Thousands of computer owners may find it impossible to reach the Internet on Monday despite an unprecedented campaign by a coalition of tech security groups and the online giants Google (GOOG) and Facebook, which have sought to warn people about the malicious software known as DNSChanger.
It’s unclear how many computers are still infected with the software. But experts believe the extraordinary outreach by law enforcement, computer security experts and big Internet companies has whittled the number down from more than 500,000 to fewer than 70,000 in the United States since the FBI busted the East European crooks behind the malware scheme last fall.
Because some users still don’t know their computers have the malware, experts are urging people to run a diagnostic test offered by several legitimate security sites before Monday.
That’s when authorities plan to shut down a temporary server network, operated under an unusual arrangement between federal authorities and a nonprofit group, that allowed infected machines to continue visiting the Internet after the FBI broke up a crooked advertising operation that was hijacking those computers and sending them to bogus or unauthorized websites.
Experts say the outreach campaign has already produced valuable experience and data that may help in the continuing battle against new malware schemes.
Google and Facebook each used different technical methods of determining which users might have the DNSChanger infection, according to security consultant Barry Greene, a member of the public-private working group that’s been tackling the problem.
While Google has alerted users to a potential malware threat once before, Greene said he wasn’t aware that Facebook had ever done so. Google began showing notices to affected users in May; Facebook followed suit last month.
Although neither company was apparently affected directly by the malware, both depend on advertising for revenue and have an interest in combating crooked ad schemes.
In this case, the malware worked by tampering with the settings a computer uses to reach the Internet’s Domain Name System, which converts user-friendly website names (such as www.fbi.gov) into the numeric addresses that computers need to connect with those sites. When victims unwittingly downloaded the DNSChanger program, authorities said, the malware changed their computers’ DNS settings so that every name lookup went to rogue servers controlled by a ring of cyberthieves.
Those servers would then send the victims to other rogue sites: For example, a user who tried to visit legitimate sites run by Apple (AAPL) or Netflix (NFLX) would be taken to sites that sold unauthorized products. Other times, users were sent to legitimate sites but were shown ads on those sites from businesses that had not paid to be legitimate sponsors.
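What the diagnostic tests mentioned above are looking for is a computer whose resolver settings point at one of the gang’s servers. The script below is an added illustration, not code from this article, the FBI or any of the security sites it mentions: it parses a resolv.conf-style resolver configuration (the sample text is constructed, not captured from a real machine) and flags any nameserver that falls inside the address ranges the FBI published for the DNSChanger servers. Those ranges are reproduced here from memory of that advisory and should be verified against the original before being relied on; the function and variable names are the example’s own.

```python
"""Flag resolver settings that point at known-rogue DNS servers.

Added example; not part of the original article or any vendor's tool.
"""
import ipaddress

# Address ranges the FBI published for the DNSChanger rogue resolvers,
# as (first, last) pairs. Reproduced from memory of that advisory;
# verify against the original before relying on them.
ROGUE_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]


def ranges_to_networks(ranges):
    """Expand (first, last) address pairs into CIDR network objects."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets


ROGUE_NETWORKS = ranges_to_networks(ROGUE_RANGES)


def is_rogue(addr):
    """True if addr (string or ip_address) lies in a rogue range.

    IPv6 addresses never match the IPv4 ranges; membership tests across
    versions simply return False, so no special-casing is needed.
    """
    addr = ipaddress.ip_address(addr)
    return any(addr in net for net in ROGUE_NETWORKS)


def parse_resolvers(resolv_conf_text):
    """Return the nameserver addresses from resolv.conf-style text.

    Comments (# or ;) and lines that are not valid 'nameserver <ip>'
    entries are skipped rather than treated as errors.
    """
    servers = []
    for line in resolv_conf_text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # malformed address; ignore it
    return servers


def check_resolvers(resolv_conf_text):
    """Split configured resolvers into (clean, rogue) lists of strings."""
    clean, rogue = [], []
    for server in parse_resolvers(resolv_conf_text):
        (rogue if is_rogue(server) else clean).append(str(server))
    return clean, rogue


# Constructed sample configuration (hypothetical, not from a real host):
# one resolver inside a rogue range, a home router, and an IPv6 resolver.
SAMPLE_RESOLV_CONF = """\
# constructed sample resolv.conf
nameserver 85.255.112.36   # inside a rogue range
nameserver 192.168.1.1
nameserver fe80::1
search example.test
"""

if __name__ == "__main__":
    clean, rogue = check_resolvers(SAMPLE_RESOLV_CONF)
    print("clean resolvers:", clean)
    print("rogue resolvers:", rogue)
    if rogue:
        print("Resolver settings point at a DNSChanger address range; "
              "the machine's DNS configuration has been altered.")
```

On Windows, where most DNSChanger infections were, the equivalent check reads the NameServer value of each network interface (and, for the router variants the malware also targeted, the router’s own DNS settings) rather than a resolv.conf file; the range comparison is the same.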
After the FBI broke up the ring, authorities realized the malware on victims’ computers would continue sending them to the rogue servers — or it would send them nowhere, if the rogue servers were shut down. So the government hired the nonprofit Internet Systems Consortium to operate replacement servers on a temporary contract, to give victims time to disinfect their computers.
An initial contract for three months was extended this spring, but officials said they never intended the replacement servers to be a permanent solution.
Authorities initially estimated that DNSChanger had hijacked 4 million computers around the world, after users visited infected websites or downloaded a program they thought would let them view online videos. That included 500,000 computers in this country, belonging to individuals, corporations and even government agencies such as NASA.
Those numbers have been trimmed in recent months. Using data from the rogue servers, the Internet Systems Consortium notified service providers if their customers appeared to be using infected equipment. A Comcast spokesman said his company used both electronic messages and old-fashioned written letters to alert affected customers.
Google, meanwhile, made arrangements with the consortium so that any infected computer that tried to do a Google search would be routed to a special Google address, where its user would see a warning about the malware.
Experts said many of the remaining infected machines may no longer be in use. But at least some users may find themselves unable to access websites, email or other Internet services Monday, said Dave Marcus at McAfee, the Intel (INTC)-owned computer security provider.
Contact Brandon Bailey at 408-920-5022; follow him at Twitter.com/BrandonBailey.