Helping people with computers... one answer at a time.
When a major malware infection was discovered last year, a temporary solution was created on the internet. On July 9th, 2012, it's scheduled to go away.
I have read on the internet that hundreds of thousands of computers might lose internet access after July 09, 2012. Is this true? They have estimated that more than 20,000 of such computers are right here in my country. If this is true, how serious is the threat?
Will you lose internet access? I have no idea.
But many people whose computers have been compromised by malware just might. If you happen to be one of those people, then yes - there's a good chance you could wake up on July 9 to no internet.
I'll explain what happened, what's happening in July, what you need to do to find out if you're affected, and what to do if you are.
In a word, malware.
Last year, malware appeared that infected over half a million computers worldwide. To understand exactly what this malware did, we need to review briefly one aspect of how the internet works.
DNS, or the Domain Name System, is the system used to translate domain names - like "ask-leo.com" - into IP addresses - like 22.214.171.124 (ask-leo.com's IP address as I write this). It's the IP address that locates the actual physical server that houses the website.
To perform that mapping, computers are programmed with the IP addresses of DNS servers - servers which basically answer questions like, "What's the IP address for ask-leo.com?" The IP addresses of DNS servers are automatically provided by your ISP when you connect to the internet, by your router, or you can configure the DNS server settings in your PC manually.
When this so-called "DNS Changer" malware infected a computer, it altered the DNS server that a computer would use. Rather than a legitimate DNS server, PCs were silently reconfigured to use a bogus DNS server.
A DNS server that would sometimes lie.
For example, rather than answering the question, "What's the IP address for google.com?" with the correct answer, the rogue DNS server would return a different IP address: the IP address of a malicious server that was configured to look like google.com, but in fact, it's not the real server at all.
And as long as the malicious server looked enough like Google, the computer user wouldn't know until it was too late that something was wrong. There'd be no error message.
The bogus site (which could be any site the hackers chose, not just google.com) could itself install more malware, display additional advertising, or do just about anything that a malicious website could do. All without warning.
In November, the hackers were caught.
But hundreds of thousands of infected machines were left with their DNS settings pointing to their bogus DNS servers.
So, rather than removing the DNS servers from the internet, the agencies that caught the hackers instead changed them to be legitimate ones, at least temporarily.
Apparently at a cost to the government of about $10,000/month.
While this meant that people with infected machines would now be able to surf the net more safely, it didn't change the fact that their computers were, fundamentally, still compromised.
On July 9th, those DNS servers are going away.
On that day, anyone whose computer is still infected and attempting to use those servers to get DNS answers won't get an answer at all.
And without DNS, you can't answer the "What's the IP address of _____?" for any internet domain.
Meaning that for those people, the internet will simply stop working.
Let me be clear: the internet will stop working only if your machine is infected.
Visit the DNS Changer Working Group and click the green button labeled "Detect". (Note: As I write this, the site appears to be having intermittent problems, probably due to load as a result of the recent flurry of news reports. Keep trying or try again a little later.)
This will examine whether or not your computer is affected by the DNS Changer malware.
If you're not, you're done. July 9 will be a non-event for you.
If dcwg indicates that you're affected, the page should also include information on what to do.
The good news is that there are many free tools that are listed as resolving the issue - free tools from most of the major anti-malware utility vendors. Specifically, Windows Defender Offline (formerly Microsoft Standalone System Sweeper) is listed, and it would probably be the tool I'd reach for first.
After cleaning DNS Changer off of your machine, I would also seriously review the anti-malware tools that you're currently using.
Put simply, it should have been caught by now.
Hundreds of thousands may lose Internet in July - SFGate / San Francisco Chronicle / AP, February 20, 2012.
Manhattan U.S. Attorney Charges Seven Individuals for Engineering Sophisticated Internet Fraud Scheme That Infected Millions of Computers Worldwide and Manipulated Internet Advertising Business - FBI, November 9, 2011
Comments on this entry are closed.
If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.
If you don't find your answer, head out to http://askleo.com/ask to ask your question.