Come Monday, there will be some people who won’t be able to get on the Internet from their computers. Will you be one of them? Hopefully not.
According to the latest FBI estimates from July 5, approximately 64,000 computers in the United States are expected to lose Internet access when the temporary Domain Name System servers are shut down July 9. The number is closer to 300,000, worldwide, with the top infections in the US, Italy, India, and Great Britain, Vikram Thakur, principal security response manager at Symantec, told Security Watch.
Wait, Why?
As PCMag previously reported, computers infected with the DNS Changer Trojan have been using rogue DNS servers instead of the default servers specified by their company and Internet service provider. DNS servers act as a phone directory for the Internet, translating domain names (say, PCMag.com) to the server’s numeric address, and routing users to the correct website. The cyber-gang behind the malware was using rogue DNS servers to direct users to alternate sites.
After the gang was arrested in 2011, the Federal Bureau of Investigation obtained a court order allowing it to operate DNS servers at those IP addresses so that infected computers could remain online while they were cleaned up. The original cleanup deadline was in March, but it was extended to July 9. On Monday, that court order will expire and the servers will be shut down, leaving infected computers with no DNS server to send their Web requests to.
“An educated guess is that the infections are primarily home or small business users,” Thakur said.
Cleanup Efforts
Considering the malware originally infected close to 1 million computers, coming down to 300,000 is pretty good. But according to the DNS Changer Working Group statistics, the number of infected machines has been stalled in this range since about mid-May.
It’s possible that some of the users are aware of the infection but have had no luck with the cleanup process. Perhaps they manually checked their computer’s DNS settings and didn’t see any malicious IP addresses, or they ran security scanning software and came up empty. The likely culprit, then, is that their routers were infected. PCMag’s Samara Lynn has put together a very simple guide to checking and fixing the home router to get back online.
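The manual check described above (look at the resolver addresses the machine is actually using and compare them with the published rogue ranges) can be scripted. The following is an added example written for this article, not code from PCMag, the DNS Changer Working Group, or Samara Lynn's guide. It parses the two places a home or small-business user would usually look (a Unix `/etc/resolv.conf` and the output of Windows `ipconfig /all`) and flags any resolver that falls inside a blocklist of CIDR ranges. The ranges in `ROGUE_RESOLVER_RANGES` are constructed placeholders drawn from the RFC 5737 documentation blocks; substitute the list published for the case you are checking against.

```python
"""Flag configured DNS resolvers that fall inside known-rogue address ranges.

Added example. The CIDR blocks in ROGUE_RESOLVER_RANGES are constructed
placeholders (RFC 5737 documentation networks), not the published DNS Changer
ranges; replace them with the real list before use.
"""
import ipaddress

# Constructed placeholder blocklist; a real run would load the published ranges.
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),     # TEST-NET-1, placeholder
    ipaddress.ip_network("198.51.100.0/24"),  # TEST-NET-2, placeholder
]


def _to_ip(value):
    """Parse a bare IPv4/IPv6 address, returning None for anything else."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def parse_resolv_conf(text):
    """Return resolver addresses from resolv.conf-style text (nameserver lines)."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            ip = _to_ip(parts[1])
            if ip is not None:
                servers.append(ip)
    return servers


def parse_ipconfig(text):
    """Return DNS server addresses from Windows `ipconfig /all`-style output.

    The "DNS Servers" label line carries the first address; any further
    addresses appear on indented continuation lines holding only an address.
    """
    servers = []
    in_dns_block = False
    for line in text.splitlines():
        if "DNS Servers" in line and ":" in line:
            in_dns_block = True
            ip = _to_ip(line.split(":", 1)[1])
            if ip is not None:
                servers.append(ip)
            continue
        if in_dns_block:
            ip = _to_ip(line)
            if ip is not None:          # continuation line with a bare address
                servers.append(ip)
                continue
            in_dns_block = False        # any other line ends the block
    return servers


def flag_rogue_resolvers(servers, rogue_ranges=ROGUE_RESOLVER_RANGES):
    """Return the configured resolvers that lie inside any rogue range."""
    return [ip for ip in servers if any(ip in net for net in rogue_ranges)]


# Constructed sample inputs; addresses are from the RFC 5737 documentation blocks.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP client
nameserver 192.0.2.10
nameserver 203.0.113.53
"""

SAMPLE_IPCONFIG = """\
   DHCP Server . . . . . . . . . . . : 203.0.113.1
   DNS Servers . . . . . . . . . . . : 198.51.100.20
                                       203.0.113.53
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for label, servers in (("resolv.conf", parse_resolv_conf(SAMPLE_RESOLV_CONF)),
                           ("ipconfig", parse_ipconfig(SAMPLE_IPCONFIG))):
        flagged = flag_rogue_resolvers(servers)
        print(f"{label}: resolvers={[str(s) for s in servers]} "
              f"flagged={[str(f) for f in flagged]}")
```

Because the script reads the resolvers the host is currently using rather than any setting stored on the host itself, a rogue address handed out by an infected router's DHCP service shows up here even when the computer's own configuration is clean, which is the case the paragraph above describes. A clean result from this check therefore rules out both the host and the router on that network.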
It’s also possible that the owners of these yet-to-be-cleaned-up computers don’t even know about these machines. Most infections began as a drive-by download, which seems to imply that most infected machines are end-user desktops, Dan Brown, director of security research at Bit9, told Security Watch.
But DNS Changer has been around for a few years, and some of these devices may have been infected one or two years ago, Gunter Ollmann, vice president of research at Damballa, told Security Watch. Those devices may be “no longer used today as they were then,” Ollmann said. These are machines that haven’t been updated recently and have not browsed to popular sites recently, and network administrators might not even know where the computers are physically located.
They will “only be noticed when they stop working for some reason,” Ollmann said.