DNSChanger shutdown could knock thousands offline

The FBI's shutdown of Rove Digital servers, which host clean replacements for fraudulent DNS records, could leave hundreds of thousands of people unable to connect to the internet

Thousands of people could be knocked offline on Monday, when the FBI plans to turn off a group of servers fielding queries from computers infected with the DNSChanger malware.

The Rove Digital group of cybercriminals, arrested in November, set up servers hosting fraudulent DNS records that delivered fake, malicious URLs to people accessing the internet using computers infected by the DNSChanger clickjacker.

The FBI has published guidance on DNS malware. Image credit: FBI

In March, the Internet Systems Consortium replaced the fraudulent servers with clean DNS records under a court order obtained by the FBI. These servers were kept online for months to give people time to deal with the virus.

The DNSChanger malware forced infected computers and routers to obtain URLs from the fraudulent DNS records. Shutting down the replacement DNS records means infected computers cannot obtain web addresses.

As of Monday, people who have not taken action to remove the malware from their computers will not be able to access the internet, as their computer will have no DNS records to refer to.

The FBI estimates that a four million-strong botnet was created using DNSChanger, which is downloaded to a victim's computer when they click on a malicious video or ad. The clickjacking software has been circulating on the internet for years.

Even as late as May, more than half a million computers or routers were still infected with the malware, moving Google to start warning infected users who accessed its homepage.

Google's push appears to have helped. However, as of 11 June, there were 19,589 infected IP addresses in the UK — one infection for every 3,177 people, putting the UK in fourth place worldwide, according to data from the DNS Changer Working Group. The US ranked at number one with 69,517 infections, or one for every 4,482 people.

DNSChanger victims will need to call in a computer security expert to expunge the virus from their router and/or computer, and then get new DNS records assigned, according to the FBI (PDF).

However, there is a glimmer of light for victims. On Thursday, security provider McAfee said it is releasing a free tool on its website to provide a workaround for infected computers. The move is expected to be followed by a number of companies, many of which already provide free tools to check if your computer is affected.