Internet will vanish Monday for 300,000 infected computers

Users must wipe DNSChanger malware from PCs and Macs before 12:01 a.m. ET July 9

1 2 Page 2
Page 2 of 2

The DCWG worked extensively with ISPs (Internet service providers) to help them alert customers with infected computers -- identified by their being shuttled through the replacement servers -- and advise them on removing the malware. The group also reached out to enterprises, government agencies and other organizations to offer the same assistance.

At times, that worked.

"Some ISPs have been very draconian," said Rasmussen, citing providers that repeatedly called, emailed or phoned members with infected computers. "Some worked hard at a fair amount of expense."

Others instead prepared for the support calls they expect to field starting Monday when startled customers realize they can't get online. "They're staffing up for [Monday], they know that they're going to get [a large number of calls]."

For those that have done nothing, Monday will be rough, Rasmussen predicted. "For some ISPs, this may be a real flap," he said.

But the project was sometimes frustrating.

One company, which Rasmussen would not name, had cleaned all its machines of DNSChanger, but was repeatedly re-infected. Finally, the firm discovered that laptops connecting to its public Wi-Fi network were spreading the malware, and even narrowed the list of suspects to the media because the timing of the re-infections coincided with press events the corporation held on its campus.

Even so, the effort has been worthwhile, not simply to ameliorate the impact, but as a learning experience for future such takedowns, or of "sinkholing" botnets in general.

"What we need in the future is a real-time alerting capability," said Rasmussen, and described a system that would immediately notify a user if his or her computer had been shunted to a substitute server. The idea was discussed by the DCWG, but never implemented because it would have required much more hardware and support than was available.

"Someone has to support this volunteer effort," said Rasmussen, who didn't have an answer for where that support, whether financial or other resources, would come from.

Two of the Internet biggest companies have also pitched with their own anti-DNSChanger campaigns.

In late May, Google began warning infected users with a bannered message at the top of the company's search results page. Several days later, Facebook kicked off a similar alert for its members.

Users have access to several free tools that identify infected computers, including several that just debuted under the DCWG's auspices. In the U.S., for example, users can steer to the website. Other detection sites are listed on the DCWG's domain.

The DCWG's website also has links to free tools that remove the malware.

But perhaps the loss of the Web is the only wake-up call some users will hear, Rasmussen said.

A few in the DCWG lobbied to stick to the original March 8 deadline and against an extension, believing that only a "tough love" approach would work, said Rasmussen.

"Some people haven't been paying attention to the messages," he said. "It's not a lot, but they're very reticent to do anything."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, send e-mail to or subscribe to Gregg's RSS feed .

Copyright © 2012 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon