Hundreds of thousands of people are likely to be confused on Monday when they fire up their home or office computers and can’t connect to the Internet. Their network connections will be fine, but attempts to visit their favorite domains will be fruitless.
These people will be the unfortunate leftover victims of the DNSChanger botnet. Between 2007 and October of last year, the DNSChanger virus infected four million computers in 100 countries, according to the FBI. Often without the victims’ knowledge, the computers were turned into drones that were instructed by rogue servers to visit websites and click on ads in a scheme to generate fraudulent advertising revenue.
Last November, the FBI apprehended a group of Estonian nationals allegedly behind the plot and seized the botnet’s so-called command and control servers, which were located in New York and Chicago. But whereas past botnets have been disabled by eliminating such servers, the authorities couldn’t do that with DNSChanger: because of the particular way the DNSChanger virus did its damage, “that would have been the same as if the Internet was suddenly broken for millions of people,” says Dave Monnier, a fellow at Team Cymru, an independent group of computer security researchers.
Once inside a system, the malware modifies the settings that tell the computer which domain name system (DNS) server to contact. DNS servers, many of which are owned and operated by Internet service providers, translate the domain names users type in or click on into the IP addresses of the destination sites. Computers infected with DNSChanger instead sent their lookups to DNS servers controlled by criminals, who had programmed those servers to answer selected queries with addresses of their own choosing, steering users to phony domains or replacing legitimate display ads with shady ones. Because every application on the machine trusts whatever resolver the settings name, the redirection happens before the browser ever connects, and the address bar still shows the domain the user typed.
In one example, when users of infected computers typed in the domain name for iTunes, they were sent to a website for a business unaffiliated with Apple that claimed to sell Apple software. In another, users visiting Amazon.com were surreptitiously served an ad for an e-mail marketing service instead of the Windows Internet Explorer ad they should have seen. Through these and other similar schemes, the conspirators racked up page views and click-throughs to the tune of $14 million in advertising revenue, U.S. authorities allege.
Rather than eliminating the DNS servers to which millions of computers were still connecting, federal agents replaced them with legitimate ones. That is no cure for the virus: the infected machines still point at the same addresses, which are now answered by servers that resolve names honestly. But the replacements have sustained connectivity for infected machines and provided time for an industry consortium called the DNSChanger Working Group (which includes Monnier’s Team Cymru) to identify IP addresses from infected computers and attempt to notify their users. In March, a federal judge extended the notification period until July 9. (As of late June, more than 200,000 IP addresses were still affected, but since many devices can share the same IP address, the number of infected machines is probably much higher.)
Removing the malware requires one of a specific set of software tools, which could be a headache to procure without an Internet connection come Monday. And yet it’s far from assured that all people whose computers are affected will find out before then. Specific IP addresses with infected computers can be tracked to the organizations or ISPs that own them, and the ISPs can then pass that information on to individual customers. But not all ISPs are “mature and capable” enough to do that, Monnier says. (You can check here to see whether your computer is looking up IP addresses correctly.)
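The check described above amounts to asking one question: which resolver addresses has the operating system been told to use, and do any of them fall inside the ranges the rogue servers occupied? The script below, an added example that is neither the article's nor the DNSChanger Working Group's code, does that offline against two constructed samples, a Unix /etc/resolv.conf and an excerpt of Windows `ipconfig /all` output. The two rogue networks it carries are placeholders from RFC 5737 documentation space, not the ranges actually used by DNSChanger; a real run would substitute the ranges the authorities published, and the regular expressions assume the usual ipconfig layout of dotted padding and indented continuation lines.

```python
"""Flag DNS resolver settings that point into known-rogue address ranges.

Added example, not code from the article or the DNSChanger Working Group.
ROGUE_RANGES below are constructed placeholders drawn from RFC 5737
documentation space; a real check would load the ranges the authorities
published for DNSChanger in their place.
"""
import ipaddress
import re

ROGUE_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),  # placeholder, not a real rogue range
    ipaddress.ip_network("203.0.113.0/24"),   # placeholder, not a real rogue range
]

# Constructed sample: /etc/resolv.conf on a Unix host whose primary resolver
# was rewritten to a (placeholder) rogue address.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search example.net
nameserver 203.0.113.7
nameserver 192.0.2.53   # ISP resolver (placeholder)
options timeout:2
"""

# Constructed sample: excerpt of 'ipconfig /all' on a Windows host. The
# dotted padding and indented continuation lines follow the usual ipconfig
# layout, which this parser assumes.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.net
   IPv4 Address. . . . . . . . . . . : 192.0.2.10
   Default Gateway . . . . . . . . . : 192.0.2.1
   DNS Servers . . . . . . . . . . . : 198.51.100.12
                                       192.0.2.53
"""

_UNIX_NS = re.compile(r"^\s*nameserver\s+(\S+)")
_WIN_DNS = re.compile(r"DNS Servers[ .]*:\s*(\S+)")
_WIN_CONT = re.compile(r"^\s{20,}(\S+)\s*$")   # indented continuation under 'DNS Servers'


def _add(found, token):
    """Append token to found if it parses as an IP address and is not a duplicate."""
    try:
        ip = ipaddress.ip_address(token)
    except ValueError:
        return
    if ip not in found:
        found.append(ip)


def parse_resolvers(text):
    """Extract resolver addresses from resolv.conf or 'ipconfig /all' text."""
    found = []
    in_dns_block = False   # True while reading continuation lines of 'DNS Servers'
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop resolv.conf comments
        m = _UNIX_NS.match(line)
        if m:
            _add(found, m.group(1))
            in_dns_block = False
            continue
        m = _WIN_DNS.search(line)
        if m:
            _add(found, m.group(1))
            in_dns_block = True
            continue
        m = _WIN_CONT.match(line) if in_dns_block else None
        if m:
            _add(found, m.group(1))
            continue
        in_dns_block = False
    return found


def check_resolvers(text, rogue=ROGUE_RANGES):
    """Report which configured resolvers fall inside a rogue range."""
    resolvers = parse_resolvers(text)
    hits = [ip for ip in resolvers if any(ip in net for net in rogue)]
    return {
        "resolvers": [str(ip) for ip in resolvers],
        "rogue": [str(ip) for ip in hits],
        "infected": bool(hits),
    }


if __name__ == "__main__":
    for label, sample in (("resolv.conf", SAMPLE_RESOLV_CONF),
                          ("ipconfig", SAMPLE_IPCONFIG)):
        print(label, check_resolvers(sample))
```

A host whose settings name even one rogue resolver is flagged, because resolvers are tried in order and the first one answers. The check only covers the machine's own configuration; a resolver address handed out by a router or DHCP server is what ends up in these files, so the same test should be run on whatever the router reports as its upstream DNS.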
The list of affected computers includes machines in 12 percent of Fortune 500 companies and about 4 percent of “major” U.S. federal agencies, according to the security company Internet Identity, which is also part of the DNSChanger Working Group. Monnier warns that ISPs are going to get inundated with complaints Monday: “Call center phones could ring off the hook.”