Will your Internet be cut off by DNS Changer Monday? How to find out.
Computers still infected by the DNS Changer malware using an Eastern European advertising scam won't be able to access the Internet Monday, when the FBI is expected to shut down the servers that ran the operation. But there's a fix.
DNS Changer, discovered in 2005, was part of a new trend in the malware world designed to subvert one of the most basic features of the Internet – the addressing system computers use to find websites. The rogue servers set up by criminals and later taken over by the FBI in "Operation Ghost Click" were programmed to mimic the Internet phonebook called the Domain Name System (DNS) and transmit their own fraudulent web addresses. In doing so, the criminals essentially enslaved victims' computers, making them dependent on their servers to access the Internet.
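Because the malware worked by rewriting a computer's resolver settings, the first thing a defender checks is which DNS servers the host is actually configured to use. The script below is an added example, not code from the article or the FBI: it parses a constructed resolv.conf-style configuration and flags any resolver outside the networks an organisation expects its hosts to use (the allowlist and the sample addresses are assumptions, since the article lists no rogue ranges).

```python
import ipaddress

# Constructed sample resolver configuration (resolv.conf style), not taken from
# the article. The second nameserver lies outside the expected ranges.
SAMPLE_RESOLV_CONF = """\
# Generated by dhcpcd
search corp.example
nameserver 10.0.0.53
nameserver 192.0.2.77
nameserver 10.0.1.53
"""

# Assumption: the resolver networks this organisation expects its hosts to use.
# An allowlist is used rather than a blocklist of rogue servers, so anything not
# listed here is flagged for review.
EXPECTED_RESOLVER_NETS = [
    ipaddress.ip_network("10.0.0.0/23"),
]


def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses from resolv.conf-style text, in order."""
    servers = []
    for line in resolv_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # skip malformed entries instead of aborting the check
    return servers


def unexpected_resolvers(resolv_conf_text, expected_nets=EXPECTED_RESOLVER_NETS):
    """Return configured resolvers that fall outside every expected network.

    A non-empty result means the host's DNS settings point somewhere the
    organisation did not configure, which is the symptom DNS Changer produced.
    It is a trigger for investigation, not proof of infection.
    """
    return [str(ip) for ip in parse_nameservers(resolv_conf_text)
            if not any(ip in net for net in expected_nets)]


if __name__ == "__main__":
    flagged = unexpected_resolvers(SAMPLE_RESOLV_CONF)
    print("unexpected resolvers:", flagged or "none")
```

On a real host, feed the function the contents of the system's resolver configuration and the resolver networks your own DHCP or network policy hands out.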
The intent of the operation was to twist automated Internet advertising to the criminals' advantage. These advertising systems pay website owners fractions of a cent for every page view and a few cents if someone actually clicks on the advertiser's link. If a sale is made from that click-through, the referring website can actually get a commission.
By sending infected users to fraudulent websites that they controlled, the criminals generated huge numbers of page views and, in turn, large advertising revenues. The money adds up fast when you've got millions of computers under your control pursuing fraudulent search results, says Brett Stone-Gross, senior security researcher at Dell SecureWorks.
"When the user of an infected computer clicked on the domain name link for the official website of Apple-iTunes, the user was instead taken to a website for a business unaffiliated with Apple Inc. that purported to sell Apple software," the FBI reported.
Likewise, someone with an infected computer would click on a link they thought was for the official Internal Revenue Service site, but their browser would instead go to the website for H&R Block, a major tax preparation business – although that company and others were unaware of the scam.
Last November, Estonian authorities scooped up a half dozen suspects believed to have defrauded search-engine companies and online advertisers of at least $14 million.
"The defendants earned millions of dollars under their advertising agreements, not by legitimately displaying advertisements through their Publisher Networks, but rather by using the Malware to fraudulently drive Internet traffic to the websites and ads that would earn them more money," the FBI said in a statement last November.
While the DNS Changer threat seems likely to come to a close Monday, the threat from faked website addressing hasn't gone away and, if anything, is likely to grow in the future. It's already being used in cyberespionage to steal proprietary information, says Mr. Rasmussen of Identity Internet.
"Right now this sophisticated type of attack is still fairly rare," Rasmussen says. "What it's done is to exploit something very basic that changes the way users interact with the Internet. It's particularly dangerous because, at least in theory, the person controlling access to the Internet would be able to see communications. If you route all the traffic through your servers, anything going through these paths is vulnerable."