independent and unofficial
Prince fan community
Thread started 07/06/12 1:56pm

banks

Internet will vanish Monday for 300,000 infected computers

Users must wipe DNSChanger malware from PCs and Macs before 12:01 a.m. ET July 9

July 6, 2012 06:34 AM ET

Computerworld - As many as 300,000 PCs and Macs will drop off the Internet in about 65 hours unless their owners heed last-minute calls to scrub their machines of malware.

According to a group of security experts formed to combat DNSChanger, between a quarter of a million and 300,000 computers, perhaps many more, were still infected as of July 2.

DNSChanger chart
The dns-ok.us website quickly tells users whether their PC or Mac is likely infected with DNSChanger.

DNSChanger hijacked users' clicks by modifying their computers' domain name system (DNS) settings to send URL requests to the criminals' own servers, a tactic that shunted victims to hacker-created sites that resembled real domains.

At one point, as many as 4 million PCs and Macs were infected with the malware, which earned its makers $14 million, U.S. federal authorities have said.

Infected machines will lose their link to the Internet at 12:01 a.m. ET Monday, July 9, when replacement DNS servers go dark.

The servers, which have been maintained under a federal court order by Internet Systems Consortium (ISC), the non-profit group that maintains the popular BIND DNS open-source software, were deployed last year after the Federal Bureau of Investigation (FBI) seized more than 100 command-and-control (C&C) systems during the take-down of the hacker gang responsible for DNSChanger.

The FBI's "Operation Ghost Click" ended with arrests of six Estonian men -- a seventh, a Russian, remains at large -- the C&C seizures, and the substitution of the replacement servers. Without the substitutes, DNSChanger-infected systems would have been immediately knocked off the Internet.

Originally, the stand-in servers were to be turned off March 8, but a federal judge extended th... to July 9.

It's not just consumer PCs and Macs -- DNSChanger was equal-opportunity malware -- that remain infected, but also corporate computers and systems at government agencies, said Tacoma, Wash.-based Internet Identity (IID), which has been monitoring cleanup efforts.

Last week, IID said that its scans showed 12% of Fortune 500 firms, or about one out of every eight, harbored DNSChanger-compromised computers or routers. And two out of 55 scanned U.S. government departments or agencies -- or 3.6% -- also had failed to scrub all their PCs and Macs.

The newest numbers were down from earlier scans by IID. In March, for example, the company pegged the Fortune 500 DNSChanger infection rate at 19% and the government agency rate at 9%.

In January, both groups' rate was an amazing 50%.

But there are still tens of thousands of laggards who have not cleaned their computers, even after a months-long effort by the DNSChanger Working Group (DCWG), a volunteer organization of security professionals and companies.

"We're all struggling with this," said Rod Rasmussen, chief technology officer of IID and a member of the DCWG. "There are a lot of people who just haven't gotten the word."

The cleanup, Rasmussen said, has been the tough part of the DNSChanger takedown.

"There was a lot of planning done for the initial takedown, the arrests, the swapping of servers, but there wasn't as much for after the take-down," said Rasmussen. "How do we clean things up? Victim remediation is a challenge for our industry. Everyone wants to do it, but how do you pay for it?"

Reply #1 posted 07/06/12 1:59pm

banks

Ensure the FBI doesn't shut down your PC on July 9

By Dave Johnson

(AP)

(MoneyWatch) COMMENTARY There's a chance you'll lose access to the Internet in just a few days -- on Monday, July 9.

That's the date on which the FBI is scheduled to pull the plug on DNS servers through which your PC might be connecting to the Internet. And if that happens, your PC will be unable to connect to any Web sites. Confused? Let's take a step back.

Last year, a particularly malicious malware called DNSChanger infiltrated both personal and corporate PCs across the Internet, redirecting computers to a set of DNS servers which were programmed to direct Web searches to malicious Web sites. The FBI broke up the conspiracy, made some arrests, and seized the bad DNS servers. But because a large number of PCs were already pointed at these servers, the Feds continued to operate them with clean and authentic DNS data.

Well, the clock is about to run out on those servers -- they're due to come offline on July 9. Any PCs still using them will find themselves unable to connect to the Internet when the plug is pulled. I warned you about this once before when the kill date was expected to be March 8, but this new date seems firm.

The malware no longer circulates the Web, but your PC might be infected and you could be unaware. (Though to be honest, the odds are low -- especially if you run any sort of anti-virus or anti-malware software.) To be sure, though, visit dns-ok.us to run a quick check to see if your computer is infected. Also go to the DNSChanger Working Group's website for more detailed testing information and for instructions on how to rid your network of the malware.

http://www.cbsnews.com/83...on-july-9/

Reply #2 posted 07/06/12 2:00pm

RodeoSchro

pray Please let all 300,000 belong to either Ditto Heads, rappers, or both. Amen.

Reply #3 posted 07/06/12 2:54pm

Timmy84

I think if you get a message on Facebook or Google warning about "I think your computer might be infected", chances are your internet will shut down on the 9th. Though I can't get into that dns-ok website, I think my connection's OK.

Reply #4 posted 07/06/12 2:57pm

Timmy84

From further reading, it seems that only about 70,000 computers in the U.S. are still infected with that DNSChanger thing. This malware thing was expected to shut down on March 8 but was pushed back to the 9th of this month.

