By Craig Masters
Monday afternoon, February 20, the Greeley Gazette posted an informative article about the possibility that many computer users might lose their access to the internet when, not if, the FBI shuts down servers it put into place last November to replace rogue computers operating malware called “DNS Changer.”
Almost immediately readers submitted comments such as, “Where the heck is Estonia?” One fellow asked how six guys sitting around in a hut in some third world country could hack the IRS. Good questions, but the most ironic inquiry was posted at 6:10am this morning, questioning the story because that reader hadn’t seen such a story anywhere else.
Twenty minutes later, at 6:30am, Dave Johnson of CBS News posted:
“Why the FBI might soon cut off your Internet”
and reported the story much the same as published Monday in the Gazette.
In the interest of those who might want more evidence of such a problem before paying a computer professional to check their machine(s), this article contains additional background materials.
The defendants were indicted in U.S. District Court for the Southern District of New York. Arrests in Estonia were the culmination of 2 years of investigations, dubbed “Operation Ghost Click,” by law enforcement organizations in several countries.
Here is an excerpt of the information available from the FBI:
“The indictment, announced today (November 10, 2010), describes an intricate international conspiracy conceived and carried out by sophisticated criminals,” said Janice Fedarcyk, assistant director in charge of the FBI’s New York Field Office. “Today, with the flip of a switch, the FBI and our partners dismantled the Rove criminal enterprise. Thanks to the collective effort across the U.S. and in Estonia, six leaders of the criminal enterprise have been arrested and numerous servers operated by the criminal organization have been disabled.”
According to the indictment, the defendants waged the clickjacking scheme from 2007 to October 2011. They operated a number of companies that appeared to be legitimate Internet companies and worked with legitimate advertising brokers. Using a type of malware known as DNS Changer, they were able to take over victims’ computers. The malware surreptitiously changed DNS server settings on infected computers, allowing the defendants to redirect web browsers to websites and ads that generated revenue when users clicked on them. In some instances, DNS Changer prevented anti-virus programs from updating, leaving the infected computers open to more malware attacks.
A PDF available by searching the FBI web site explains that the replacement servers will not remove the DNS Changer malware—or other viruses it may have facilitated—from infected computers. Users who believe their computers may be infected should contact a computer professional. They can also find additional information in the links on this page, including how to register as a victim of the DNS Changer malware. The FBI’s Office for Victim Assistance will provide case updates periodically at 877-236-8947.
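The indictment excerpt above describes the malware’s one essential trick: it rewrote the DNS server settings on the victim’s machine so that every name lookup went through the criminals’ resolvers. The practical check a computer professional performs is therefore simple in principle: read the configured resolvers and compare them against the ones the machine is supposed to use. The following Python script is an added example written for this article, not code from the Gazette, the FBI or the BSI. It parses both a Unix `/etc/resolv.conf` and the `DNS Servers` lines of Windows `ipconfig /all` output, then flags any resolver outside an approved list. The approved ranges and both configuration samples are constructed placeholders (documentation and private address ranges), not the actual rogue or replacement server addresses, which this article does not list.

```python
"""Audit a host's configured DNS resolvers against an approved list.

Added example for this article; the approved ranges and the sample
configuration text below are constructed for illustration only.
"""
import ipaddress
import re
from typing import Iterable, List, Tuple

# Constructed allow-list: the resolvers an organisation expects its hosts to
# use. 192.0.2.0/24 is a documentation range standing in for a real internal
# resolver; 10.0.0.0/8 covers private-network resolvers.
APPROVED_RESOLVERS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("10.0.0.0/8"),
]

# Constructed sample /etc/resolv.conf as a Unix host might have it.
SAMPLE_RESOLV_CONF = """# Generated by NetworkManager
search example.test
nameserver 192.0.2.53
nameserver 203.0.113.5   ; resolver outside the allow-list
options timeout:2
"""

# Constructed excerpt of `ipconfig /all` output from a Windows host.
SAMPLE_IPCONFIG = """Ethernet adapter Ethernet:

   DHCP Enabled. . . . . . . . . . . : Yes
   DNS Servers . . . . . . . . . . . : 203.0.113.5
                                       10.1.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def parse_resolv_conf(text: str) -> List[str]:
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for raw in text.splitlines():
        # Both '#' and ';' introduce comments in resolv.conf.
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def parse_ipconfig(text: str) -> List[str]:
    """Return the DNS server addresses from `ipconfig /all` output.

    The first address follows the 'DNS Servers' label; further addresses
    appear on indented continuation lines that carry no label of their own.
    """
    servers = []
    in_dns_block = False
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped.startswith("DNS Servers"):
            in_dns_block = True
            # The label ends at the first ':' so IPv6 values stay intact.
            servers.append(stripped.split(":", 1)[1].strip())
        elif in_dns_block and stripped and " : " not in stripped:
            servers.append(stripped)  # continuation line, value only
        else:
            in_dns_block = False      # blank line or a new labelled field
    return servers


def audit_resolvers(servers: Iterable[str],
                    approved=APPROVED_RESOLVERS) -> List[Tuple[str, str]]:
    """Classify each resolver as 'approved', 'unexpected' or 'unparseable'."""
    findings = []
    for text in servers:
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            findings.append((text, "unparseable"))
            continue
        verdict = "approved" if any(addr in net for net in approved) else "unexpected"
        findings.append((text, verdict))
    return findings


def unexpected_resolvers(servers: Iterable[str],
                         approved=APPROVED_RESOLVERS) -> List[str]:
    """Resolvers that warrant a closer look by whoever maintains the host."""
    return [s for s, v in audit_resolvers(servers, approved) if v != "approved"]


if __name__ == "__main__":
    for label, servers in (("resolv.conf", parse_resolv_conf(SAMPLE_RESOLV_CONF)),
                           ("ipconfig", parse_ipconfig(SAMPLE_IPCONFIG))):
        for server, verdict in audit_resolvers(servers):
            print(f"{label}: {server} -> {verdict}")
```

Run against the two constructed samples, the script reports 192.0.2.53 and 10.1.1.1 as approved and 203.0.113.5 as unexpected on both hosts. An unexpected resolver is not proof of infection, since ISPs and home routers legitimately hand out their own addresses, but it is the setting a professional would inspect first given how this particular malware operated.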
But for those who may still want a source outside the U.S. government, the German central police agency BSI web site from November 2011 reads:
“BSI empfiehlt Überprüfung von PCs auf Schadsoftware “DNS-Changer””
roughly translated by this reporter: BSI recommends review of PCs for malicious software “DNS-Changer”
The site continues: “Überprüfung des eigenen Rechners vor dem 8. März 2012 sinnvoll”
which says: Review of (your) own computer before March 8, 2012 makes sense
“Verbreitet wurde die Schadsoftware durch das so genannte “DNS-Changer-Botnetz“, dessen Betreiber im November 2011 von der amerikanischen Bundespolizei FBI und europäischen Ermittlungsbehörden verhaftet wurden. Die von den Onlinekriminellen manipulierten DNS-Server wurden nach der Festnahme vom FBI durch korrekt arbeitende DNS-Server ersetzt. Diese Server sollen jedoch zum 8. März 2012 abgeschaltet werden.”
… those who spread the malware (“DNS-Changer botnet”) were arrested in November 2011 by the FBI and European authorities…. The FBI installed replacement servers. However, these servers will be shut down March 8, 2012.
My apologies for the roughness of my translation. I do, however, believe I have captured the essence of the German press release.