ISPs downplay DNSChanger impact as substitute servers go dark

Clean-up efforts in the last three weeks reduced U.S. infection count by 34%

Government-sponsored servers designed to keep DNSChanger-infected PCs and Macs online were switched off earlier today as scheduled, but several major U.S. Internet service providers downplayed problems to their customers.

The number of IP addresses with infected machines had fallen since mid-June by 34% in the U.S., according to July 4 data from a group of security experts formed to combat the malware. Worldwide, the infection count decreased by 19% in the same period, said the DNSChanger Working Group (DCWG).

DNSChanger, which had hijacked users' clicks by modifying their computers' domain name system (DNS) settings, shunted DNS requests to the criminals' own servers. The hacker-controlled DNS servers then redirected victims to malicious sites that resembled real domains.

At one point, as many as four million PCs and Macs were infected with the malware, which earned its makers $14 million, U.S. federal authorities have said.

As part of last November's "Operation Ghost Click," the FBI arrested six Estonian men -- a seventh, who is Russian, remains at large -- seized more than 100 servers operated by the gang, and then substituted replacement DNS servers for those taken offline. Without the substitutes, DNSChanger-infected systems would have been immediately knocked off the Internet.

Instead, the substitute servers, which were maintained under a federal court order by Internet Systems Consortium (ISC), the non-profit group that maintains the popular BIND DNS open-source software, kept victims online until 12:01 a.m. ET today, when their plugs were finally pulled.

Originally, the stand-in servers were to be turned off March 8, but a federal judge extended the deadline to July 9.

Although some headlines last week touted the impending shutoff as a doomsday event, the number of people affected was actually quite small considering the number of Internet-capable desktops and notebooks.

In the U.S., for example, the 45,619 IP addresses DCWG reported as infected as of July 4 represented just 0.02% of all Internet-able desktops and laptops, or just 2 out of every 10,000 PCs and Macs.

Several large U.S. ISPs also noted the small number of victims. "The number of customers affected [by DNSChanger] is very, very small," said Mark Siegel, an AT&T spokesman, today.

"A very, very small number of our customers have been affected," echoed Alberto Canal, a spokesman for Verizon's FIOS Internet service. "Our call centers are not seeing any activity."

Some ISPs, including both AT&T and Verizon, are keeping customers online by directing their DNS requests to special servers that kicked in when the FBI's replacement systems went dark earlier today.

Siegel said AT&T would operate the substitute-substitute DNS servers until the end of 2012, while Canal said Verizon would run those for its customers through this month only.

Verizon's redirection also steers customers to a site that warns customers that their PC, Mac or router has been infected by DNSChanger, and walks them through malware cleaning steps.

Comcast, which did not respond to a request for comment on how it was handling the outage, has a similar page on its website that is displayed to infected customers.

Users who find that they cannot access the Internet today can contact their ISP for assistance, or if they're do-it-yourselfers, can download an antivirus program using a machine that can connect to the Web, place it on a USB flash drive, then install it on the affected PC or Mac to scrub it of the malware.

Among the antivirus choices are several free titles, including Microsoft's Security Essentials for Windows and Intego's VirusBarrierX6 trial edition.

Infected routers -- the devices that manage Wi-Fi home networks -- require more manual sleuthing to clean. The best place to start is at the router manufacturer's support website.

Once the system has been disinfected, users must restore the machine's DNS settings. Those settings can be obtained from one's ISP, or the user can switch to a free DNS service, such as OpenDNS, by following the instructions in the No. 2 section of this page.

AT&T and Verizon said they would continue to reach out to affected customers via phone, email, mailed messages and even pop-ups that appear on the screens of infected computers to continue the clean-up effort.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is

See more by Gregg Keizer on

Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.

Copyright © 2012 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon