With a deadline approaching for users to disinfect their computers of the DNSchanger malware or potentially lose Internet access, Google is undertaking an effort to notify infected users through messages on search results pages. The federal government also is working to warn users about the infections and the potential consequences if their machines aren’t cleaned by July 9.
July 9 is the day when a court order that keeps the DNS servers used in the malware operation up and running will expire. In November, the FBI arrested six Estonian citizens who it alleged were behind the DNSchanger campaign, and in the process it discovered that there were millions of victims whose DNS settings had been changed as a result of the malware infection. As part of the infection, DNSchanger modifies the DNS settings on users’ machines and redirects them to malicious sites.
After the arrests, the FBI took control of the DNS servers used in the operation and has been operating them for the last few months. In March, nearly 100,000 users in the United States were still using those DNS servers, and the Department of Homeland Security is encouraging users to clean their machines as soon as possible.
Now, Google is hoping to get the word out to as many of the still-infected users as possible, a number that the company puts at about 500,000 worldwide.
“At the current disinfection rate hundreds of thousands of devices will still be infected when the court order expires on July 9th and the replacement DNS servers are shut down. At that time, any remaining infected machines may experience slowdowns or completely lose Internet access,” Google’s Damian Menscher wrote in a blog post.
“Our goal with this notification is to raise awareness of DNSChanger among affected users. We believe directly messaging affected users on a trusted site and in their preferred language will produce the best possible results. While we expect to notify over 500,000 users within a week, we realize we won’t reach every affected user. Some ISPs have been taking their own actions, a few of which will prevent our warning from being displayed on affected devices. We also can’t guarantee that our recommendations will always clean infected devices completely, so some users may need to seek additional help. These conditions aside, if more devices are cleaned and steps are taken to better secure the machines against further abuse, the notification effort will be well worth it.”
Users whom Google’s algorithms identify as being infected will see a message telling them that their computer appears to be infected. They will also be shown a link to instructions for cleaning the infection.
The DNSchanger malware was part of a larger operation known as Ghost Click, which relied on the redirected traffic from infected PCs as part of a pay-per-click scheme.