DNSChanger shutdown could knock thousands offline

DNSChanger shutdown could knock thousands offline

Summary: The FBI's shutdown of Rove Digital servers, which host clean replacements for fraudulent DNS records, could leave hundreds of thousands of people unable to connect to the internet

TOPICS: Security

Thousands of people could be knocked offline on Monday, when the FBI plans to turn off a group of servers fielding queries from computers infected with the DNSChanger malware.

The Rove Digital group of cybercriminals, arrested in November, set up servers hosting fraudulent DNS records that delivered fake, malicious URLs to people accessing the internet using computers infected by the DNSChanger clickjacker.

DNS malware guide
The FBI has published guidance on DNS malware. Image credit: FBI
In March, the Internet Systems Consortium replaced the fraudulent servers with clean DNS records under a court order obtained by the FBI. These servers were kept online for months to give people time to deal with the virus.

The DNSChanger malware forced infected computers and routers to obtain URLs from the fraudulent DNS records. Shutting down the replacement DNS records means infected computers cannot obtain web addresses.

As of Monday, people who have not taken action to remove the malware from their computers will not be able to access the internet, as their computer will have no DNS records to refer to.

The FBI estimates that a four million-strong botnet was created using DNSChanger, which is downloaded to a victim's computer when they click on a malicious video or ad. The clickjacking software has been circulating on the internet for years.

Even as late as May, more than half a million computers or routers were still infected with the malware, moving Google to start warning infected users who accessed its homepage.

Google's push appears to have helped. However, as of 11 June, there were 19,589 infected IP addresses in the UK — one infection for every 3,177 people, putting the UK in fourth place worldwide, according to data from the DNS Changer Working Group. The US ranked at number one with 69,517 infections, or one for every 4,482 people.

DNSChanger victims will need to call in a computer security expert to expunge the virus from their router and/or computer, and then get new DNS records assigned, according to the FBI (PDF).

However, there is a glimmer of light for victims. On Thursday, security provider McAfee said it is releasing a free tool on its website to provide a workaround for infected computers. The move is expected to be followed by number of companies, many of which already provide free tools to check if your computer is affected.

Topic: Security

Jack Clark

About Jack Clark

Currently a reporter for ZDNet UK, I previously worked as a technology researcher and reporter for a London-based news agency.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • You say that like it's a bad thing

    Sometimes it takes something drastic like being knocked off the internet to get some people to fix their computers.
    Michael Kelly
  • Not possible to know actual numbers of infected - shared IP addresses.

    Another case of Microsoft getting someone else to clean up their security messes, with people thinking it's the normal thing to do. Who takes on the financial liability for the hacked accounts?
  • Its funny how the title of the article acts like its a bad thing

    Malware is on all those machines, they should have expunged it a long time ago. Instead they have done nothing and now they will pay the price.
  • FBI shouldn't have put up temp DNS.

    The FBI should never have put up temporary servers, to clean up after the malware. Yes, there would have been many, many inconvenienced internet users. But to draw an analogy, If my car has a recall, is it the job of the feds to give me a loaner car ? No. If they had not put up the temporary servers. everybody would have had their systems fixed and cleaned LONG ago.
    Irwin Busk