Google has embarked on a final campaign to warn the remaining half million PCs it reckons could still be infected with the DNSChanger malware that they risk losing Internet connectivity on 9 July.
From this week, search users it detects redirecting to DNSChanger’s now substituted domains will be splashed the stark warning “Your computer appears to be infected” with an accompanying link offering remediation advice.
“While we expect to notify over 500,000 users within a week, we realize we won’t reach every affected user. Some ISPs have been taking their own actions, a few of which will prevent our warning from being displayed on affected devices,” said Google's warning.
As many as half the users affected by DNSChange do not speak English and had not reacted to warnings already issued by the FBI and others, Google believed.
DNSChanger was the work of an Estonian criminal gang that recruited PCs into the bot without hindrance for several years until being busted by law enforcement Operation Ghost Click in November 2011.
Once infected PCs all browser visits were redirected through the gang’s own DNS servers, now kept alive by court direction simply to give infected users time to unhitch themselves from these machines.
Estimates on infection vary but it is believed that at its peak DNSChanger infected four million PCs, including sizable numbers inside large US companies. An original cut-off date of 8 March was extended to 9 July to allow more users to remove the malware.
Given the widespread warnings issued by numerous companies over several months, it is likely that a significant number of users will not react in time. Google’s latest campaign follows up on a similar one launched as long ago as last summer.
Advice on dealing with DNSChanger can be found from a number of sources but removing the redicrection might not be the end of a user’s troubles – in recent times DNSChanger infection was often accompanied by other forms of malware that will need to be dealt with separately.