10:44 AM CDT, July 9, 2012
Hundreds of thousands of Internet users whose computers are infected with a particularly nasty virus are now unable to access the Web.
The Federal Bureau of Investigation shut down Internet servers that it temporarily set up to support those affected by malicious software, called DNSChanger. Turning off those servers knocked all those still infected offline.
Over the past five years, a group of six Estonian cybercriminals infected about 4 million computers around the world with DNSChanger. The malware redirected infected users' Web searches to spoofed sites with malicious advertisements.
In November 2011, the FBI and some overseas partners arrested those responsible, commandeered their servers, and attempted to warn those affected to get rid of the virus.
The FBI did not immediately take down the rogue servers, as infected computers would have lost Internet access, an FBI spokesman said.
To remedy the problem, the FBI had the nonprofit Internet Systems Consortium set up temporary servers. That way, computer owners would have time to get rid of their malware.
The servers were supposed to be shut down in March, but hundreds of thousands remained infected. Nearly 211,000 computers worldwide (about 42,000 in the United States) still have the virus, according to the FBI's latest count on Monday. That's a large number, but it's a very small subset of the 1.6 billion PCs worldwide, of which an estimated 339 million are in the United States.
Still, the FBI decided to give people even more time to check for the malware, extending the deadline until July. The agency now says the time has come to cut the cord, and the emergency servers were shut down Monday morning.
Though the FBI tried to send notifications to those infected, it could not identify all of them, a spokesman said.
To help the users still infected, the agency laid out a step-by-step plan on how to check to see if your computer has the virus. The quickest way to see if your system is OK is to go to dns-ok.us, a site set up to check for the infection.
How did this all happen?
The servers the cybercriminals set up redirected search traffic to their own rogue servers, bypassing Google, Microsoft's Bing or other search engines' servers. Users would be shown fake search results that sent them to spoofed websites with manipulated online ads.
For example, when a user searched for Netflix and clicked on the fake search result, he or she would instead be redirected to an unrelated website called "BudgetMatch." If a user searched for ESPN and clicked through, DNSChanger would replace Dr. Pepper 10 ads on ESPN's website with an ad for a timeshare business.
The fraudsters made $14 million through those illegal ads, the FBI said.
The malware also prevented users from updating their operating systems or anti-virus software, which may have detected the virus.
Facebook and Google joined the awareness efforts by alerting users whose devices appear to be infected. Both sites display warnings and provide links to help get rid of the malware.
Copyright © 2014, WXIN-TV, Indianapolis