Anywhere from 250,000 to 500,000 computers worldwide may lose Web access Monday morning if their users don’t manage to remove malware called “DNSChanger” from their machines.
A massive public information campaign has been run over the last several months to tell people about the malware and how to remove it, but hundreds of thousands of computers remain infected.
People attempting to access the Web from infected computers will likely see an error message.
If that should happen, “they need to call their tech support, the computer guy in their family, or their ISP,” Rod Rasmussen, president and CTO of Internet Identity, told TechNewsWorld.
“There are tools that can help clean up infected computers,” he said. “This particular virus family is really difficult to fully pull out of the computer, so it’s important to make sure you have someone who is a professional who has thorough instructions for how to remove the malware.”
This saga began when a band of criminals created DNSChanger, which replaced the DNS resolver settings on infected computers with the addresses of resolvers the gang itself operated, so that name lookups could be answered with attacker-chosen addresses and browsers silently redirected to criminally created sites; it also attempted to change the DNS settings on home routers and other network devices, so that every machine behind them was affected.
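The practical check that follows from the description above is whether a machine's configured resolvers fall inside the address ranges the gang used. Here is an added example (not code from the article, Internet Identity, or the DNS Changer Working Group) that parses resolv.conf-style text and flags any nameserver inside those ranges. The ranges are the ones the FBI and the DCWG published as the rogue DNS ranges; the article itself does not list them, and the sample resolv.conf content is constructed for the example.

```python
import ipaddress

# Rogue resolver ranges published by the FBI/DCWG for DNSChanger.
# Assumption for this example: these are the published ranges, not
# something stated in the article above.
ROGUE_DNS_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20",
    "67.210.0.0/20",
    "93.188.160.0/21",
    "77.67.83.0/24",
    "213.109.64.0/20",
    "64.28.176.0/20",
)]


def parse_resolvers(resolv_conf: str) -> list:
    """Extract the nameserver addresses from resolv.conf-style text.

    Both '#' and ';' start comments, as in the real file format;
    malformed addresses are skipped rather than raising.
    """
    servers = []
    for raw in resolv_conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0].lower() == "nameserver" and len(parts) >= 2:
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue
    return servers


def rogue_resolvers(servers) -> list:
    """Return (address, matching_range) pairs for resolvers in a rogue range."""
    hits = []
    for ip in servers:
        for net in ROGUE_DNS_RANGES:
            if ip in net:            # version mismatch simply yields False
                hits.append((str(ip), str(net)))
                break
    return hits


def check_resolv_conf(resolv_conf: str) -> list:
    """Parse the file text and report any resolver inside a rogue range."""
    return rogue_resolvers(parse_resolvers(resolv_conf))


# Constructed sample: one resolver pushed by the malware, one legitimate.
SAMPLE_RESOLV_CONF = """\
# constructed sample for the example; not taken from a real machine
nameserver 85.255.116.32   ; inside 85.255.112.0/20
nameserver 8.8.8.8
search example.internal
"""

if __name__ == "__main__":
    for ip, net in check_resolv_conf(SAMPLE_RESOLV_CONF):
        print(f"rogue resolver {ip} (in {net})")
```

On a Linux or macOS host the same function can be run over the contents of /etc/resolv.conf; on Windows the resolver list would come from the interface configuration instead. A clean result only says the resolver settings are not pointing at those ranges; it does not say the machine is free of the malware, which is why the cleanup advice below is to have the whole machine cleaned rather than just the DNS settings fixed.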
The arrests in November of six Estonian men accused of creating the malware put an end to the scheme, but because millions of computers remained infected, and still pointed at the gang's resolver addresses, the FBI worked with industry representatives to set up clean replacement servers in their place. The idea was to buy time to get the word out to the public about the malware.
On Monday, however, those replacement servers will be shut down, and infected computers will no longer be able to resolve domain names, which in practice means no Web access.
It won’t be a digital disaster, but it could have been a true Web emergency back in November if the replacement servers had not been set up, since millions would have suddenly lost Web access without warning. The fact that those numbers have been whittled down to the hundreds of thousands in the intervening months shows that the replacement server strategy worked.
“If they had just pulled the plug, you would have had a big event,” said Rasmussen. “Doing this allowed for a soft let-down. We would have had a bit of an Internet doomsday if they had pulled the plug back in November.”
Thanks to this public information campaign, in which everyone from Facebook to Google has participated, the number of affected computers has dropped dramatically, from millions to several hundred thousands.
Initially, many of the infected computers belonged to governmental agencies and businesses, though the clean-up campaign has reduced that number significantly. Internet Identity estimates that around 12 percent of the remaining infected computers are associated with Fortune 500 firms and 3.6 percent are in governmental agencies, though because of massive institutional cleanup operations, many of these machines are likely to be computers owned or used by individuals who work for those organizations.
Some of those computers still infected might even be dormant and not actively used by anyone.
“We think a lot of those computers don’t have someone behind them,” Barry Greene, a principal security architect with GETIT and an industry volunteer with the DNS Changer Working Group, told TechNewsWorld. “They’re just sitting around. We’re keeping up [the information campaign] until the last minute, but what we’ll get is a few people making phone calls on Monday. And then we’ll see the day after that there’s just a bunch of computers out there not being controlled by anyone.”
More to Come
Computers still infected with DNSChanger have probably also had their antivirus software disabled, so they’ll need to be completely cleaned rather than simply having their DNS settings corrected.
“The problem is that this virus turned off antivirus updates,” said Rasmussen. “People who have this probably have other viruses, as well.”
Though this has been one of the most visible malware cases recently, it’s not going to be the last instance of this kind of cybercriminal activity, noted Greene.
“It’s not just DNSChanger, but lots of others,” he said. “That’s the scary part. There are lots of others out there.”