Digital Doomsday: Why the Web May Go Dark for Millions March 8
Contrary to rumors currently popping up in emails and on chat forums, the FBI will not be shutting down the entire Internet on March 8.
However, the agency may be pulling the plug on special Web servers that maintain Internet access for millions of users worldwide whose PCs, Macs and home and office routers were infected by a malware package called DNSChanger.
DNSChanger changed the Internet settings on those machines so that normal Web traffic would be redirected through servers controlled by cybercriminals. The gang behind the malware was busted in November and its servers were taken offline.
But because an estimated 4 million computers worldwide had been infected and would lose Internet access, the FBI arranged for a private company to run identical surrogate servers for another four months, until March 8. That was thought to be long enough to clean up infected machines.
Three and a half months later, an estimated 500,000 individuals in the U.S., and possibly another 2.5 million overseas, are still using computers infected with DNSChanger. The Justice Department has asked a judge to order that the surrogate servers be kept online for another four months, but the judge has yet to respond.
The Internet cutoff part of the story is getting the most press, but according to Neil Roiter, director of research at Corero Network Security in Hudson, Mass., there are other dangers lurking with a DNSChanger infection.
"The DNSChanger disables anti-malware applications and exposes computers to malicious websites," Roiter said. "Devices are likely to be suffering additional infection, and pose a danger to other computers and risk theft of sensitive information on corporate and government agency networks.
"Employees working inside the corporate perimeter, remote workers and employees who connect to the corporate network with their home devices are all placing the business at risk," he added.
Larger enterprises have processes in place to identify network risk and secure vulnerabilities, though not all of them have applied those processes in this case. Small businesses and home networks are more susceptible, as they might not have the tools necessary to spot the Trojan.
What to do
So how do you know if your computer is at risk? The easy way to check is to use a site such as the DNSChanger Eye Chart, which will have a green background if your computer appears to be safe. A red background shows a problem is lurking.
If you don't want to trust that quick check — apparently there is a risk of false negatives — or if you want to take a few extra steps just to make sure your computer is clean, run an up-to-date anti-virus scan on any system that may be infected.
"Users can also manually inspect certain Windows registry keys to identify infections," said Brian Jacobs, senior product manager for Lexington, Mass.-based network-management company Ipswitch. "Home systems that are infected will likely have trouble connecting to the corporate VPN system, if it utilizes a hostname (instead of a raw IP address) to connect. Additionally, connecting to a corporate VPN while infected with a Trojan will increase the chances of the entire corporation getting infected."
If there is a problem, Roiter said help is available, though it may be only for those with advanced networking skills.
"Various companies and groups, for example, are listed on the DNSChanger Working Group website," he said. "They can guide you in identifying infected devices for those organizations that have Autonomous System Numbers. Other organizations will have to check individual computers."