In the last step of an international effort to break up an Estonian cybercrime ring, the FBI is planning to switch off bogus domain-name servers formerly controlled by the criminals on March 8, potentially disabling Web access for hundreds of thousands of users still infected by the criminals' malware.
The FBI investigation, Operation Ghost Click, last November took down the gang responsible for infecting at least a half-million computers in the U.S. with a piece of malware called "DNSChanger," which silently replaced each victim's DNS server settings with servers the gang controlled, letting the crooks hijack Web traffic and reroute it to rigged sites. The gang collected some $14 million in fraudulent advertising revenue in the process.
The malware was found on computers at half of all Fortune 500 companies and at 27 government agencies.
About 450,000 computers are still infected with the Trojan, the DNS Changer Working Group recently reported. (The DCWG has a tool on its website to determine if your computer is harboring the malware.)
Following the November bust, the FBI set up temporary Domain Name System "surrogate" servers to enable Web access for those PCs infected by the DNSChanger Trojan, researcher Brian Krebs explained. However, the court order permitting the surrogate servers gave the FBI only until March 8 to operate them.
In three weeks, any computer still infected with DNSChanger will have difficulty getting online. DNS servers translate text-based Web addresses such as "www.securitynewsdaily.com" into numeric Internet Protocol (IP) addresses such as "184.108.40.206." A malfunctioning or missing DNS server means the text-based names stop resolving, even though the sites themselves remain reachable; a savvy user can still get to a site by typing its IP address directly, but the real fix is to replace the rogue DNS server setting with a legitimate one (for example, the one supplied by your ISP) and then remove the malware.
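The check the DCWG tool performs amounts to asking one question: is this computer's configured DNS resolver one of the gang's? The following Python script is an added example, not code from the article or from the DCWG; it reads resolver settings from Linux/macOS resolv.conf text or Windows `ipconfig /all` output and flags any resolver that falls inside the DNSChanger address ranges the FBI published in its check guidance. The address ranges are reproduced from that guidance as I recall them (confirm against the DCWG's current list before relying on them), and the two configuration snippets are constructed samples.

```python
import ipaddress
import os
import re
from typing import List

# Rogue resolver address ranges attributed to DNSChanger in the FBI's published
# check guidance. Verify against the DCWG list before relying on them.
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network(cidr)
    for cidr in (
        "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
        "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
        "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
        "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
        "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
        "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
    )
]

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample of a Linux/macOS /etc/resolv.conf with one rogue resolver.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search example.internal
nameserver 85.255.113.10
nameserver 8.8.8.8
"""

# Constructed sample of Windows `ipconfig /all` output; the second DNS server
# appears on an indented continuation line, as ipconfig prints it.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.internal
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   DNS Servers . . . . . . . . . . . : 85.255.113.10
                                       213.109.70.2
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def is_rogue_resolver(ip: str) -> bool:
    """True if the address lies inside one of the published rogue ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # not an IP literal at all; cannot be one of the ranges
    return any(addr in net for net in ROGUE_RESOLVER_RANGES)


def parse_resolvers(text: str) -> List[str]:
    """Extract IPv4 resolver addresses from resolv.conf or ipconfig-style text."""
    resolvers: List[str] = []
    in_dns_block = False  # inside a multi-line "DNS Servers" entry of ipconfig
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            in_dns_block = False
            continue
        if stripped.startswith("nameserver"):
            resolvers.extend(IPV4_RE.findall(stripped))
            in_dns_block = False
        elif stripped.startswith("DNS Servers"):
            resolvers.extend(IPV4_RE.findall(stripped.split(":", 1)[-1]))
            in_dns_block = True
        elif in_dns_block and " : " not in line:
            # ipconfig continuation lines carry only an address, no " : " separator
            resolvers.extend(IPV4_RE.findall(stripped))
        else:
            in_dns_block = False
    return resolvers


def find_rogue_resolvers(text: str) -> List[str]:
    """Return the configured resolvers that fall inside the rogue ranges."""
    return [ip for ip in parse_resolvers(text) if is_rogue_resolver(ip)]


if __name__ == "__main__":
    # On a real host, run against /etc/resolv.conf (or paste ipconfig output).
    path = "/etc/resolv.conf"
    text = open(path).read() if os.path.exists(path) else SAMPLE_RESOLV_CONF
    hits = find_rogue_resolvers(text)
    if hits:
        print("Rogue DNSChanger resolver(s) configured:", ", ".join(hits))
    else:
        print("No resolver in the published DNSChanger ranges.")
```

A hit means the machine is still pointed at the addresses the FBI's surrogate servers answer on, so it will lose name resolution when those servers are switched off; the remedy is to set a legitimate resolver and then clean the infection, since DNSChanger will otherwise rewrite the setting again.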
As Chet Wisniewski from the security firm Sophos explained: "The FBI seized control of the rogue DNS servers that were being used by the victim computers and ensured they produced correct DNS answers. If the servers go down, any machine currently relying on them for DNS name services will cease to be able to browse the Web, read email or do just about anything on the Internet at all."
But Wisniewski, noting that few owners of the infected computers have taken steps to purge their systems of the DNSChanger Trojan, believes the FBI's decision could be a positive step in raising awareness of security vulnerabilities and getting people to take a more active role in securing their systems.
"You can't survive cancer by not getting tested," he wrote. "Keeping your machine infected so you can surf is not likely the best strategy."
About the surrogate DNS servers, Wisniewski added: "I say turn them off. It will be a rude wake-up call but an unfortunately necessary one. We all have responsibility for our own security and safety, and it isn't the job of the FBI or anyone else to coddle those who haven't taken the steps to ensure their own safety."