Hundreds of thousands of infected PCs are expected to lose internet connectivity at 12:01 am EDT on Monday, July 9. The loss of connectivity stems from a widespread piece of malware and the botnet built from it, known as DNSChanger. At its peak an estimated 4 million computers worldwide were infected; the malware silently rewrote the DNS settings of each affected machine so that its traffic was redirected without the user's knowledge. Some 275,000 machines are currently reported to still be infected.
On November 8, 2011, the FBI, the NASA Office of Inspector General (NASA-OIG) and Estonian police arrested several cyber criminals in "Operation Ghost Click". The criminals operated under the company name "Rove Digital" and distributed DNS-changing malware variously known as TDSS, Alureon, TidServ and TDL4. You can read more about the arrest of the Rove Digital principals here, and in the FBI press release.
The malware was part of an international advertising-fraud scheme: a widespread online advertising network built out of the infected machines and steered by DNS servers under the group's control.
“The botnet operated by Rove Digital altered user DNS settings, pointing victims to malicious DNS in data centers in Estonia, New York, and Chicago. The malicious DNS servers would give fake, malicious answers, altering user searches, and promoting fake and dangerous products. Because every web search starts with DNS, the malware showed users an altered version of the Internet.”
"Operation Ghost Click" enters its final phase on Monday. Since the takedown, the rogue DNS servers have been replaced by clean temporary servers run under a court order, so that infected systems kept resolving names while ISPs and users worked on cleanup and the impact of cutting those systems off could be reduced. Those temporary servers are scheduled to be switched off on Monday, July 9.
The following video shows the geolocation of computers infected with DNSChanger, plotted as the number of infections per hour for the period from January 1, 2012 to March 31, 2012.
ISPs, security companies, and even sites such as Google and Facebook have been warning infected users and providing removal instructions since the response operation began. An informational website, http://www.dcwg.org/ (the DNS Changer Working Group), offers detection, fix, and protection guidelines so users can check and clean their own machines.