
No Web for Hundreds of Thousands on Monday

Starting that day, computers still infected with the notorious DNSChanger malware will be unable to connect to websites.

Hundreds of thousands of people are likely to be confused on Monday when they fire up their home or office computers and can’t connect to the Internet. Their network connections will be fine, but attempts to visit their favorite domains will be fruitless.

These people will be the unfortunate leftover victims of the DNSChanger botnet. Between 2007 and October of last year, the DNSChanger virus infected four million computers in 100 countries, according to the FBI. Often without the victims’ knowledge, the computers were turned into drones that were instructed by rogue servers to visit websites and click on ads in a scheme to generate fraudulent advertising revenue.

Last November, the FBI apprehended a group of Estonian nationals allegedly behind the plot and seized the botnet’s so-called command and control servers, which were located in New York and Chicago. But whereas past botnets have been disabled by eliminating such servers, the authorities couldn’t do that with DNSChanger: because of the particular way the DNSChanger virus did its damage, “that would have been the same as if the Internet was suddenly broken for millions of people,” says Dave Monnier, a fellow at Team Cymru, an independent group of computer security researchers.

Once inside a system, the malware modifies the settings that tell the computer which domain name system (DNS) server to contact. DNS servers, many of which are owned and operated by Internet service providers, connect users who type in or click on domain names with the specific IP addresses corresponding to the destination sites. Computers infected with DNSChanger instead contacted DNS servers controlled by criminals, who had programmed them to send users to phony domains or replace legitimate display ads with shady ones.

In one example, when users of infected computers typed in the domain name for iTunes, they were sent to a website for a business unaffiliated with Apple that claimed to sell Apple software. In another, users visiting Amazon.com were surreptitiously served an ad for an e-mail marketing service instead of the Windows Internet Explorer ad they should have seen. Through these and other similar schemes, the conspirators racked up page views and click-throughs to the tune of $14 million in advertising revenue, U.S. authorities allege.

Rather than eliminating the DNS servers to which millions of computers were still connecting, federal agents replaced them with legitimate ones. That is no cure for the virus, but the replacements have sustained connectivity for infected machines and provided time for an industry consortium called the DNSChanger Working Group (which includes Monnier’s Team Cymru) to identify IP addresses from infected computers and attempt to notify their users. In March, a federal judge extended the notification period until July 9. (As of late June, more than 200,000 IP addresses were still affected, but since many devices can use the same IP address, the number of infected machines is probably much higher.)

Removing the malware requires one of a specific set of software tools, which could be a headache to procure without an Internet connection come Monday. And yet it’s far from assured that all people whose computers are affected will find out before then. Specific IP addresses with infected computers can be tracked to the organizations or ISPs that own them, and the ISPs can then pass that information on to individual customers. But not all ISPs are “mature and capable” enough to do that, Monnier says. (You can check here to see whether your computer is looking up IP addresses correctly.)
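A local version of that check, as an added example that is not part of the original article: it reads a resolv.conf-style resolver list and flags any nameserver that falls inside a supplied list of rogue ranges, which is the setting the malware is described as changing. The ranges and the sample file below are constructed placeholders (RFC 5737 documentation networks), and the function names are hypothetical; substitute the ranges published by the investigators.

```python
import ipaddress

# Placeholder ranges, constructed for this example (RFC 5737 documentation
# networks). Replace with the published rogue-resolver ranges.
ROGUE_RANGES = [ipaddress.ip_network(n)
                for n in ("192.0.2.0/24", "198.51.100.0/25")]

# Constructed sample of a resolv.conf-style file from an affected host.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP client
search example.internal
nameserver 198.51.100.17
nameserver 10.0.0.1   # local router
nameserver not-an-ip
"""

def configured_resolvers(text):
    """Yield (line_no, address) for each parseable 'nameserver' entry."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        # Drop comments, then split into keyword and value.
        parts = raw.split("#", 1)[0].split(";", 1)[0].split()
        if len(parts) < 2 or parts[0] != "nameserver":
            continue
        try:
            # Strip an IPv6 zone id such as fe80::1%eth0 before parsing.
            yield line_no, ipaddress.ip_address(parts[1].split("%")[0])
        except ValueError:
            continue  # malformed address: nothing to compare

def audit_resolvers(text, rogue_ranges=ROGUE_RANGES):
    """Return one finding per resolver; rogue_range is None when clean."""
    findings = []
    for line_no, addr in configured_resolvers(text):
        hit = next((net for net in rogue_ranges
                    if addr.version == net.version and addr in net), None)
        findings.append({"line": line_no, "resolver": str(addr),
                         "rogue_range": str(hit) if hit else None})
    return findings

if __name__ == "__main__":
    for f in audit_resolvers(SAMPLE_RESOLV_CONF):
        status = "ROGUE " + f["rogue_range"] if f["rogue_range"] else "ok"
        print(f"line {f['line']}: {f['resolver']} -> {status}")
```
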

The list of affected computers includes machines in 12 percent of Fortune 500 companies and about 4 percent of “major” U.S. federal agencies, according to the security company Internet Identity, which is also part of the DNSChanger Working Group. Monnier warns that ISPs are going to get inundated with complaints Monday: “Call center phones could ring off the hook.”
