those systems are.

“We’ve been using the last eight months to go out and clean up the infected computers, but we don’t have everybody,” said supervisory special agent Thomas Grasso of the FBI’s Cyber Division. Grasso said he hoped that people “follow our recommendations to: one, determine if they’re affected by this; and then two, fix the problem.”

Get protected

For those concerned, head to this FBI blog post, which contains links to all the resources users need to stay online. A number of anti-virus firms have released free software to help too, including Intel-owned McAfee and Russian firm Kaspersky.
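The check that Grasso and the FBI resources ask users to make, and that the explanation above describes, comes down to one question: do the resolver addresses a machine is configured to use fall inside the rogue netblocks the gang operated? The script below is an added example (not from the article, the FBI or the DCWG) showing that check over a resolv.conf-style configuration. The netblocks it uses are constructed placeholders from the reserved documentation ranges, standing in for the real list that the DCWG published; anyone using this for real would substitute that published list. The sample configuration text is also constructed.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed placeholder netblocks (RFC 5737 documentation ranges).
# They stand in for the rogue resolver ranges published by the DCWG and
# are NOT the real DNSChanger addresses.
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),   # placeholder, TEST-NET-3
    ipaddress.ip_network("198.51.100.0/24"),  # placeholder, TEST-NET-2
]

# Matches "nameserver <address>" lines as found in /etc/resolv.conf.
NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.IGNORECASE)


def parse_resolv_conf(text: str) -> List[str]:
    """Return every resolver address listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # strip trailing comments
        m = NAMESERVER_RE.match(line)
        if m:
            servers.append(m.group(1))
    return servers


def is_rogue(addr: str, ranges=ROGUE_RESOLVER_RANGES) -> bool:
    """True if addr is an IP literal inside one of the rogue netblocks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False                          # hostnames are not checked here
    return any(ip in net for net in ranges)


def check_resolvers(text: str, ranges=ROGUE_RESOLVER_RANGES) -> Dict[str, bool]:
    """Map each configured resolver to whether it sits in a rogue range."""
    return {server: is_rogue(server, ranges) for server in parse_resolv_conf(text)}


# Constructed sample configurations used for the demonstration.
SAMPLE_CLEAN = "nameserver 192.0.2.1\n"
SAMPLE_INFECTED = (
    "# resolver settings rewritten by the malware (constructed sample)\n"
    "nameserver 203.0.113.77\n"
    "nameserver 8.8.8.8\n"
)

if __name__ == "__main__":
    for label, cfg in (("clean", SAMPLE_CLEAN), ("infected", SAMPLE_INFECTED)):
        result = check_resolvers(cfg)
        flagged = [s for s, bad in result.items() if bad]
        print(f"{label}: resolvers={list(result)} flagged={flagged}")
```

The script only reads configuration text, so it can be run against a saved copy of a machine's resolver settings without touching the network; a machine that reports any flagged resolver is the case the FBI post describes and needs its DNS settings reset and the malware removed. Windows systems and home routers, which DNSChanger also rewrote, keep resolver settings elsewhere, so the same range check would be applied to the addresses read from those places rather than from a resolv.conf file.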

Some have warned that the panic surrounding DNSChanger could play into scammers’ hands too. “We may also see malware, spam, or scam campaigns associated with news about the DNSChanger malware,” Websense said in a blog post. “As a precaution, be careful when clicking links in notification email claiming to be from your ISP or links in Facebook posing as information on DNSChanger malware. These may be spoofed email or links designed to download malware or take you to a malicious website.”

Users have been given plenty of warning since November, at the end of a successful operation that saw the FBI and its international partners charge six individuals with conducting a sophisticated click-fraud scheme using DNSChanger. The operators were thought to have pocketed at least $14 million until they were caught.

The DNSChanger malware was running on many thousands of systems, which could only connect to the Internet using the crooks’ servers, so the FBI was compelled to keep the DNSChanger servers running. The Bureau has since delayed the cut-off date from March to July over fears that businesses would be left without normal Internet access.
