Internet Doomsday and DNSChanger: do not fall to the Doom

25 Apr 2012

On 9 July the FBI are threatening to pull the plug on a server that is costing them too much but which protects more than 300,000 computers worldwide infected by an insidious piece of malware. So how do you avoid Armageddon if your computer has been infected?

The malware that is understood to have infected 500,000 PCs and Macs originated with an Estonian crime gang the FBI broke up in November.

It is understood that the cyber security team at Trend Micro’s operations in Cork played a key role in “Operation Ghost Click” to help apprehend several individuals in Estonia and Russia.

These cyber criminals manipulated internet websites and advertising to generate at least US$14m in illicit fees. Using malware known as DNSChanger, the scammers redirected users to rogue servers, which sold fake pharmaceuticals and security products, among other items.

The virus first emerged in 2007 and hijacked computers without users’ knowledge and generated fraudulent clicks on ads.

An FBI-run “DNS Checker Page” that allows users to see if they have the virus and remove it is apparently costing the bureau thousands of dollars to run each month and it wants to turn it off on 9 July.

By doing so this will expose 350,000 computers in the world that still carry the malware.

So, what will Internet Doomsday look like?

While it has been described as the internet’s doomsday, what will actually happen?

According to the FBI, those users’ computers whose domain name server (DNS) settings have been warped by the crime gang’s malware will no longer be protected and they could lose their internet connectivity. In effect, they won’t be able to reach DNS servers or websites.

“To assist victims affected by the DNSChanger malicious software, the FBI obtained a court order authorising the Internet Systems Consortium (ISC) to deploy and maintain temporary clean DNS servers. This solution is temporary, providing additional time for victims to clean affected computers and restore their normal DNS settings. The clean DNS servers will be turned off on July 9, 2012, and computers still impacted by DNSChanger may lose internet connectivity at that time.”

How to survive Internet Doomsday

So, in effect, the potential loss of 350,000 connections won’t hurt the internet per se, but will be intensely frustrating for internet users who lose their connections.

It is understood that the DNSChanger virus is accompanied by a root kit that is hard to remove and could involve users having to wipe their machines and reinstall their software.

However, there are tools available from security vendors, including Norton, Kapersky, Trend Micro, Microsoft, McAfee and others, to help remove the rootkit without reformatting your computer.

If you are concerned your computer may be harbouring the virus, the DNSChanger Working Group has some handy online tools to detect and remove the virus.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years