Outline Warnings circulating via social media and email claim that many thousands of people may lose their Internet connections in July 2012 unless they check for and remove a malware infection from their computers.
The claims in the warnings are true. Due to an aggressive campaign by cybercriminals, millions of computers around the world were infected with DNSChanger malware over the course of several years. The criminals responsible were arrested by the FBI in 2011. The FBI arranged for temporary "clean" servers to be set up so that infected users could connect safely to the Internet and to give victims more time to remove the malware. However, these temporary servers are set to be shut down on July 9, 2012 which means computers still infected with the malware may lose their Internet connections. (See Detailed Analysis below to find out how to check if your computer is infected).
According to a number of warning messages currently circulating via social media and email, hundreds of thousands of users around the world may lose their Internet connections in July 2012 unless they take steps to check if their computers are infected with the DNSChanger malware and, if so, remove it before a July 9 deadline.
The claims in the warnings are valid and recipients should take heed. In 2011, the FBI arrested and charged a group of cybercriminals that had been responsible for infecting millions of computers around the world with a type of malware dubbed DNSChanger. In an effort to protect infected users from further harm - and to give victims more time to clean their computers - the FBI arranged for a private sector, non-government entity to set up clean DNS servers for use by infected users. However, this temporary protection measure will come to an end on 9th July 2012 at which time the clean servers will be switched off. Users still infected when the servers stop operating may therefore lose Internet connectivity.
In an article about the case - known as Operation Ghost Click - the FBI notes:
DNS—Domain Name System—is a critical Internet service that converts user-friendly domain names, such as www.fbi.gov, into numerical addresses that allow computers to talk to each other. Without DNS and the DNS servers operated by Internet service providers, computer users would not be able to browse websites or send e-mail.
DNSChanger was used to redirect unsuspecting users to rogue servers controlled by the cyber thieves, allowing them to manipulate users’ web activity. When users of infected computers clicked on the link for the official website of iTunes, for example, they were instead taken to a website for a business unaffiliated with Apple Inc. that purported to sell Apple software. Not only did the cyber thieves make money from these schemes, they deprived legitimate website operators and advertisers of substantial revenue.
The FBI has uncovered a network of rogue DNS servers and has taken steps to disable it. The FBI is also undertaking an effort to identify and notify victims who have been impacted by the DNSChanger malware. One consequence of disabling the rogue DNS network is that victims who rely on the rogue DNS network for DNS service could lose access to DNS services. To address this, the FBI has worked with private sector technical experts to develop a plan for a private-sector, non-government entity to operate and maintain clean DNS servers for the infected victims. The FBI has also provided information to ISPs that can be used to redirect their users from the rogue DNS servers to the ISPs’ own legitimate servers. The FBI will support the operation of the clean DNS servers for four months, allowing time for users, businesses, and other entities to identify and fix infected computers. At no time will the FBI have access to any data concerning the Internet activity of the victims.
And in a March 12, 2012 update, the FBI website reiterated:
To assist victims affected by the DNSChanger malicious software, the FBI obtained a court order authorizing the Internet Systems Consortium (ISC) to deploy and maintain temporary clean DNS servers. This solution is temporary, providing additional time for victims to clean affected computers and restore their normal DNS settings. The clean DNS servers will be turned off on July 9, 2012, and computers still impacted by DNSChanger may lose Internet connectivity at that time.
Thus the warnings are legitimate and should be taken seriously.
To find out if your computer is infected, visit the DNS Changer Working Group (DCWG) website via the link below and follow the instructions provided: