What Is DNSChanger Malware and Why Should I Fear It?

Around 300,000 internet users across the world may lose their internet connections on July 9 if their computers are infected with the "Alureon/DNSChanger" malware, the Federal Bureau of Investigation (FBI) has warned.

What is the DNS Changer Malware?

On November 8, 2011, the FBI, NASA's Office of Inspector General (NASA-OIG) and the Estonian police arrested several cyber criminals in "Operation Ghost Click". The criminals operated under the company name "Rove Digital" and distributed DNS-changing malware variously known as TDSS, Alureon, TidServ and TDL4.

What does the DNS Changer Malware do?

The botnet operated by Rove Digital altered victims' DNS settings, pointing them at rogue DNS servers hosted in data centers in Estonia, New York and Chicago. The rogue servers returned forged answers that redirected users' searches and promoted fake and dangerous products. Because nearly every connection to a website begins with a DNS lookup, whoever controls the resolver controls what the user reaches: the malware showed its victims an altered version of the Internet.

Criminals have learned that if they control a user's DNS servers, they control which sites the user connects to on the Internet. By controlling DNS, a criminal can send an unsuspecting user to a fraudulent website or interfere with that user's web browsing. One way criminals do this is by infecting computers with a class of malicious software (malware) called DNSChanger. The malware changes the user's DNS server settings, replacing the ISP's legitimate DNS servers with servers operated by the criminal. A DNS server operated by a criminal is referred to as a rogue DNS server.

DNSChanger causes a computer to use rogue DNS servers in one of two ways. First, it changes the computer's own DNS server settings, replacing the ISP's DNS servers with rogue servers operated by the criminal. Second, it attempts to reach devices on the victim's small office/home office (SOHO) network that run a dynamic host configuration protocol (DHCP) server (e.g. a router or home gateway). The malware logs in to these devices using common default usernames and passwords and, if successful, changes the DNS servers they hand out to clients from the ISP's servers to the rogue servers. This change affects every computer on the SOHO network, even those that are not infected with the malware, and cleaning the infected PC does not undo it: the router's DNS settings have to be corrected separately and its default administrative password changed.
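As an added example (not code from the article or from the FBI), the following Python script checks the resolvers a host actually uses, taken from /etc/resolv.conf, from `ipconfig /all` output on Windows, or from a dhclient lease file that records what the router handed out, against the rogue address ranges the FBI published for this botnet. Both infection vectors described above are covered: the host's own settings and the DHCP-supplied settings from a tampered router. The sample inputs are constructed, and the CIDR blocks are assumed to match the FBI advisory and should be checked against it before use.

```python
"""Check a host's or router's configured DNS resolvers for DNSChanger.

Added example, not code from the original article or from the FBI.  It
parses the resolver settings a machine actually uses (constructed sample
inputs below) and flags any resolver inside the rogue address ranges."""
import ipaddress
import re

# Rogue resolver ranges as published in the FBI DNSChanger advisory, as
# CIDR blocks (e.g. 85.255.112.0 - 85.255.127.255 is 85.255.112.0/20).
# Assumed correct here; verify against the advisory.  IPv4 only.
ROGUE_RANGES = [ipaddress.ip_network(c) for c in (
    "85.255.112.0/20",
    "67.210.0.0/20",
    "93.188.160.0/21",
    "77.67.83.0/24",
    "213.109.64.0/20",
    "64.28.176.0/20",
)]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def resolvers_from_resolv_conf(text):
    """Linux/macOS: the 'nameserver <ip>' lines of /etc/resolv.conf."""
    return re.findall(r"^\s*nameserver\s+(\S+)", text, re.M)

def resolvers_from_ipconfig(text):
    """Windows: the 'DNS Servers' entry of `ipconfig /all`.  Extra
    resolvers sit on indented continuation lines carrying only an
    address, so keep collecting until the next labelled ':' line."""
    servers, collecting = [], False
    for line in text.splitlines():
        if "DNS Servers" in line:
            collecting = True
            servers += IPV4.findall(line.split(":", 1)[-1])
        elif collecting and ":" not in line and IPV4.search(line):
            servers += IPV4.findall(line)
        else:
            collecting = False
    return servers

def resolvers_from_dhclient_lease(text):
    """Linux DHCP client lease: what the router (DHCP server) handed out.
    This exposes the second vector: a router whose DNS settings were
    changed via default admin credentials poisons every LAN client."""
    servers = []
    for m in re.finditer(r"option domain-name-servers\s+([^;]+);", text):
        servers += [s.strip() for s in m.group(1).split(",")]
    return servers

def rogue_resolvers(servers):
    """Return the subset of `servers` that fall inside a rogue range."""
    bad = []
    for s in servers:
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:  # hostname or garbage, not an address: skip
            continue
        if any(ip in net for net in ROGUE_RANGES):
            bad.append(s)
    return bad

# Constructed sample inputs, not captured from a real infected machine.
SAMPLE_RESOLV_CONF = """\
nameserver 85.255.112.36
nameserver 85.255.112.37
search example.lan
"""

SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 93.188.160.5
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

SAMPLE_DHCLIENT_LEASE = """\
lease {
  interface "eth0";
  fixed-address 192.168.1.23;
  option routers 192.168.1.1;
  option domain-name-servers 213.109.64.10, 213.109.64.11;
}
"""

def audit(label, servers):
    """Print and return the rogue resolvers found in one source."""
    bad = rogue_resolvers(servers)
    print(f"{label}: {servers} -> {'ROGUE ' + str(bad) if bad else 'ok'}")
    return bad

if __name__ == "__main__":
    audit("resolv.conf", resolvers_from_resolv_conf(SAMPLE_RESOLV_CONF))
    audit("ipconfig /all", resolvers_from_ipconfig(SAMPLE_IPCONFIG))
    audit("dhclient lease", resolvers_from_dhclient_lease(SAMPLE_DHCLIENT_LEASE))
```

One caveat when reading the lease file: many home routers hand out their own LAN address (here 192.168.1.1) as the resolver and forward queries upstream. In that case a clean-looking lease proves nothing, and the router's WAN-side DNS settings must be inspected in its administrative interface.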

It Prevents Antivirus and Operating System Updates

In addition to directing your computer to rogue DNS servers, DNSChanger may have prevented it from obtaining operating system and anti-malware updates, both critical to protecting a computer from online threats. This behavior increases the likelihood of the computer being infected by additional malware. The criminals who conspired to infect computers with this malware used various methods to spread the infections. At this time there is no single patch or fix that can be downloaded and installed to remove it. Restoring the DNS settings by hand, on the computer and on the router, brings name resolution back but does not remove the malware itself. Individuals who believe their computer may be infected should consult a computer professional.

Why is this a problem now?

The malware found its way onto thousands of computers worldwide last year. It redirected users away from trusted websites to spoofed ones in a bid to steal financial and personal information. When the operation was taken down, the FBI, acting under a court order, replaced the rogue DNS servers with clean substitute servers so that infected machines kept resolving names while the criminal infrastructure went dark.

But those substitute servers will be taken down on July 9. When that happens, computers that are still infected will lose their internet connection without warning: the resolvers they are configured to use simply stop answering, so every name lookup fails even though the network link itself is intact (a site can still be reached by IP address, which is one way to recognise the problem). At 12:01 a.m. EDT the FBI planned to shut down the servers that had served as a temporary safety net, keeping infected computers online for the past eight months. The court order the agency obtained to keep the servers running expired, and it was not renewed.