CYBEREYE

Hundreds of thousands at risk as DNSChanger deadline looms

It has been said before, but apparently it still needs to be said: You have until July 9 to make sure your computer is not infected with DNSChanger or you risk losing your access to the Internet.

July 9 is the date that the temporary clean DNS servers being used by infected machines will go offline. If the malware continues to direct your Internet requests to these servers for resolution after that date — and recent figures from the DNSChanger Working Group and others show that hundreds of thousands of machines still do — chances are you will find you can’t go anywhere.

There are workarounds for the problem of Internet access. Some Internet service providers are internally redirecting DNS queries away from the temporary servers, so their customers probably won’t see a blackout (as long as the redirection continues).




But this does not solve an underlying problem. If you remain infected with the malware, it probably has disabled antivirus protection and automatic software updates on your computer, leaving it vulnerable to other attacks and exploits.

DNSChanger is malware that allowed criminals to hijack Web traffic by directing DNS requests to their own servers for resolution. Discovered in 2006, it eventually infected more than 4 million computers and routers before the FBI shut down 100 command and control servers in a U.S. data center in November. The FBI obtained a court order allowing Internet Systems Consortium to operate temporary clean DNS servers at the gang’s IP addresses for 120 days. The deadline was then extended to July 9 to give more time to clean up the infections. No further extensions are expected.

The latest figures from the working group show that more than 300,000 unique IP addresses still were communicating with the temporary ISC servers on June 11. The overwhelming majority of those addresses, nearly 70,000, were in the United States. Italy came in a distant second with 26,494.

The security firm Internet Identity (IID) reported June 28 that it found that 12 percent of Fortune 500 companies remained infected, as well as two federal agencies (the company did not identify the agencies or companies). That is down slightly from February figures, but with little more than a week to go it is not good enough.

If you think you might be infected or don’t know, the Working Group's site is a good place to start. It offers a test to see if your traffic is being redirected to one of the temporary addresses, which is a sign of infection. It also offers advice on cleaning it up, which unfortunately is not necessarily simple.

“Initially, the only way researchers could ensure that a machine was fixed was to reformat the hard drive and reinstall the operating system from scratch,” according to the working group. “The malware affected the boot blocks on the hard disk of the computer, so even if people just reverted their operating system to a prior backup, the malware could reclaim the PC.”

But things have improved. “Later on, several anti-malware software companies came up with fixes that removed software correctly,” the group said.

If you are infected, you will be forced by July 9 to address the issue. You might as well take advantage of the next week to check out your system so you can do it on your own schedule rather than being forced into a crisis situation.

The working group offers one piece of advice that no doubt warms the heart of computer and software vendors: “If you were already thinking of upgrading to a new computer, now may be a good time to make the switch.”
