
Too Early To Tell If DNSChanger Was Overhyped

Despite last week's scary headlines, reports of problems caused by DNSChanger aren't as widespread as expected. That's definitely a good thing, but it doesn't mean Internet users are out of the woods just yet.

Here's the scoop so far: early this morning the FBI shut down the government-run substitute DNS servers that had been keeping DNSChanger-infected PCs and Macs online. The malware modified infected machines' DNS settings so that their lookups went to criminal-owned servers, which could redirect users to legitimate-looking sites under the criminals' control. The cybercriminals profited from those unsuspecting visitors through paid advertising.

DNSChanger has been circulating the Web since 2007, and at one point as many as four million PCs and Macs were infected, bringing in around $14 million to the malware authors. However, the FBI finally shut down the operation last November, under Operation Ghost Click, by arresting six Estonian men and seizing more than 100 servers. The government established substitute DNS servers to keep infected Web users online while the campaign educated everyone about what had happened and what needed to be done on the consumer end.

But with these stand-in servers now offline, Internet users still infected with DNSChanger would no longer have their DNS lookups answered by the FBI-supported servers. In fact, they wouldn't be able to go anywhere. The FBI claimed that around 275,000 computers were still infected and potentially wouldn't have Internet access on Monday, once the DNS traffic the malware redirects no longer had a server to answer it.

But as of Monday evening, no major Web disturbances at companies had been reported. There was, however, a brief incident involving New York City's subway ticket-vending machines, which unexpectedly went down for about an hour. There was speculation that the outage was due to the malware, but the Metropolitan Transportation Authority said it was unlikely.

"There was a period of about an hour where debit and credit card were unable to be processed at metro card vending machines, but there is no indication that it has nothing to do with malware," a spokesperson told Mashable. "The issue is still under investigation."

"The number of customers affected [by DNSChanger] is very, very small," Mark Siegel, an AT&T spokesman, said on Monday. A spokesman for Verizon's FiOS Internet service added that call centers had not seen any activity and that a very, very small number of customers had been affected.

Here in the U.S., the 45,619 IP addresses the DCWG reported as infected as of July 4 represented just 0.02 percent of all Internet-capable desktops and laptops, or just 2 out of every 10,000 PCs and Macs, reports Computerworld.

So was it just overblown hype, like the end-of-days fears around Y2K? It could have been worse had the FBI not informed companies and Internet users alike about the possible problem. In addition to the FBI's website, broadband providers distributed warnings to their subscribers, and well-established websites posted warnings as well. The news media also helped spread the word about Monday's potential risk.

Yet Dan Brown, director of security research at security firm Bit9, thinks it's too soon to brush DNSChanger off as a Y2K clone.

"It is too early to label DNSChanger as overblown hype like Y2K," Brown said in an e-mail statement. "It’s important to keep in mind that many of these infections are side effects of more serious malware infections. Companies should monitor their networks for DNS traffic going to the expected IP addresses and thoroughly investigate or reimage affected systems that they find."

He pointed out that many affected companies simply may not report any problems related to the malware.
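Brown's advice is to watch for DNS traffic heading to the rogue resolver addresses and to investigate the hosts behind it. The following is an added example, not code from the original article, from Bit9 or from the FBI, of how a network team might do that: it scans constructed DNS-query log lines for clients talking to resolvers inside a rogue address list, and separately checks a host's configured resolvers against the same list. The rogue ranges in the block are documentation placeholders (TEST-NET ranges), not the real DNSChanger addresses; a real deployment would substitute the ranges published by the FBI and the DCWG. The log line format is likewise an assumption made for the example.

```python
import ipaddress
from collections import defaultdict

# PLACEHOLDER rogue-resolver ranges, constructed for this example from the
# documentation-only TEST-NET blocks. These are NOT the real DNSChanger
# ranges; replace them with the list published by the FBI / DCWG.
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Constructed sample log, one query per line (assumed format):
#   <timestamp> <client_ip> -> <resolver_ip>:<port> <queried_name>
SAMPLE_LOG = """\
2012-07-09T08:00:01 10.0.0.15 -> 8.8.8.8:53 www.example.com
2012-07-09T08:00:02 10.0.0.23 -> 198.51.100.7:53 www.example.com
2012-07-09T08:00:03 10.0.0.23 -> 198.51.100.7:53 bank.example.org
2012-07-09T08:00:04 10.0.0.42 -> 203.0.113.250:53 mail.example.net
2012-07-09T08:00:05 10.0.0.15 -> 8.8.4.4:53 cdn.example.com
this line is malformed and is skipped by the parser
"""


def is_rogue_resolver(ip_str):
    """True if ip_str parses as an address inside any rogue range.

    Unparseable strings and addresses of a different IP version than the
    range (e.g. an IPv6 resolver against an IPv4 range) are not rogue.
    """
    try:
        addr = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(addr in net for net in ROGUE_RESOLVER_RANGES)


def parse_line(line):
    """Split one log line into (timestamp, client, resolver, qname).

    Returns None for malformed lines or non-port-53 targets so a single
    bad line never aborts the whole scan.
    """
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->":
        return None
    ts, client, _arrow, target, qname = parts
    resolver, _sep, port = target.rpartition(":")
    if not resolver or port != "53":
        return None
    return ts, client, resolver, qname


def find_infected_clients(log_text):
    """Map each client that queried a rogue resolver to the resolvers it used.

    Returns a plain dict: {client_ip: [sorted unique rogue resolver ips]}.
    Clients only talking to non-rogue resolvers are absent from the result.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _ts, client, resolver, _qname = rec
        if is_rogue_resolver(resolver):
            hits[client].add(resolver)
    return {client: sorted(res) for client, res in sorted(hits.items())}


def check_configured_resolvers(resolvers):
    """Host-side check: return the configured resolvers that fall in a rogue range.

    `resolvers` is the list of nameserver addresses read from the host
    (resolv.conf, the adapter's DNS settings, and so on).
    """
    return [r for r in resolvers if is_rogue_resolver(r)]


if __name__ == "__main__":
    # Network view: which clients should be investigated or reimaged?
    for client, resolvers in find_infected_clients(SAMPLE_LOG).items():
        print(f"investigate {client}: rogue resolvers {', '.join(resolvers)}")
    # Host view: constructed resolver list for a single machine.
    flagged = check_configured_resolvers(["192.0.2.1", "203.0.113.9"])
    print("rogue resolvers configured on host:", flagged)
```

The network scan and the host check share one predicate so that the rogue list only has to be maintained in one place; a resolver that is missing from the list, or a host that is infected but idle during the capture window, will not be flagged, which is why the log scan should run over a long enough window rather than a single snapshot.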