With a deadline to pull surrogate servers extended, the FBI has launched a new campaign to prevent up to 350,000 computer users from losing Internet access this summer – including those tied to Fortune 500 companies and government agencies like NASA.
Over the weekend, news media outlets began promoting a new Web site that helps users determine if their machine is infected with the DNS Changer trojan believed to be behind a four-year, $14 million-plus scam that redirected infected machines to bogus servers. The malware sent users to hacker-created advertising sites and disabled antivirus software and system updates. Many users, however, noticed little change other than a possible slowdown in service.
Following the arrest of six Estonians in November on fraud charges in connection with “Operation Ghost Click,” as the investigation was known, federal officials worked with the Internet Systems Consortium to create clean DNS servers in New York to handle requests from infected systems. At the time an estimated 2 million machines worldwide, including a half million in the United States, were believed to be infected.
The FBI also asked global Internet registries to establish a way for ISPs to flag infected hosts without cutting them off from the Internet. At one point, a security researcher was reporting that half of all Fortune 500 companies and 27 of 55 government entities were among the victims.
Those temporary servers were due to come down in March, but so many machines remain infected that a judge granted an extension to July 9 for the takedown. That led the FBI to wage a public awareness campaign and new Web site to reduce, if not eliminate, a significant global outage once the servers are taken offline.
Several news outlets noted that the new FBI site, which instantly detects clean versus contaminated computers, incurred heavy traffic on Monday, suggesting the public awareness campaign was working. For those found to be carrying DNS Changer, the site provides instructions to remove the malware.
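The check the FBI site performs amounts to asking whether a machine's configured DNS resolvers fall inside the address blocks used by the rogue servers. The example below is added here for illustration and is not the FBI's tool or code from the article; it parses resolv.conf-style resolver settings and flags any nameserver that lands in a known-rogue block or that is not on the operator's expected list. The rogue ranges in the code are placeholders drawn from the documentation TEST-NET blocks, since the article does not reproduce the real ones, and the sample configurations are constructed.

```python
import ipaddress
from typing import Iterable, List, Sequence

# PLACEHOLDER: stand-ins for the rogue DNS Changer resolver blocks. The article
# does not list the real ranges, so the RFC 5737 documentation networks are used
# here purely so the example runs; substitute the published blocks in practice.
PLACEHOLDER_ROGUE_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),     # TEST-NET-1 (placeholder)
    ipaddress.ip_network("198.51.100.0/24"),  # TEST-NET-2 (placeholder)
]


def parse_resolv_conf(text: str) -> List[ipaddress._BaseAddress]:
    """Return the nameserver addresses from resolv.conf-style text.

    Comment lines and malformed addresses are skipped rather than raising,
    because a resolver file edited by malware may be messy.
    """
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing/whole-line comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # not an IP address; ignore the entry
    return servers


def rogue_resolvers(servers: Iterable[ipaddress._BaseAddress],
                    rogue_ranges: Sequence = PLACEHOLDER_ROGUE_RANGES) -> List[str]:
    """Resolvers that fall inside a known-rogue block (deny-list check).

    `in` on an ip_network returns False for a mismatched address family, so an
    IPv6 resolver is never mis-flagged against an IPv4 block.
    """
    return [str(s) for s in servers if any(s in net for net in rogue_ranges)]


def unexpected_resolvers(servers: Iterable[ipaddress._BaseAddress],
                         expected: Iterable[str]) -> List[str]:
    """Resolvers not on the operator's approved list (allow-list check).

    This catches a hijack even when the rogue block is not yet known.
    """
    allowed = {ipaddress.ip_address(a) for a in expected}
    return [str(s) for s in servers if s not in allowed]


def check_resolv_conf(text: str,
                      expected: Iterable[str] = ("10.0.0.53",),
                      rogue_ranges: Sequence = PLACEHOLDER_ROGUE_RANGES) -> dict:
    """Run both checks over one resolver configuration."""
    servers = parse_resolv_conf(text)
    return {
        "configured": [str(s) for s in servers],
        "rogue": rogue_resolvers(servers, rogue_ranges),
        "unexpected": unexpected_resolvers(servers, expected),
    }


# Constructed sample configurations (not taken from any real host).
SAMPLE_CLEAN = """# generated by the ISP's DHCP client
nameserver 10.0.0.53
"""

SAMPLE_HIJACKED = """# resolver settings rewritten by malware
nameserver 192.0.2.77   # inside the placeholder rogue block
nameserver 10.0.0.53
nameserver not-an-address
"""

if __name__ == "__main__":
    print("clean   :", check_resolv_conf(SAMPLE_CLEAN))
    print("hijacked:", check_resolv_conf(SAMPLE_HIJACKED))
```

Running the two checks side by side matters on a fleet: the deny-list finds machines pointed at a block already tied to this campaign, while the allow-list surfaces any resolver change at all, which is the earlier and more general signal for DNS-redirect malware of this kind.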
Those who fail to clean their machines before the temporary DNS servers are taken down will have to load AV software using a peripheral, such as a USB device. First, though, they’ll need another Web-enabled machine to download the software.