Google is using its mass reach to notify users whose machines are believed compromised by the insidious DNSChanger trojan, an infection that could result in those computers being unable to connect to the web in six weeks.
Last month, the Department of Homeland Security estimated in a blog post that more than 84,000 PCs in the United States remained poisoned by the trojan, down from around half a million earlier this year. Another few hundred thousand computers are infected outside of the country. Some of the tainted endpoints are located at Fortune 500 companies and government agencies.
When activated, the malware is capable of modifying DNS settings to send users to sites of the attacker’s choosing. The trojan also can disable anti-virus and other security software.
But that should not be the immediate concern of infected users. That’s because last year the FBI charged six Estonian citizens with masterminding a $14 million fraud campaign involving the DNSChanger trojan.
As part of the raid, federal agents seized the command-and-control servers that were used to manage the malware. Under a federal court order, the rogue DNS servers were replaced with legitimate servers that were initially meant to operate until March 8, but a judge in March granted a four-month extension for users to purge the trojan from their systems.
Once deadline day — July 9 — comes and goes, computers that still have the trojan installed will no longer be able to connect to the internet. Now, Google is stepping in to help speed up remaining remediation efforts. Using its network traffic monitoring capabilities, the search giant is able to notify users if their computers are infected.
Damian Menscher, a Google security engineer, said Tuesday in a blog post that this method is undeniably effective, but it is not an exact science. Google provided a similar courtesy service last summer with a strain of rogue anti-virus software that was making the rounds.
“We believe directly messaging affected users on a trusted site and in their preferred language will produce the best possible results,” Menscher wrote. “While we expect to notify over 500,000 users within a week, we realize we won’t reach every affected user. Some ISPs have been taking their own actions, a few of which will prevent our warning from being displayed on affected devices. We also can’t guarantee that our recommendation will always clean infected devices completely, so some users may need to seek additional help.”
DHS, in the blog post, recommended that users visit the DNSChanger Working Group website to test their computers for infection and to receive instructions on removing the trojan.