Google plans today to begin warning Internet users if their computers show telltale signs of being infected with the DNSChanger Trojan. The company estimates that more than 500,000 systems remain infected with the malware, despite a looming deadline that threatens to quarantine the sick computers from the rest of the Internet.
Security experts won court approval last year to seize control of the infrastucture that powered the search-hijacking Trojan in a bid to help users clean up infections. But a court-imposed deadline to power down that infrastructure will sever Internet access for PCs that are not rid of the malware before July 9, 2012.
The company said the warning (pictured above) will appear only when a user with an infected system visits a Google search results property (google.com, google.co.uk, etc.), and will include the message, “Your computer appears to be infected.” Google security engineer Damian Menscher said the company expects to notify approximately a half-million users in the first week of the notices.
“In general we want to notify users [of malware infections] anytime we are capable of doing so, but the fact that we don’t do this more often is really just because it’s hard to come across cases where we can do it this accurately,” Menscher said. “In many cases we only have maybe a 90 percent confidence that someone is infected, and the false positive rate of 10 percent is simply too high to be feasible. But in this case we can be essentially certain that someone is infected.”
The warning that infected users will see is nearly identical to a similar alert Google used last year in a campaign to rid the Web of another search hijacker that was trying to frighten users into purchasing bogus antivirus software — also known as “scareware.”
DNSChanger may no longer be hijacking search results, but the malware still carries secondary threats and risks. It was frequently bundled with other nasty software, and consequently machines sickened with DNSChanger also probably host other malware infestations. Additionally, DNSChanger disables antivirus protection on host machines, further exposing them to online threats.
To address these concerns, Google is steering users of infected systems to a set of instructions that include steps to eradicate DNSChanger and to third-party cleanup tools that may help scrub infections from other malware.
Menscher said Google will be displaying the warning in dozens of different languages.
“We think part of it is that all of the public press on this so far has been in English or a handful of other languages,” Menscher said. “It turns out that only half of these infected users speak English as their primary language.”
DNSChanger modifies settings on a host PC that tell the computer how to find Web sites on the Internet, hijacking victims’ search results and preventing them from visiting security sites that might help detect and scrub the infections. The Internet servers that were used to control infected PCs were located in the United States, and in coordination with the arrest last November of the Estonian men thought to be responsible for operating the Trojan network, a New York district court ordered a private U.S. company to assume control over those servers.
The government argued that the arrangement would give ISPs and companies time to identify and scrub infected PCs, systems that would otherwise be disconnected from the Internet if the control servers were shut down. The court agreed, and ordered that the surrogate control servers remain in operation until March 8. When the March 8 deadline approached and cleanup was discovered to be taking longer than expected, the court agreed to extend the cutoff date to July 9, 2012.