Victims of the DNSChanger malware think they have better things to do than check their internet security, and as a digital society we're dealing with malware in completely the wrong way.


These are the thoughts of Paul Vixie, who worked with the FBI in intercepting servers used by a gang of Estonian hackers who made millions of dollars by redirecting internet users away from the websites they requested and sending them to advertisements instead.

At its height, DNSChanger infected four million computers in 100 countries. Around 300,000 are still under its control, something many victims are unaware of and unable to fix.

One night in November, 2011, Vixie's job was to install two replacement servers among a network of computers seized by the FBI and previously used by the cyber criminals to run DNSChanger.

Due to the huge number of infected computers, simply shutting the network down would result in millions of victims "going dark" and being unable to visit websites, so the FBI had to take over the network and keep it running while victims were informed about how to fix the problem.

It was important to keep the servers online, Vixie explains, "because victims of DNSChanger were dependent on the assets that the FBI needed for evidence, and none of us wanted a half a million DNSChanger victims to 'go dark'."

A court order allowing Vixie's company Internet Systems Consortium (ISC) to install and maintain the servers was extended from its original expiry date of 9 March, 2012 to 9 July, giving the company an extra four months to notify 500,000 web users that their internet connection still routed through the DNSChanger servers.

Reinstalling Windows was initially the only surefire way of removing the DNSChanger malware, along with reconfiguring the victim's router.

Vixie explains: "Most internet users do not have the skills necessary to check and repair the configuration of their home routers, and most Windows users are also unwilling to reinstall Windows. So, even when we could identify and notify a victim, we had a hard time 'closing the deal'."

The FBI's replacement servers were switched off this morning, 9 July, meaning that any internet users who have not reinstalled Windows or removed DNSChanger from their computers may not have access to the internet.

"On 9 July, 2012 the replacement DNS servers operated by ISC will be shut down and any victims who still depend on these servers will face new risks," Vixie says in a post on Circle ID.

"Notice I'm not saying that they 'will go dark' [lose their internet connection] since that's not entirely clear. Some of them will go dark, some of them will face long delays on every web page they visit, some might not show any symptoms at all.

"The long term risk I foresee is that some new criminal empire (or more than one) will offer services to replace ISC's, and they will easily recapture a large part of the DNSChanger victim population."

Vixie adds that there are anonymous ways to do this that don't leave tracks, so not every criminal who does this will be automatically detected and arrested.

Taking the Conficker virus as another recent example of computer malware, Vixie predicts an uncertain future where computer users don't understand or simply don't care about the risks involved.

Summing up, Vixie says: "These victims seem to feel that [they] have more important things to worry about. My gut feeling is that they're wrong, but I can't seem to prove it. My other gut feeling about all this is that we, as a digital society, are doing this all wrong."