The DNSChanger malware modified the local DNS settings of an infected PC. This meant that criminals could assume control over the DNS resolution of the victim computer, effectively redirecting it to any destination of their choice rather than, for example, the bank or search engine the user originally intended to visit.
This ability was used primarily for click fraud by the Esthosts gang, redirecting searches and sites to generate revenue by defrauding advertisers and advertising networks.
PCs which are still infected by the malware, or whose settings have not been corrected even after the infection was cleaned up, are still querying those criminal servers. The FBI have been operating those servers since the warrant was executed, but their right to do so has now expired and the servers will be shut down, meaning that any queries from those 300,000 computers will fall on deaf ears and, to all intents and purposes, the web will go dark for the affected users.
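The check a help desk would want for the situation described above (settings still pointing at the rogue resolvers, whether or not the malware itself is gone) is to compare the configured name servers against the published rogue address ranges. This is an added example, not code from Trend Micro or the original post; the rogue ranges below are placeholders (TEST-NET blocks), since the real list is not on this page, and the resolver configurations are constructed samples in resolv.conf syntax.

```python
import ipaddress
import re

# Placeholder ranges standing in for the published DNSChanger resolver ranges.
# Assumption: substitute the FBI's published list here; the real values are not on this page.
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),      # TEST-NET-1, placeholder only
    ipaddress.ip_network("198.51.100.0/24"),   # TEST-NET-2, placeholder only
]

# Constructed samples: one machine whose settings were altered, one that is clean.
ALTERED_RESOLV_CONF = """\
# Generated by NetworkManager
search example.internal
nameserver 192.0.2.53
nameserver 198.51.100.53
"""

CLEAN_RESOLV_CONF = """\
nameserver 10.0.0.1
options timeout:2
"""

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def parse_nameservers(text):
    """Return the resolver IP addresses declared in resolv.conf-style text."""
    found = []
    for match in NAMESERVER_RE.finditer(text):
        try:
            found.append(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue  # skip malformed entries rather than abort the check
    return found


def flag_rogue_resolvers(text, rogue_ranges=ROGUE_RESOLVER_RANGES):
    """Return, as strings, the configured resolvers that fall inside a rogue range."""
    return [
        str(ip) for ip in parse_nameservers(text)
        if any(ip in net for net in rogue_ranges)
    ]


if __name__ == "__main__":
    for label, conf in (("altered", ALTERED_RESOLV_CONF), ("clean", CLEAN_RESOLV_CONF)):
        hits = flag_rogue_resolvers(conf)
        print(f"{label}: {'rogue resolvers ' + ', '.join(hits) if hits else 'no rogue resolvers'}")
```

On a live machine, feed the contents of the resolver configuration (or the DHCP-assigned servers on a home router) into `flag_rogue_resolvers`; any hit means the settings still need correcting before the shut-off.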
At the time when Trend Micro co-operated with the FBI in bringing the Esthosts gang to justice, we believed about 4 million PCs to be affected. This number has since dropped to about 300,000, and this should be considered a success. However, with the definitive shut-off of the criminal DNS servers today, those 300,000 people face a potential total loss of web access.
If you’re reading this, you’re OK, but if your neighbour comes to your door asking who broke the Internet, now’s your chance to play knight in shining armour. And if you work on an ISP help desk… may the force be with you!
Image Credit: Camera Eye Photography