The Federal Bureau of Investigation may yank several crucial domain name servers (DNS) offline on March 8, blocking millions from using the Internet. The servers in the FBI’s crosshairs were installed in 2011 to deal with a nasty worm dubbed DNSChanger Trojan. DNSChanger can get an innocent end-user in trouble; it changes an infected system’s DNS settings to shunt Web traffic to unwanted and possibly even illegal sites.
DNSChanger oozed out of Estonia and may have fouled up as many as a half-million computers in the United States. The feds’ temporary fix to keep the worm from propagating was to replace infected servers with clean surrogates.
Coordinating with the Estonian authorities who arrested those believed responsible for the worm, the FBI set up what amounted to a Maginot Line of temporary servers that would give businesses and private individuals affected by DNSChanger time to cleanse infected systems. However, this may not have been enough to save all the afflicted. Cyber security journalist Brian Krebs writes:
Computers still infected with DNSChanger are up against a countdown clock. As part of the DNSChanger botnet takedown, the feds secured a court order to replace the Trojan’s DNS infrastructure with surrogate, legitimate DNS servers. But those servers are only allowed to operate until March 8, 2012. Unless the court extends that order, any computers still infected with DNSChanger may no longer be able to browse the Web.
[Internet Identity president and CTO Rod] Rasmussen said there are still millions of PCs infected with DNSChanger. “At this rate, a lot of users are going to see their Internet break on March 8.”
According to Mr. Krebs, Internet Identity believes DNSChanger infected “half of all Fortune 500 firms, and 27 out of 55 major government entities.”
Large network operators unsure as to whether their system is infected can contact the DNS Changer Working Group for assistance here. Private users may be able to ferret out a localized infection by following steps outlined here, at DCWG.org.
Follow Steve Huff via RSS.