Several security experts and media reports predicted that Monday, July 9, would be remembered as the day millions lost their Internet connections — and possibly their livelihoods. Those concerns did not play out.
At 12:01 a.m. Eastern Time on Monday, the Federal Bureau of Investigation pulled the plug on servers that had been communicating with personal computers infected with a particularly thorny piece of malware. The malware, called DNSChanger, reconfigured the computers’ settings for the Domain Name System, or DNS, which functions as the switchboard for the Internet. The DNS translates user-friendly Web addresses like fbi.gov into numerical addresses that allow computers to speak to each other. Without DNS servers operated by Internet service providers, the Internet could not operate.
For four years, criminals based in Eastern Europe used the malware to tell computers to use the criminals’ own DNS servers and redirect Internet users to fraudulent advertising sites, in a scheme that federal officials say generated $14 million.
Last November, officials traced the scheme to six men in Estonia and one man in Russia; the former were arrested, and the latter remains at large. But by that point, officials said, DNSChanger had infected four million computers, including 500,000 in the United States. The malware was so stealthy that it was impossible for users to know if they had been infected.
As part of a federal court order, the F.B.I. arranged for a private company to swap the rogue DNS servers with legitimate servers to keep millions of infected users connected to the Internet. It also worked with Google, Facebook and major Internet service providers on a public awareness campaign to notify infected users that their systems had been compromised. As part of that push, a DNS Changer Working Group was formed to manage a Web site that let users check if their computers were infected and linked to sites that could help clean their systems.
But the federal court order keeping those legitimate servers running expired at midnight on Sunday, which left many security firms and the media forecasting a Y2K-like Internet blackout.
That never happened. By Monday afternoon, Internet service providers had yet to release the number of affected systems. But the final tally is likely to be nowhere near Internet Armageddon, partly because Internet service providers, like AT&T and Verizon, temporarily substituted their own DNS servers for those set up by the F.B.I. AT&T plans to keep its servers running through the end of the year. Verizon will keep its servers running through the end of July.