Internet blackout for thousands begins Monday

@CNNMoneyTech July 9, 2012: 10:06 AM ET
As the FBI shuts down servers, hundreds of thousands of PCs infected with the DNSChanger malware could lose Internet access.

NEW YORK (CNNMoney) -- Hundreds of thousands of Internet users whose computers are infected with a particularly nasty virus are now unable to access the Web.

The Federal Bureau of Investigation shut down Internet servers that it temporarily set up to support those affected by malicious software, called DNSChanger. Turning off those servers knocked all those still infected offline.

Over the past five years, a group of six Estonian cybercriminals infected about 4 million computers around the world with DNSChanger. The malware redirected infected users' Web searches to spoofed sites with malicious advertisements.

In November 2011, the FBI and some overseas partners arrested those responsible, commandeered their servers, and attempted to warn those affected to get rid of the virus.

The FBI did not immediately take down the rogue servers, as infected computers would have lost Internet access, an FBI spokesman said.

To remedy the problem, the FBI had the nonprofit Internet Systems Consortium set up temporary servers. That way, computer owners would have time to get rid of their malware.

The servers were supposed to be shut down in March, but hundreds of thousands remained infected. Nearly 211,000 computers worldwide (about 42,000 in the United States) still have the virus, according to the FBI's latest count on Monday. That's a large number, but it's a very small subset of the 1.6 billion PCs worldwide, of which an estimated 339 million are in the United States.

Still, the FBI decided to give people even more time to check for the malware, extending the deadline until July. The agency now says the time has come to cut the cord, and the emergency servers were shut down Monday morning.

Though the FBI tried to send notifications to those infected, it could not identify all of them, a spokesman said.

To help the users still infected, the agency laid out a step-by-step plan on how to check to see if your computer has the virus. The quickest way to see if your system is OK is to go to dns-ok.us, a site set up to check for the infection.

How did this all happen?

The servers the cybercriminals set up redirected search traffic to their own rogue servers, bypassing Google (GOOG, Fortune 500), Microsoft's (MSFT, Fortune 500) Bing or other search engines' servers. Users would be shown fake search results that sent them to spoofed websites with manipulated online ads.

For example, when a user searched for Netflix (NFLX) and clicked on the fake search result, he or she would instead be redirected to an unrelated website called "BudgetMatch." If a user searched for ESPN and clicked through, DNSChanger would replace Dr. Pepper (DPS, Fortune 500) 10 ads on ESPN's website with an ad for a timeshare business.

The fraudsters made $14 million through those illegal ads, the FBI said.

The malware also prevented users from updating their operating systems or anti-virus software, which may have detected the virus.

Facebook and Google joined the awareness efforts by alerting users whose devices appear to be infected. Both sites display warnings and provide links to help get rid of the malware.