
    No Web for Hundreds of Thousands on Monday

    Starting that day, computers still infected with the notorious DNSChanger malware will be unable to connect to websites.

    [Figure] Trouble spots: This map is a visualization of DNSChanger infection density by location, as of June 12.

    Hundreds of thousands of people are likely to be confused on Monday when they fire up their home or office computers and can’t connect to the Internet. Their network connections will be fine, but attempts to visit their favorite domains will be fruitless.

    These people will be the unfortunate leftover victims of the DNSChanger botnet. Between 2007 and October of last year, the DNSChanger virus infected four million computers in 100 countries, according to the FBI. Often without the victims’ knowledge, the computers were turned into drones that were instructed by rogue servers to visit websites and click on ads in a scheme to generate fraudulent advertising revenue.

    Last November, the FBI apprehended a group of Estonian nationals allegedly behind the plot and seized the botnet’s so-called command and control servers, which were located in New York and Chicago. But whereas past botnets have been disabled by eliminating such servers, the authorities couldn’t do that with DNSChanger: because of the particular way the DNSChanger virus did its damage, “that would have been the same as if the Internet was suddenly broken for millions of people,” says Dave Monnier, a fellow at Team Cymru, an independent group of computer security researchers.

    Once inside a system, the malware modifies the settings that tell the computer which domain name system (DNS) server to contact. DNS servers, many of which are owned and operated by Internet service providers, connect users who type in or click on domain names with the specific IP addresses corresponding to the destination sites. Computers infected with DNSChanger instead contacted DNS servers controlled by criminals, who had programmed them to send users to phony domains or replace legitimate display ads with shady ones.

    In one example, when users of infected computers typed in the domain name for iTunes, they were sent to a website for a business unaffiliated with Apple that claimed to sell Apple software. In another, users visiting Amazon.com were surreptitiously served an ad for an e-mail marketing service instead of the Windows Internet Explorer ad they should have seen. Through these and other similar schemes, the conspirators racked up page views and click-throughs to the tune of $14 million in advertising revenue, U.S. authorities allege.

    Rather than eliminating the DNS servers to which millions of computers were still connecting, federal agents replaced them with legitimate ones. That is no cure for the virus, but the replacements have sustained connectivity for infected machines and provided time for an industry consortium called the DNSChanger Working Group (which includes Monnier’s Team Cymru) to identify IP addresses from infected computers and attempt to notify their users. In March, a federal judge extended the notification period until July 9. (As of late June, more than 200,000 IP addresses were still affected, but since many devices can use the same IP address, the number of infected machines is probably much higher.)

    Removing the malware requires one of a specific set of software tools, which could be a headache to procure without an Internet connection come Monday. And yet it’s far from assured that all people whose computers are affected will find out before then. Specific IP addresses with infected computers can be tracked to the organizations or ISPs that own them, and the ISPs can then pass that information on to individual customers. But not all ISPs are “mature and capable” enough to do that, Monnier says. (You can check here to see whether your computer is looking up IP addresses correctly.)
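    The hijack described above works by swapping the resolver addresses a computer is configured to use, so the first check a defender runs is an audit of those settings. The following is an added example, not part of the original article or of any DNSChanger Working Group tool: it parses resolv.conf-style configuration and flags resolvers that fall in a suspect range or differ from the resolvers the ISP or organisation is expected to hand out. The suspect ranges and expected resolvers below are constructed placeholders (TEST-NET addresses), not the real ranges the FBI seized.

```python
import ipaddress
import re

# Constructed placeholder ranges (TEST-NET-2/3). A real deployment would
# substitute the published rogue-resolver ranges; they are not reproduced here.
SUSPECT_RESOLVER_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Constructed: resolvers the ISP or organisation legitimately hands out.
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)")


def parse_resolvers(resolv_conf: str) -> list[str]:
    """Return the nameserver addresses listed in resolv.conf-style text."""
    return [m.group(1) for line in resolv_conf.splitlines()
            if (m := NAMESERVER_RE.match(line))]


def classify_resolver(addr: str) -> str:
    """Classify one resolver: suspect, expected, unexpected or invalid."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"          # garbage in the config is itself a finding
    if any(ip in net for net in SUSPECT_RESOLVER_RANGES):
        return "suspect"          # points at a known-bad resolver range
    if str(ip) in EXPECTED_RESOLVERS:
        return "expected"
    return "unexpected"           # not malicious per se, but worth a look


def audit_resolvers(resolv_conf: str) -> dict[str, str]:
    """Map every configured resolver to its classification."""
    return {addr: classify_resolver(addr) for addr in parse_resolvers(resolv_conf)}


# Constructed sample: one legitimate resolver, one in a suspect range,
# one unknown, and one malformed entry.
SAMPLE_RESOLV_CONF = """\
# constructed sample resolv.conf
nameserver 192.0.2.53
nameserver 203.0.113.7
nameserver 192.0.2.99
nameserver not-an-ip
"""

if __name__ == "__main__":
    for addr, verdict in audit_resolvers(SAMPLE_RESOLV_CONF).items():
        print(f"{addr:16} {verdict}")
```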

    The list of affected computers includes machines in 12 percent of Fortune 500 companies and about 4 percent of “major” U.S. federal agencies, according to the security company Internet Identity, which is also part of the DNSChanger Working Group. Monnier warns that ISPs are going to get inundated with complaints Monday: “Call center phones could ring off the hook.”
