Helping people with computers... one answer at a time.

When a major malware infection was discovered last year, a temporary solution was created on the internet. On July 9th, 2012, it's scheduled to go away.

I have read on the internet that hundreds of thousands of computers might lose internet access after July 09, 2012. Is this true? They have estimated that more than 20,000 of such computers are right here in my country. If this is true, how serious is the threat?

Will you lose internet access? I have no idea.

But many people whose computers have been compromised by malware just might. If you happen to be one of those people, then yes - there's a good chance you could wake up on July 9 to no internet.

I'll explain what happened, what's happening in July, what you need to do to find out if you're affected, and what to do if you are.

What happened

In a word, malware.

Last year, malware appeared that infected over half a million computers worldwide. To understand exactly what this malware did, we need to review briefly one aspect of how the internet works.

DNS, or the Domain Name System, is the system used to translate domain names - like "ask-leo.com" - into IP addresses - like 67.225.235.59 (ask-leo.com's IP address as I write this). It's the IP address that locates the actual physical server that houses the website.

To perform that mapping, computers are programmed with the IP addresses of DNS servers - servers which basically answer questions like, "What's the IP address for ask-leo.com?" The IP addresses of DNS servers are provided automatically, either by your ISP when you connect to the internet or by your router, or you can configure the DNS server settings in your PC manually.

When this so-called "DNS Changer" malware infected a computer, it altered the DNS server that a computer would use. Rather than a legitimate DNS server, PCs were silently reconfigured to use a bogus DNS server.

A DNS server that would sometimes lie.

For example, when asked, "What's the IP address for google.com?" the rogue DNS server would not give the correct answer. Instead, it would return a different IP address: the IP address of a malicious server that was configured to look like google.com but was not the real server at all.

And as long as the malicious server looked enough like Google, the computer user wouldn't know until it was too late that something was wrong. There'd be no error message.

The bogus site (which could be any site the hackers chose, not just google.com) could itself install more malware, display additional advertising, or do just about anything that a malicious website could do. All without warning.

What's happening in July

In November, the hackers were caught.

But hundreds of thousands of infected machines were left with their DNS settings pointing to their bogus DNS servers.

So, rather than removing the DNS servers from the internet, the agencies that caught the hackers instead changed them to be legitimate ones, at least temporarily.

Apparently at a cost to the government of about $10,000/month.

While this meant that people with infected machines would now be able to surf the net more safely, it didn't change the fact that their computers were, fundamentally, still compromised.

On July 9th, those DNS servers are going away.

On that day, anyone whose computer is still infected and attempting to use those servers to get DNS answers won't get an answer at all.

And without DNS, you can't answer the question "What's the IP address of _____?" for any internet domain.

Meaning that for those people, the internet will simply stop working.

Let me be clear: the internet will stop working only if your machine is infected.

Are you affected?

Visit the DNS Changer Working Group and click the green button labeled "Detect". (Note: As I write this, the site appears to be having intermittent problems, probably due to load as a result of the recent flurry of news reports. Keep trying or try again a little later.)

This will examine whether or not your computer is affected by the DNS Changer malware.

If you're not, you're done. July 9 will be a non-event for you.

What to do if you're affected

If the DCWG site indicates that you're affected, the page should also include information on what to do.

The good news is that there are many free tools that are listed as resolving the issue - free tools from most of the major anti-malware utility vendors. Specifically, Windows Defender Offline (formerly Microsoft Standalone System Sweeper) is listed, and it would probably be the tool I'd reach for first.

After cleaning DNS Changer off of your machine, I would also seriously review the anti-malware tools that you're currently using.

Put simply, it should have been caught by now.

Article C5229 - April 21, 2012

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18-year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


10 Comments
David
April 21, 2012 6:13 PM

Might be a good test to run if the site was an actual site, and not a broken link. You can get to the site, but once you click anything, the link is broken. It may be due to many people attempting to use, but just not too sure at all.

I actually mentioned that in the article you just commented on. Be patient. Try again later.
Leo
21-Apr-2012
Info Dave
April 22, 2012 4:55 PM

Why aren't you pointing people to the http://www.dcwg.org/ site?

The download appears unnecessary to me. Please explain.

I don't know what download you're talking about. The article does link to dcwg.org.
Leo
22-Apr-2012

Info Dave
April 22, 2012 4:57 PM

Sorry, it turned out to be a Google ad that probably led to who knows what.

Kevin
April 24, 2012 9:31 AM

Glad that I'm not the only one that has to say sorry !!
But my laptop did come up very green !!!

Steven
April 24, 2012 12:05 PM

If it's that simple it should be in the Malicious Software Removal Tool Microsoft send each month in updates etc, knowing fully that next to nobody reading your site would skip those?

We could hope.

Paul Underdown
April 24, 2012 12:23 PM

Great article Leo. THANKS! Lots of questions about this recently from customers. Any idea on the most affected countries by this?

I don't know, but I believe some of the resources linked to in the article include that if you drill down far enough.
Leo
25-Apr-2012
Dude Ohio
April 24, 2012 1:09 PM

So how much is it going to cost "me" to keep from losing internet access?? I believe it's all about the money...

Shouldn't cost you a thing. The test and all of the fix it utilities referenced by the pages are all free.
Leo
25-Apr-2012

Andrew Keir
April 25, 2012 6:41 AM

thanks Leo - I wasn't aware of this and have rapidly checked the family computers. Calmness reigns...
Andrew

Kim
April 25, 2012 2:57 PM

Will this affect Macintosh computers?

I don't believe so.
Leo
26-Apr-2012

Susan James
May 15, 2012 5:54 PM

thx! I'm "green" and that was fast!

Comments on this entry are closed.
