Last Monday, July 9, around 300,000 Internet users lost connectivity because they still had not removed their DNS Changer malware infection. Immediately after the take down of the DNS Changer network infrastructure of Rove Digital on November 8, 2011, the FBI set up clean DNS servers for infected victims. These servers were temporary solutions for the victims who had three months (which was later extended to six months) to clean their infected machines.
Actually, a major blackout for hundreds of thousands of DNS Changer victims happened before: in fall 2008 when webhosting provider Atrivo went dark. Back then, Rove Digital had most of its computer servers running in the datacenter of Atrivo. In 2008, Atrivo’s going dark resulted in more than half of the rogue DNS servers going down for several days. So during those days, most DNS Changer victims could not use the Internet either. However soon after, Pilosoft, a webhosting company in New York, came to rescue the criminal operation of Rove Digital. Most of the DNS Changer infrastructure moved to the Pilosoft datacenter. This is just one of the details of the Rove Digital takedown we described in our white paper, which can be downloaded here: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_rove_digital_takedown.pdf
Some media outlets dubbed July 9, 2012 as Internet doomsday. July 9 has passed and it looks like that doomsday prediction did not come true, just like any other doomsday announced by mortals happens to be a non-event.
However, let me point out that although doomsday did not have massive repercussions, this doesn’t say that there was no damage done.
300,000 computers (others estimate it at about 500,000) going offline worldwide may not have any measurable effect, but loss of productivity and computer repair costs are real concerns. This might even translate to millions of dollars. Let me be clear, though: Rove Digital is responsible for this damage, not the FBI, nor any other party. Since the victims are spread all over the world, we do not expect to hear complaints. Moreover, a lot of the large ISPs in the US and Canada have carefully prepared for this Internet doomsday. Some of these ISPs have been very successful with cleaning up machines of infected customers, often with help of the DNS Changer Working Group (DCWG). Trend Micro is one of the first industry partners of DCWG, and the only AV vendor acting as a main contributor during the investigation period before the Rove Digital suspects were arrested in 2011. Later, companies like Google and Facebook joined. On a scale never seen before, both companies showed warning messages to their users who were infected with the DNS Changer malware.
All the great work of DCWG helped to reduce the number of infections a lot, but the last 300,000 – 500,000 infected users somehow cannot be reached by Facebook, Google, and mainstream media around the world. This remains somewhat a mystery to me.
