Computer users urged to check for malware
WORTHINGTON -- When DNSChanger malware first surfaced in 2007, it caught the attention of the Federal Bureau of Investigation (FBI). More than 4 million computers in 100 countries were affected, including computers belonging to individuals, businesses and government agencies such as NASA.
According to the FBI, crooks used the virus to manipulate the multi-billion dollar Internet advertising industry, generating at least $14 million in illicit fees. DNSChanger was used to redirect unsuspecting users to a rogue server -- a Domain Name System server operated by a criminal. When users of infected computers clicked on a link for an official website, such as that of iTunes, they were taken instead to a website unaffiliated with the official site.
In an investigation dubbed "Operation Ghost Click," the FBI uncovered a network of rogue DNS servers and made arrests in 2011. Six cyber criminals were taken into custody, and U.S. authorities seized computers and rogue servers at various locations. As part of a federal court order, the rogue DNS servers were replaced with legitimate servers in the hopes that users who were infected would not have their Internet service disrupted. Agents had determined that if they turned off the malicious servers being used to control the computers, all of the victims would lose Internet service.
Those servers will be shut down Monday, and anyone infected with the malware will lose Internet access, according to an alert from the Better Business Bureau. The FBI believes about 360,000 computers are still infected.
"I've been removing this infection from machines for months, and it's a particularly nasty one to completely remove, but I haven't seen it now for a few weeks," said Margo Davis, owner of Combined Computers in Slayton. "Hopefully we've got it under control."
Davis said there would be indications if a computer was infected -- the machine would have had issues with the Internet, such as losing connection completely or intermittently, being exceptionally slow and being redirected to sites the user had not intended to visit.
"I'd been dealing with this a long time before I totally understood the depths of the infection," she said.
The replacement servers did not and will not remove the DNSChanger malware, and those who think their computer could be infected should consult a professional, the FBI recommends. The DNSChanger Working Group was formed to help victims identify the problem, and their website at www.dcwg.org offers a list of free removal tools. If infected users have recently visited Facebook or Google, they may have seen a warning about the user's computer being compromised. Both services were posting notices to systems infected with DNSChanger and offering advice.
At the DCWG site, there is a place users can click and check their computer for the virus, but the warning beneath it states, "Had your computer been infected with DNS changer malware you would have seen a red background. Please note, however, that if your ISP is redirecting DNS traffic for its customers you would have reached this site even though you are infected. For additional information regarding the DNS changer malware, please visit the FBI's website at: http://www.fbi.gov/news/stories/2011/november/malware_110911."
Davis said she hopes people will not panic, because the virus can be fixed.
"But people also need to keep good protection on their systems and be careful what they click on," she added. "You can't be too careful anymore, and this is a good wake-up call."
Daily Globe Reporter Justine Wettschreck may be reached at