Tens of thousands of U.S. internet users could be left in the digital dark on Monday when the FBI pulls the plug on domains related to the DNSChanger malware.
Computers belonging to an estimated 64,000 users in the United States, and an additional 200,000 users outside the United States, are still infected with the malware, despite repeated warnings in the news, e-mail messages sent by ISPs and alerts posted by Google and Facebook.
The DNSChanger malware, which infected more than half a million machines worldwide at the height of its activity, redirected a victim’s web browser to sites designated by the attackers, allowing them to earn more than $14 million in affiliate and referral fees.
In addition to redirecting the browsers of infected users, the malware also prevents infected machines from downloading operating system and antivirus security updates that could detect the malware and stop it from operating. When an infected user’s machine tries to access a software update page, a pop-up message says the site is currently unavailable.
Last November, federal authorities charged seven Eastern European men with running the clickjacking operation. The FBI also seized control of about 100 of the attackers’ command-and-control servers used in the operation.
But before shuttering the domains, agents realized that infected machines would not be able to browse the internet, since their web requests would go to dead addresses that once hosted the seized servers. So the FBI obtained a court order allowing the agency to contract with the Internet Systems Consortium, a private firm, to install two servers to handle requests from infected machines, so that browsers would be redirected to the proper sites until users had a chance to delete the malware from their machines. The ISC was also allowed to collect IP addresses that contacted its replacement servers in order to allow authorities to notify the owners of the machines or their ISPs that their machines were infected.
But the FBI intends to pull the plug on ISC’s replacement servers on July 9, meaning that anyone whose machine is still infected with the malware will have trouble reaching websites they want to visit.
About 58 of the Fortune 500 companies and two government agencies are among those that own at least one computer or router that is still infected with DNSChanger, according to Internet Identity.
The DNSChanger Working Group has set up a website to allow users to determine if their machines are infected. Anyone who visits the site and sees a green background on the graphic displayed at the site is not infected with the malware. Those who are infected will see a red background. The group has published an FAQ for those who find that their machine may be infected.
The clickjacking scheme began in 2007 and involved six Estonians and one Russian who allegedly used multiple front companies to operate the scam, which included a bogus internet advertising agency, according to court documents.
The bogus agency contracted with online advertisers who would pay a small commission to the suspects each time users clicked on their ads, or landed on their website.
To optimize the payback opportunities, the suspects then infected computers with the DNSChanger malware to ensure that users would visit the sites of their online advertising partners. The malware altered the DNS server settings on infected machines to direct victims’ browsers to sites that paid a fee to the defendants.
For example, if an infected user searching for Apple’s iTunes store clicked on a link to the Apple store, their browser would be directed instead to www.idownload-store-music.com, a site purporting to sell Apple software. Users trying to access the government’s Internal Revenue Service site were redirected to a website for H & R Block, a top tax preparation business in the United States.
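The mechanism described above, altered resolver settings that send every lookup to attacker-run DNS servers, can be audited from the host's own configuration rather than from a web-based check. The following Python script is an added example, not code from the article or from the DNSChanger Working Group: it extracts the configured resolvers from a Unix `resolv.conf` or a Windows `ipconfig /all` listing and flags any that fall inside a list of rogue CIDR blocks. The two blocks in `ROGUE_RESOLVER_RANGES` are RFC 5737 documentation networks used as placeholders; a real audit would substitute the rogue-resolver ranges the Working Group published. Both sample inputs are constructed.

```python
import ipaddress
import re

# Placeholder resolver ranges (assumption). Substitute the rogue-resolver
# CIDR blocks published by the DNSChanger Working Group; the two blocks
# below are RFC 5737 documentation networks, used here only so the
# example runs offline.
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

_NAMESERVER_LINE = re.compile(r"^nameserver\s+(\S+)")          # resolv.conf
_WINDOWS_DNS_LINE = re.compile(r"^DNS Servers[\s.]*:\s*(\S+)")  # ipconfig /all
_BARE_ADDRESS = re.compile(r"^[0-9A-Fa-f.:]+$")


def extract_resolvers(text):
    """Return the resolver IPs configured in resolv.conf or ipconfig /all text.

    Tokens that are not valid IP addresses are skipped rather than raising.
    """
    candidates = []
    in_windows_block = False  # inside the indented continuation of "DNS Servers"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            in_windows_block = False
            continue
        m = _NAMESERVER_LINE.match(line)
        if m:
            candidates.append(m.group(1))
            in_windows_block = False
            continue
        m = _WINDOWS_DNS_LINE.match(line)
        if m:
            candidates.append(m.group(1))
            in_windows_block = True
            continue
        # ipconfig lists additional servers on indented lines holding only an address
        if in_windows_block and raw.startswith(" ") and _BARE_ADDRESS.match(line):
            candidates.append(line)
            continue
        in_windows_block = False

    resolvers = []
    for value in candidates:
        try:
            resolvers.append(ipaddress.ip_address(value))
        except ValueError:
            continue
    return resolvers


def find_rogue_resolvers(resolvers, rogue_ranges=ROGUE_RESOLVER_RANGES):
    """Return (resolver, matching_range) pairs for resolvers inside a rogue block."""
    hits = []
    for ip in resolvers:
        for net in rogue_ranges:
            if ip.version == net.version and ip in net:
                hits.append((str(ip), str(net)))
                break
    return hits


def audit(text):
    """Parse resolver config text and report which resolvers are in rogue ranges."""
    resolvers = extract_resolvers(text)
    return {
        "resolvers": [str(ip) for ip in resolvers],
        "rogue": find_rogue_resolvers(resolvers),
    }


# Constructed sample inputs; neither comes from a real machine.
SAMPLE_RESOLV_CONF = """\
# constructed sample resolv.conf
nameserver 203.0.113.45
nameserver 192.0.2.1
search example.test
"""

SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : example.test
   IPv4 Address. . . . . . . . . . . : 192.168.1.20
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 198.51.100.7
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for name, text in (("resolv.conf", SAMPLE_RESOLV_CONF), ("ipconfig", SAMPLE_IPCONFIG)):
        report = audit(text)
        status = "SUSPECT" if report["rogue"] else "clean"
        print(f"{name}: resolvers={report['resolvers']} -> {status} {report['rogue']}")
```

Reading the local configuration rather than fetching a checker page matters here because, as the article notes, the malware also blocked access to update sites; a purely network-based check can be interfered with by the thing it is testing for. The script only covers the host: where a router has been reconfigured (the article counts infected routers as well), the host usually shows the router's own address as its resolver, so the router's upstream DNS settings have to be inspected separately.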
Vladimir Tsastsin, Timur Gerassimenko, Dmitri Jegorow, Valeri Aleksejev, Konstantin Poltev and Anton Ivanov of Estonia and Andrey Taame of Russia have been charged with 27 counts of wire fraud and other computer-related crimes in connection with the scheme.