On 9 July, possibly hundreds of thousands of people around the world may find that they will no longer be able to connect to the Internet. For on that day, the U.S. Federal Bureau of Investigation (FBI) plans to shut down a network of more than 100 rogue Domain Name System (DNS) servers that it seized last November during an operation against a group of primarily Estonian cyber criminals. The cyber criminals had set up what the U.S. Department of Justice (DOJ) calls a “sophisticated scheme” that allegedly infected over four million computers in 100 countries (a million in the United States alone) with malware that hijacked their users’ Internet searches and re-routed their computers to certain websites and advertisements.
Last week, the first of the alleged cyber criminals was extradited from Estonia to New York City to face charges in the U.S. District Court for the Southern District of New York. The press release on the indictment states that from 2007 until October 2011, six Estonians and one Russian:
“… controlled and operated various companies that masqueraded as legitimate publisher networks in the Internet advertising industry. [They] then entered into agreements with ad brokers under which they were paid based on the number of times that Internet users clicked on the links for certain websites or advertisements, or based on the number of times that certain advertisements were displayed on certain websites. Thus, the more traffic that went to the advertisers’ websites and display ads, the more money the defendants earned under their agreements with the ad brokers. The defendants fraudulently increased the traffic to the websites and advertisements that would earn them money and made it appear to advertisers that the Internet traffic came from legitimate clicks and ad displays on the defendants’ [publisher network] when, in actuality, it had not.”
“To carry out the scheme, the defendants and their co-conspirators used what are known as ‘rogue’ Domain Name System (“DNS”) servers, and malware … that was designed to alter the DNS server settings on infected computers. Victims’ computers became infected with the [DNS Changer] malware when they visited certain websites or downloaded certain software to view videos online. The malware altered the DNS server settings on victims’ computers to route the infected computers to rogue DNS servers controlled and operated by the defendants and their co-conspirators. The re-routing took two forms: ‘click hijacking’ and ‘advertising replacement fraud.’ The malware also prevented the infected computers from receiving anti-virus software updates or operating system updates that otherwise might have detected the malware and stopped it. In addition, the infected computers were also left vulnerable to infections by other viruses.”
In November, the DOJ and the FBI (along with a number of IT security experts and companies) in cooperation with the Estonian government were granted a court order to shut down the operation, arrest the defendants, and seize the rogue DNS servers hosted at U.S. data centers. The original plan was to shut the servers down very quickly, but doing so might mean disconnecting some four million people from the Internet.
The Federal authorities decided to keep the servers running until March 2012 in order to allow time for victims to be notified, after which the FBI would shut down the servers for good. However, a federal court extended the date until 9 July because the FBI and others were worried that, while a large number of the infected computers had been disinfected, hundreds of thousands of computers, personal machines as well as those in corporations and at government agencies, were still infected with the DNS Changer malware.
So, in conjunction with the extradition proceedings, the FBI began a new media campaign to warn potential victims of the DNS Changer malware that on 9 July the servers would be shut down permanently. If a person’s PC is still infected with the malware, they will not be able to connect to the Internet unless the malware is removed.
[Update - I should have noted that a person can still connect to the Internet, but they will have to change their DNS configuration manually.]
There is a DNS Changer Working Group (DCWG) site that has been set up in cooperation with the FBI where you can learn more about the malware as well as check to see whether your computer is infected and what you can do about it. There are also several other sites such as http://dns-ok.us/ that can also tell you immediately if you are infected. The former site was set up by Andrew Fried and Paul Vixie, who helped with the FBI’s investigation. You can read Vixie’s account of his involvement in this story at CircleID.
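The online checkers work by looking at which resolver your query arrives from. The same check can be done locally by comparing the DNS servers a machine is configured to use against the address blocks the rogue servers sat in. The script below is an added example, not code from the article, the DCWG or the FBI: it parses the resolver settings from either a Unix `resolv.conf` or the `DNS Servers` lines of Windows `ipconfig /all` output and flags any resolver inside a "rogue" range. The ranges and the two configuration samples are constructed placeholders (RFC 5737 test networks), not the real DNSChanger address blocks, which you would take from the DCWG's published list.

```python
import ipaddress
import re

# Constructed placeholder ranges standing in for the rogue-resolver address
# blocks the DCWG published. They are RFC 5737 test networks, NOT the real
# DNSChanger ranges; substitute the published list before using this for real.
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_nameservers(config_text):
    """Pull resolver addresses out of either a resolv.conf ('nameserver X')
    or the 'DNS Servers' block of Windows 'ipconfig /all' output, where
    additional servers appear on indented continuation lines."""
    servers = []
    in_dns_block = False
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("nameserver"):          # resolv.conf entry
            parts = stripped.split()
            if len(parts) >= 2:
                servers.append(parts[1])
            in_dns_block = False
        elif "DNS Servers" in stripped:                # ipconfig /all header line
            servers.extend(IPV4.findall(stripped))
            in_dns_block = True
        elif in_dns_block and IPV4.fullmatch(stripped):
            servers.append(stripped)                   # continuation line
        else:
            in_dns_block = False
    return servers


def classify_resolvers(config_text, rogue_ranges=ROGUE_RESOLVER_RANGES):
    """Return (rogue, clean): resolver addresses inside a rogue range and
    those outside it. Unparsable entries are skipped."""
    rogue, clean = [], []
    for addr_text in extract_nameservers(config_text):
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            continue
        if any(addr in net for net in rogue_ranges):
            rogue.append(str(addr))
        else:
            clean.append(str(addr))
    return rogue, clean


def is_infected(config_text):
    """True if any configured resolver falls in a rogue range. A hit means
    the machine needs the malware removed and its DNS settings reset to the
    ISP- or DHCP-provided resolvers; this check only reports, it does not fix."""
    return bool(classify_resolvers(config_text)[0])


# Constructed sample inputs (not captured from a real machine).
SAMPLE_RESOLV_CONF = """# constructed sample resolv.conf
nameserver 203.0.113.77
nameserver 8.8.8.8
search example.invalid
"""

SAMPLE_IPCONFIG = """Windows IP Configuration (constructed sample)

Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 192.168.1.20
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       1.1.1.1
"""

if __name__ == "__main__":
    for label, text in (("resolv.conf", SAMPLE_RESOLV_CONF),
                        ("ipconfig", SAMPLE_IPCONFIG)):
        rogue, clean = classify_resolvers(text)
        verdict = "INFECTED" if rogue else "clean"
        print(f"{label}: {verdict}; rogue={rogue} clean={clean}")
```

On a real machine you would feed it the contents of `/etc/resolv.conf` or the output of `ipconfig /all` and replace the placeholder ranges with the DCWG's list. Note that a clean local result does not rule out a hijacked resolver on a home router, which is why the web-based checks that observe the query's source are still worth running.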
I checked my family’s PCs even though I am fairly paranoid about IT security and they came up as being clean. It only takes a few seconds, so there is no excuse for not doing so. Peace of mind is a nice thing to have and it is only a click away.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.