More than 60,000 computers in the United States are expected to lose internet access beginning Monday unless they are able to remove a piece of malware in time, according to the FBI.
It's crunch time for users that control machines infected by the DNSChanger trojan, which is capable of modifying DNS settings to send users to sites of the attacker's choosing. The trojan also can disable anti-virus and other security software.
While the number of poisoned PCs remains relatively high, Gunter Ollmann, vice president of research at security firm Damballa, told SCMagazine.com on Friday that most of those endpoints likely aren't actively used to surf the web and are instead employed by businesses to run "automated activities." There's also a chance some of the infections are on modems and routers, but not computers.
Those behind the trojan, who have since been arrested, had used it to redirect unsuspecting users, via web searches, to sites serving hacker-controlled advertisements, a technique known as click hijacking, or clickjacking.
But last year, the FBI charged six Estonian citizens with masterminding the $14 million fraud campaign. As part of the raid, federal agents seized the command-and-control servers that were used to manage the malware. Under a federal court order, the rogue DNS servers were replaced with legitimate servers that were initially meant to operate until March 8, but a judge in March granted a four-month extension for users to purge the trojan from their systems.
A majority of the initial compromises have been remediated, but 64,000 computers in the United States and a couple of hundred thousand elsewhere in the world are still relying on the temporary servers to access the web.
Users are advised to visit the DNS Changer Working Group website to learn if they are infected and how to rid their computers of the threat. But security experts said this isn't a certain fix.
"Unfortunately, we previously mentioned that automatic websites set up for this purpose do not work 100 percent well. So, the manual solution of checking the DNS server IPs is better," Marco Preuss, a Kaspersky Lab expert, wrote Friday in a blog post. "If you are infected, you can change your DNS entries to the free DNS-Servers from Google: 8.8.8.8 and 8.8.4.4. OpenDNS also offers two: 208.67.222.222 and 208.67.220.220, which we also recommend for additional security features"
Meanwhile, most ISPs reportedly are standing by, ready to assist their customers if they are unable to reach the web.
Initially several million machines were impacted globally, so the clean-up as been significant.
But the large number still remaining, especially considering the effort that has gone into ridding machines of the trojan, which has included help from Google and some governments, is concerning, Ollmann said.
"I don't think it bodes well for the thousands of other threats and botnets out there that don't receive this level of attention," he said.
