The conclusion of a massive FBI cyber bust, scheduled for Monday, July 9, could have negative consequences for innocent parties. But it’s likely not the “doomsday” scenario alluded to by some media outlets.
“We would like to point out that despite the big noise around this topic, there is no need to panic,” explained Marco Preuss, a cyber security expert at Russian firm Kaspersky Labs, in a blog post published Friday.
The FBI will on Monday be turning off several large domain name system (DNS) servers — the systems that direct Internet traffic, allowing users to connect to websites — which could lead to thousands of Internet users across the U.S. and the globe losing their connections, if those users were unlucky enough to be infected with a piece of malicious code that was at the center of the FBI’s sting.
The FBI case, known as “Operation Ghost Click,” was revealed by the FBI in November 2011, when the agency charged six Estonian men and a Russian collaborator with computer fraud, for using a type of malware called a DNS Changer, to hijack about 4 million Windows and Apple Mac computers around the globe.
When users of infected computers attempted to visit certain popular websites — Google, Amazon, Apple, Netflix, ESPN, The Wall Street Journal and the IRS, among them — the DNS Changer malware stealthily re-routed the users through rogue DNS servers to other websites or advertisements. The suspects had allegedly made agreements with these websites and advertisers to provide them with traffic in exchange for money.
The FBI said that the cyber fraudsters used “dozens” of rogue DNS servers across the United States, including some in New York and Chicago, but U.S. law enforcement agencies located and shut them off.
Because infected computers — including some 500,000 in the U.S. alone at the time — were still trying to connect to those rogue servers, simply taking them offline would have caused all of those computers to lose Internet access.
So the FBI put in place a “remediation” program, getting a nonprofit company, the Internet Systems Consortium, to install temporary DNS servers that could continue to interact with and direct the infected machines for a court-ordained period of 120 days. After that time, the substitute servers are legally ordered to be switched off. That deadline happens to be Monday, July 9, 2012.
Though the FBI put out guidance in November explaining how users could identify and remove the DNS malware from their computers, an estimated 64,000 users in the U.S. and some 277,000 total worldwide still have it on their machines, according to the Associated Press, and so they are at risk of losing Web access come Monday.
But Google and Facebook have been issuing warnings in recent days, presenting a message specifically to users with potentially infected machines, directing them to the government-created website to check for the malware, the DNS Changer Working Group (DCWG), a consortium of cyber experts from academic institutions and private cybersecurity firms.
U.S. users can click on the following link, www.dns-ok.us, to get an instant, private analysis of their computers to see if they have the malware or not (green means all clear, no malware). Affected users can follow a variety of steps listed on the website to remove the malware.
In addition, as Kaspersky’s analysis found: “The good news is that the infections were blocked and the number of infection attempts is going down.”
Kaspersky published the following map of new infections detected by its security software during the week of July 2:
That said, Kaspersky believes that fixes offered by the DNS Changer Working Group aren’t “100 percent” effective, so it advises that users worried about losing Internet access come Monday manually change their computers’ DNS settings to “free DNS-Servers from Google: 22.214.171.124 and 126.96.36.199. OpenDNS also offers two: 188.8.131.52 and 184.108.40.206, which we also recommend for additional security features.” Find out how to manually change your DNS here in the case of Windows and here for Mac.