Deadline Approaches for Some Infected Computers

Reader K asks: "I read an article about a DNS changer virus that could cause our computer to lose Internet access on July 9 because of FBI arrests. Is there anything additional we need to do to protect ourselves?"

An interesting question, with both a simple answer, and a very interesting story!

If your computer has been professionally cleaned at any time since November 2011, you are most likely safe. If you require 100 percent certainty, there are a few tests you can perform to determine if this particular virus is running. The Federal Bureau of Investigation has a wealth of data on this virus, as well as the unique circumstances that put the government in control of the Internet "switch" on infected computers.

Beginning in 2007, six Estonian nationals were involved in what the FBI poetically described as an "intricate international conspiracy." Apparently the conspiracy business is a lucrative one, as they pilfered $14 million before their arrest last November. Their approach was to silently infect computers using a variety of methods, and then simply instruct the victim computer to ask computers controlled by the Estonians how to find whatever the victim wanted on the Internet. They would then intercept and forward whatever they wanted into other servers controlled by, or providing profit to, their conspirators.  

The problem was that when these servers were removed from the Internet, none of the victim computers would be able to access the Internet at all. To prevent this, the FBI arranged for a third party to set up servers that would provide victims with an accurate map of the Internet. About 4 million computers were infected by the conspirators, and according to an Associated Press article the FBI estimates that as many as 360,000 machines are still relying on the government funded servers for Internet access.

This will all end on July 9, when the feds will pull the plug on the servers. Most that are still infected will lose access to the web. It may have been costly to band-aid the infected computers, but hopefully the information gathered by the project can be put to use in combating similar problems.

If you'd like to be certain you aren't infected, you can quickly test your computer by visiting dns-ok.us in your preferred web browser. If you are infected, the page will state so, and give you instructions for removal. If not, you have one more step to take to ensure that you aren't infected. 

If your internet provider is already intercepting certain Internet traffic, it could mask the symptoms of the virus. You can test your ISP by running a nifty tool called Namebench. If all the servers they test come out scoring the same, you know that they are being intercepted. Each ISP and account type has its own opt out method for this service, but most will quickly shut it off for free if you request it. 

Once your Internet traffic is going directly to where it is intended, power users may want to use the Namebench results to switch their DNS server settings to the recommended configuration. This can help speed up page load times, especially on pages with lots of ads.

If you have a question you'd like to ask, or run into an interesting tech topic, let me know in the comments below or by emailing patchblog@budsandbytes.com