
Check your computer for the virus
March 9, 2016 – 12:07 pm
But the virus lives on

The FBI, in association with international law enforcement, managed to track and apprehend six Estonians using an ostensibly legitimate front company who had organized a sophisticated system of false DNS servers.

These servers rerouted the web browsers of infected computers to sites of the hackers' own choosing, some of which were fraudulent in nature.

Computers were forced to connect to the internet through these servers by a customized virus called DNSChanger that was distributed along conventional channels, such as infected emails, bad websites, and malware scripts.

When it broke up the hacking group in 2011, the FBI established temporary 'clean' servers in place of the bad ones so that computers infected with DNSChanger wouldn't suddenly be cut off from the internet.

However, the contract to maintain these servers will end July 9, resulting in their shutdown.

"An extension has not been requested," says Jenny Shearer, a spokesperson for the FBI's National Press Office.

The FBI and international law enforcement caught the people behind Rove Digital in 2011. (REUTERS/Chris Morgan/Idaho National Laboratory)

According to Paul Vixie, chairman and founder of the Internet Systems Consortium (ISC), which has been operating the temporary servers for the FBI, the fraud had snared nearly 650,000 machines worldwide, about 25,000 of which were in Canada. He says the scheme is also estimated to have netted nearly $20 million over four years for those behind the virus.

Since November 2011, the number of computers still infected with DNSChanger has dropped substantially to 275,000 worldwide. In Canada, only about 7,000 machines are estimated to remain infected, as a result of efforts by the FBI and computer security companies to get users to follow instructions on how to check for and remove the virus.

However, the machines of the thousands of users still infected with DNSChanger will continue to send their lookups to the DNS addresses supplied by the virus. Those users won't be able to get online unless they clear the virus from their computer.

Canadians affected by DNSChanger (CBC News)

What is DNS?

To properly understand how the ring's servers were able to operate for so long, it helps to understand the basics of the technology. DNS is short for Domain Name System, the service that maps between the numeric Internet Protocol (IP) addresses used to route traffic on the internet and the text-based domain names that are easier for people to remember and type into a browser — i.e. the IP address into

The DNS is a vital support for how people interact with the internet, and many services like email or internet browsing would be severely crippled without it.

DNS servers hold IP addresses and their corresponding text-based domain names and form a hierarchy, with each DNS server connecting both to clients and to higher-level DNS servers. Each level holds a progressively greater share of internet addresses, reaching up to the 13 primary root servers, which can reach every domain in the world.

The mechanics of the plot

According to Trend Micro, an internet security firm that assisted the FBI in its investigation, the servers were controlled through an IT company named Rove Digital in Tartu, Estonia.

In the indictment outlining the plan, the company was said to have used several elements to pull off the scheme. First, the false DNS servers were set up and opened an alternative route for computers to connect to the internet, as opposed to a user's own Internet Service Provider's DNS server.

In the second step, the indictment says the members of the team, one of whom is still at large, developed and disseminated DNSChanger, a tool that changed the infected computer's default DNS servers to route to the false ones when browsing the internet.

When a user would enter the alphanumeric name for a site through their web browser or search engine, the fake DNS server that the virus rerouted the request to would provide an alternate IP address that led to a different website.

Some of the sites were in and of themselves legitimate, like H&R Block; others were more obvious frauds, like a non-Apple affiliated site which purported to sell Apple products. In the case of the former, the servers redirected requests from users who had intended to go to the IRS website, and in the latter, users had wished to go to the iTunes store.

Because most web browsers never display the IP address a site resolves to, a typical user wouldn't know why or how they were sent to a different online location than the site they originally intended to visit.

However, the fraud was only conducted for certain websites, allowing some other requests to continue on the DNS chain undisturbed. This made the manipulation harder to detect.

Victims of DNSChanger may not even know they're infected until the FBI's temporary servers go offline. (REUTERS/John Adkisson)

The company, Rove Digital, is accused of making money from the nearly 650,000 infected computers by receiving 'per-click' revenue from advertisers, an otherwise legal method that rewards popular sites that refer users to sites being advertised, according to the official New York indictment and the FBI's Shearer.

For each person who visited the advertising sites, the team is accused of making a small referral fee from the advertiser, eventually racking up millions in commissions.

What to do if you're still infected

With users no longer being routed toward fraudulent sites after the FBI stepped in, and being sent to the temporary clean DNS servers instead, the virus lost most of its bite. However, as long as it remains on a user's computer, it will continue to force the machine to route its lookups through the temporary DNS servers, even after those servers are taken offline.

It also has the harmful effect of preventing some anti-virus software packages from updating their virus definitions, leaving those machines without protection against newer threats.

To help users identify and remove the virus, the Canadian Internet Registration Authority (CIRA), in collaboration with the Canadian Cyber Incident Response Centre (CCIRC) and the Canadian Radio-television Telecommunications Commission (CRTC), has also directed Canadians who believe their computers may have the virus to visit . The website is designed to check if a computer is using a DNS address that falls within the ranges used by the false DNS servers.
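The check described above, whether a machine's configured resolvers fall inside the rogue address ranges, can also be run locally. The script below is an added example, not code from the article or from CIRA; the rogue ranges are constructed placeholders (the article does not list the real ones) and the resolver config is a constructed sample, since DNSChanger's effect was exactly such a rewritten resolver setting.

```python
"""Check configured DNS resolvers against known-rogue address ranges.

Added example for this article. ROGUE_RANGES holds constructed placeholder
networks, not the actual DNSChanger server ranges; substitute the ranges
published by the investigating authorities before real use.
"""
import ipaddress
import re

# Constructed placeholders (RFC 5737 test networks) standing in for rogue blocks.
ROGUE_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed sample of a resolv.conf as a DNSChanger-style rewrite might leave it:
# one resolver inside a flagged range, one legitimate, one IPv6, one malformed.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search example.internal
nameserver 192.0.2.53
nameserver 203.0.113.1
nameserver 2001:db8::1
nameserver not-an-address
"""


def parse_nameservers(resolv_conf_text):
    """Return the resolver addresses from resolv.conf-style text.

    Comments and entries that are not valid IP literals are skipped, not raised.
    """
    servers = []
    for line in resolv_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        match = re.match(r"nameserver\s+(\S+)", line)
        if not match:
            continue
        try:
            servers.append(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue
    return servers


def check_resolvers(resolv_conf_text, rogue_ranges=ROGUE_RANGES):
    """Map each configured resolver to the rogue network it falls in, or None."""
    report = {}
    for addr in parse_nameservers(resolv_conf_text):
        hit = next((net for net in rogue_ranges
                    if addr.version == net.version and addr in net), None)
        report[str(addr)] = str(hit) if hit else None
    return report


if __name__ == "__main__":
    for server, hit in check_resolvers(SAMPLE_RESOLV_CONF).items():
        print(f"{server}: {'ROGUE in ' + hit if hit else 'ok'}")
```

On a real machine, read the text from /etc/resolv.conf (or the equivalent adapter settings on other systems) instead of the embedded sample; a flagged resolver means the DNS setting, not just the malware, needs to be reset.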