Reply #5 posted 07/06/12 3:05pm

Timmy84

TIME article about this

Security & Privacy


DNSChanger: No, the Internet Isn’t Shutting Down on Monday

By Matt Peckham | July 6, 2012

Dozens of news outfits are amping up this DNSChanger malware “event” on Monday with stories bearing apocalyptic titles like “Countdown to Internet Doomsday: Will Your Computer Survive?” or “How to survive internet doomsday” or “End of the Internet? ‘Doomsday’ virus will crash thousands of computers on July 9.”

My personal favorite: “Five reasons DNSChanger victims deserve to lose the internet.” Because nothing says “helping bewildered consumers” like distorting what’s at stake to justify an almost gleefully callous (but eye-catching!) headline.

When I click on any of these, I half-expect to find pictures of Bat Boy, his half-human, half-nocturnal mammalian mouth opening like a cartoon opera singer hitting the money note, his hands at his face Macaulay Culkin-style, his computer melting like the Wicked Witch into a pool of sludge.

What’s actually going down on Monday is far less theatrical.

No, the Internet isn’t shutting down. Not even close. What is happening, is that the FBI will turn off a couple servers (really, just two) that it originally architected to thwart the spread of an opportunistic and irritating (but otherwise innocuous) bit of malware.

And when the two servers do go dark, computers still infected with the malware — currently dependent on those FBI servers to access the Internet — will lose their ability to translate web addresses into IP addresses. For these people — a number some are still calling as high as half a million, but which experts place at less than 250,000 worldwide (and well below 70,000 in the U.S.) — that means any network requests made using web addresses won’t work.

I explained this in detail back in April, so here’s the Cliff’s Notes version:

Cyber-thieves created malware in 2007, dubbed “DNSChanger,” that manipulated the way Internet ads appeared in infected computer browsers, allowing the cyber-crooks to rack up millions in illicit fees.

The malware depended on a basic Internet principle called DNS (Domain Name System), which is how Internet routers know where to send your Internet requests — that is, how to translate a URL like “www.time.com” into a numeric IP address when you type it into your browser’s address bar.

Computers infected by DNSChanger had their local DNS information changed and were redirected to fraudulent servers, which delivered web-based ads that eventually channeled millions of dollars to the malware authors.

But the bad guys were caught last November and their servers seized. Given the number of infected computers, the FBI elected to leave the servers running sans ads, instead launching an awareness campaign to get users to disinfect before a shutdown date: July 9, 2012.

When the servers go dark, DNS-related Internet activity on any remaining infected computers will no longer work. How many people are we talking?

In a refreshingly sober piece, “Malware Monday: Much Ado About Nothing,” Eric Chabrow chats up DCWG spokesman Barry Greene (whose job it is to warn people about the malware, mind you):

Think about it: Various estimates place the number of PCs worldwide at between 1 billion and 2 billion. That means the 250,000 or so still-infected computers represent fewer than 2-100ths of a percent (0.02 percent) of all PCs in the world. That’s about the number of PCs a botnet hunter commandeers in a single day, Greene says, adding: “It’s no big deal.”

Here’s the deal. If you haven’t already, click this simple infection checker, run by the DNS Changer Working Group (DCWG) to determine if your computer has the malware (you’ll get an instant thumbs up or down). If not — celebrate good times! — you’re free and clear.

And if you are infected? No need to go all Dr. Peter Venkman like the rest of tech-dom, just be sure to visit the DCWG’s “fix” page today (or by this weekend) and follow a few simple, undramatic steps to cleanse your computer.

----

So much ado about nothing. Unless you still got an infection, chances are the internet will still be up and running on July 9th. This sounds more like a scare tactic.

Still, check to see if you still got malware in your computer. The DNS-OK site is not working so if you have that Anti-Malware Bytes software, check it through there. If none of your drives have it, you're cool.

Reply #6 posted 07/06/12 8:26pm

Ottensen

RodeoSchro said:

pray Please let all 300,000 belong to either Ditto Heads, rappers, or both. Amen.

Okay, you know I always need you guys to hip me onto the latest lingo: Rodeo, what on earth are Ditto Heads??? lol

Reply #7 posted 07/06/12 8:51pm

RodeoSchro

Ottensen said:

RodeoSchro said:

pray Please let all 300,000 belong to either Ditto Heads, rappers, or both. Amen.

Okay, you know I always need you guys to hip me onto the latest lingo: Rodeo, what on earth are Ditto Heads??? lol

LOL, that particular phrase is at least 20 years old.

The sheep that listen to Rush Limbaugh have, for over two decades, started almost every phone call to his show with the phrase, "Mega dittoes, Rush!" meaning that they heartily agree with whatever tripe he had just said.

So his followers became known as "Ditto Heads".

Reply #8 posted 07/06/12 9:22pm

NDRU

maybe that would not be such a bad thing for me

Reply #9 posted 07/06/12 9:35pm

banks

well if anyone is not sure about their pc any one of these tools will scan and remove the threat..

Hitman Pro (32bit and 64bit versions)

http://www.surfright.nl/en/products/

Kaspersky Labs TDSSKiller

http://support.kaspersky.com/faq/?qid=208283363

McAfee Stinger

http://www.mcafee.com/us/downloads/free-tools/stinger.aspx

Microsoft Windows Defender Offline

http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline

Microsoft Safety Scanner

http://www.microsoft.com/security/scanner/en-us/default.aspx

Norton Power Eraser

http://security.symantec.com/nbrt/npe.aspx

Trend Micro Housecall

http://housecall.trendmicro.com

MacScan

http://macscan.securemac.com/

Avira (Avira’s DNS Repair-Tool)

http://www.avira.com/en/support-for-home-knowledgebase-detail/kbid/1199
