DNSChanger Malware: What's Next?
The Federal Bureau of Investigation estimates around 64,000 computers in the U.S. infected with the DNSChanger Trojan may have Internet connectivity problems Monday. This particularly nasty piece of malware first surfaced in 2007 and is able to reroute a PC's Web traffic without knowledge of the user. DNSChanger achieved this by manipulating the Domain Name System (DNS) routing service for infected computers.
The FBI in late 2011 along with other law enforcement agencies brought down the Estonia-based criminal ring responsible for DNSChanger. Ever since, the federal agency has been helping to facilitate normal Web traffic behavior for infected PCs.
That ends Monday, however, with the Internet Systems Consortium set to shut down the Domain Name System servers supporting machines infected with DNSChanger. As a result, affected machines will be cut off from their DNS provider. Those PCs will look like they are having problems getting onto the Web even with a normal Internet connection.
AT&T, Comcast, and Verizon Respond
So what do those approximately 64,000 U.S. computers still infected with DNSChanger do now? PCWorld spoke with representatives from AT&T, Comcast, and Verizon, three of the largest Internet Service Provider's in the U.S., and it looks like some people may not have to do anything at all right away.
AT&T told PCWorld it plans to continue handling DNS rerouting for infected computers until the end of the year. “That gives adequate time for these customers to remove it from their computers and avoid service interruption,” AT&T spokesperson Mark Siegel told PCWorld.
Verizon said any of its infected broadband customers would be covered with DNS services until the end of July. Company spokesperson John Bonomo said Verizon would continue to contact its infected customers to help them remove DNSChanger from their computers.
Comcast's Xfinity broadband users won't have the luxury of DNS redirection if they're infected. Instead, the company plans to work with all affected users to help restore Internet connectivity and remove DNSChanger from their systems, Comcast spokesperson Charlie Douglas told PCWorld.
All three companies say the number of customers currently affected by DNSChanger support is very small.
What Is DNS?
DNS servers are basically directories for every Web site and Internet connection in the world. When you enter a URL such as CNN.com into your browser, a DNS server directs your PC to CNN's Internet Protocol address, 126.96.36.199. Those machine readable numbers are what computers use to navigate the Internet. If you entered the IP above into your browser's address bar you would connect to CNN.com. That's a great trick, but obviously those large numbers are far less memorable for most people than a regular “dot com” address, thus the need for DNS rerouting.
As its name suggests, DNSChanger was able to change the DNS settings on a computer and put those PCs and how they navigate the Web under the control of the criminal gang. The FBI says the Estonia-based group used DNSChanger to replace legitimate Web advertising with their own, reaping at least $14 million in ill-gotten gains in the process.