
If you're reading this online, you're fine. The day that was supposed to see thousands of people knocked off the Internet has arrived, but only a few people were affected.
Thousands of Internet users across the U.S. and beyond waited too long or simply didn't believe warnings that they would lose access to the Internet just after midnight because of malware that took over computers around the world more than a year ago.
At 12:01 a.m. on Monday, the FBI turned off Internet servers that were functioning as a temporary safety net to keep infected computers online for the past eight months. A court order the agency had gotten to keep the servers running expired, and was not renewed.
FBI officials have been tracking the number of computers they believe still may be infected by the malware. As of Sunday night, there were about 41,800 in the U.S., down from 45,600 on July 4. Worldwide, the total is roughly 211,000 infected. An estimated 2.3 billion people around the world use the Internet, according to Internet World Stats.
Considering that there are millions of Internet users across the country, several thousand losing access isn't a big deal -- unless you are one of them.
As the deadline approached, Internet service providers such as AT&T Inc. and Time Warner Cable Inc. set up their own safety nets to allow the affected computers to continue to access the Internet.
AT&T said only a "small percentage" of its customers were affected by the virus. To make sure they can continue to access the Internet, the company will maintain legitimate Internet servers for them through the end of the year.
This, said spokesman Mark Siegel, gives people "adequate time" to remove the virus from their computers and avoid service interruption.
Time Warner Cable would not say how many of its customers were affected by the virus, but spokesman Justin Venech said the company also set up its own servers to ensure they can get online. Time Warner has no specific deadline, but the company will notify people who are affected so they can fix their computers.
Verizon Communications Inc. said it will "continue to provide extended support to our customers during the month of July - while continuing to instruct them on the necessary actions they must take to resolve the issue on their computers."
The company added that it has notified affected customers "using a variety of methods, including email, phone calls, and postal mail correspondence."
In South Korea, there were no reports from affected computers Monday. As many as 80 computers there are believed to be infected with the malware that may cause problems in Web surfing, down from 1,798 computers in February, according to the government.
"The impact will be limited," said Lee Sang-hun, head of network security at the Korea Communications Commission, a government body. The government and private broadband providers opened helplines and issued warnings. They also asked users to check if their computers were infected and to download antivirus software. South Korea is one of the most wired countries in the world, with more than 90 percent of households connected to broadband Internet.
The problem began when international hackers ran an online advertising scam to take control of more than 570,000 infected computers around the world. When the FBI went in to take down the hackers late last year, agents realized that if they turned off the malicious servers being used to control the computers, all the victims would lose their Internet service.
In a highly unusual move, the FBI set up the safety net. They brought in a private company to install two clean Internet servers to take over for the malicious servers so that people would not suddenly lose their Internet.
And they arranged for a private company to run a website, http://www.dcwg.org, to help computer users determine whether their computer was infected and find links to other computer security business sites where they could find fixes for the problem.
From the onset, most victims didn't even know their computers had been infected, although the malicious software probably slowed their web surfing and disabled their antivirus software, making their machines more vulnerable to other problems.
Efforts to solve the issue have been hindered a bit by a few factors: Many computer users don't fully understand how their computers work. The cyber world of viruses, malware, bank fraud and Internet scams is often distant and confusing, and warning messages may go unseen or unheeded.
And other people simply don't trust the government, and believe that federal authorities are only trying to spy on them, or take over the Internet, by pushing solutions to the infection. Blogs and other Internet forums are riddled with postings warning of the government using the malware as a ploy to breach American citizens' computers -- a charge the FBI and other security experts familiar with the malware quickly denounced as ridiculous.
There is an underlying sense that this has been much ado about nothing -- like the hoopla over Y2K, when the transition to the year 2000 presented technical problems and fears that some computers would stop working because they were not set up for the date change. In the end, as in this case, there were very few problems.
Rep. Jim Langevin, D-R.I., who co-founded the cybersecurity caucus in Congress, said computer users have a responsibility to practice good hygiene and make sure their computers have not been infected or hijacked by criminals.
"These types of issues are only going to increase as our society relies more and more on the Internet, so it is a reminder that everyone can do their part," he said.
Chester Wisniewski, senior security adviser at computer security firm Sophos, said it would have been better to turn off the safety net earlier, so that people can clean up their computers.
"There is only so much responsibility the American government has to continue to run this stuff," he said. "If you still have this virus it's likely that you have others."
Online:
Site to test computer settings: http://www.dns-ok.us
Consortium on DNSChanger: http://www.dcwg.org
------
By LOLITA C. BALDOR and BARBARA ORTUTAY Associated Press
Ortutay reported from New York. Associated Press Technology Writer Youkyung Lee in Seoul, South Korea, contributed to this report.
By ANICK JESDANUN AP Technology Writer
On Monday, the FBI turned off servers that had allowed thousands of malware-stricken computers to continue using the Internet. The personal computers -- both Windows PCs and Macs -- are corrupted by a virus known as DNSChanger. Without the servers, the machines wouldn't know how to locate websites and send email.
Q. What happened?
A. Years ago, scammers managed to trick millions of people into installing the DNSChanger software, which changed certain computer settings. With the change, your computer went to a rogue server rather than a legitimate one at your company or Internet service provider. From there, the scammers were able to send you to websites containing rogue ads from which they profited.
Q. How were the servers supposed to function?
A. Databases known as domain name servers translate Internet addresses such as "ap.org" into a series of numbers your computer needs to locate other Internet-connected machines. Think of it as the Internet's version of directory assistance for telephone numbers. If you need the number for Acme's Flowers, you call "411" to ask for it.
Q. How did the scam work?
A. In the simplest terms, think of it as "411" calls that were rerouted to a directory-assistance service operated by the scammers. You call it to ask for Acme's Flowers, but the service gives you the number for a flower shop run by the mob. The shop still fulfills the order, so you don't suspect anything, but it might use stolen flowers and baskets.
According to federal authorities, there were variations on how the scammers profited.
In some cases, only the ads were changed. For example, authorities say, people who went to ESPN's website saw an ad for a timeshare business rather than the Dr. Pepper ad that was supposed to be there. In such cases, those people were still going to ESPN's website. Normally, your computer would grab the ad displayed on ESPN from a separate, legitimate ad-placement company. Authorities say the affected computers were tricked into grabbing the scammers' ad instead.
In other cases, authorities say, people searching through Google or Yahoo were sent to a fake search engine. They got search results that looked like Google's or Yahoo's but contained links to unauthorized sites. For example, people trying to reach the IRS site instead got H&R Block's, without the tax preparer's knowledge. Authorities say scammers got payments for referrals.
The FBI said the scam netted at least $14 million.
Q. If this has been going on for years, why did it become a problem Monday?
A. Authorities busted the ring in November and arrested six suspects. The rogue databases were replaced with legitimate ones, but they were always meant to be temporary and did nothing to change the settings on individual computers. In other words, the troubled computers were still looking for databases at the rogue locations, but legitimate databases were set up at those rogue locations.
Those databases were turned off Monday with the expiration of a court order, so infected computers are now looking for databases that don't exist. Without the information, computers don't know where to find websites.
Continuing the phone analogy, the "411" calls during the transition period didn't go to the usual directory-assistance service but one operated on behalf of the FBI. You'd get the correct Acme's Flowers, not the mob operation. Since the temporary service shut down Monday, "411" calls essentially go to a disconnected line.
Q. Are the infected computers now offline?
A. Not really. If your computer is corrupted, you can still reach websites if you know their numeric Internet address. But chances are, you don't. So you are effectively offline. Imagine if all your contacts in your cellphone got wiped out. How many people would you be able to call?
In addition, some service providers are redirecting traffic on the back end so that they still reach legitimate databases.
Q. How many computers are affected?
A. At the time of the arrests in November, the FBI said about 4 million computers had the rogue settings, including about 500,000 in the U.S. Some were home computers, while others were on employees' desks at major businesses and government agencies, including NASA. Many of the computers had been fixed since then, with the settings restored to reach normal, permanent databases. As of late Sunday, just before the temporary databases were turned off, the FBI believes about 211,000 were still affected worldwide, including 41,800 in the U.S.
Q. What has been done to fix the computers infected with DNSChanger?
A. For months, the FBI and private companies have been sending general warnings about the deadline. Some Internet service providers and the social-networking service Facebook Inc. also have been directly notifying people they believe still have infected computers. Some Facebook users, for instance, got a message on their screen warning them that access to websites, emails and chat would end Monday if they didn't correct the problem. They were given a website with more information on detecting and fixing the problem.
Nonetheless, many computers remained infected. Many users didn't understand what was going on, let alone how to fix the problem. And some thought the warnings themselves were scams, or at least an effort by the government to spy on them.
Q. What happens if my computer is still infected?
A. Several security companies have free tools to scan your computer and remove this and other threats. Chances are if you are reading this on the Internet after Monday, your computer is OK. You can go to http://www.dns-ok.us to make sure. Even if your computer is clean, it's a good idea to have it scanned regularly or install security software that does it automatically on a regular basis. More details on fixing your computer can be found here: http://www.dcwg.org/fix.
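The check behind "make sure" can also be done locally by comparing the DNS servers a machine is configured to use against the address ranges of the rogue servers. The following is an added example, not part of the AP report: the function names are hypothetical, the ranges are placeholders from reserved documentation address space (the article does not list the real ones), and the resolver file is a constructed sample in `resolv.conf` syntax.

```python
import ipaddress

# Placeholder ranges (RFC 5737 documentation space), NOT real indicators.
# Replace with the rogue resolver ranges published for the infection.
ROGUE_RANGES_PLACEHOLDER = ["192.0.2.0/24", "198.51.100.0/25"]

# Constructed sample of a resolver configuration file (resolv.conf syntax).
SAMPLE_RESOLV_CONF = """\
# written by DHCP client
search example.internal
nameserver 198.51.100.17
nameserver 203.0.113.53   # ISP resolver
nameserver fe80::1%eth0
nameserver not-an-ip
"""


def parse_nameservers(text):
    """Return (valid_addresses, malformed_tokens) from resolv.conf-style text."""
    valid, malformed = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue
        token = fields[1].split("%", 1)[0]    # drop IPv6 zone id
        try:
            valid.append(ipaddress.ip_address(token))
        except ValueError:
            malformed.append(fields[1])       # report, do not silently skip
    return valid, malformed


def audit_resolvers(text, rogue_ranges):
    """Split configured resolvers into those inside and outside rogue ranges."""
    networks = [ipaddress.ip_network(r) for r in rogue_ranges]
    valid, malformed = parse_nameservers(text)
    flagged = [str(a) for a in valid if any(a in n for n in networks)]
    clean = [str(a) for a in valid if str(a) not in flagged]
    return {"flagged": flagged, "clean": clean, "malformed": malformed}


if __name__ == "__main__":
    report = audit_resolvers(SAMPLE_RESOLV_CONF, ROGUE_RANGES_PLACEHOLDER)
    for kind, entries in report.items():
        print(f"{kind}: {', '.join(entries) or '-'}")
```

A flagged entry means the setting itself still points at a rogue location and has to be corrected, which is the part the temporary servers never did.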