Security firm Internet Identity has revealed that more than half of all Fortune 500 companies and major U.S. federal agencies are infected with malware called DNSChanger. The company discovered that as of early January a minimum of 250 Fortune 500 companies had one or more computers or routers infected with the malware, as did 27 out of 55 federal agencies. On November 9th the FBI announced the arrest of six Estonian nationals in relation to DNSChanger, which was believed to have infected approximately four million computers globally, including 500,000 in the United States, and generated close to $14 million in illicit advertising money. According to the FBI, DNSChanger affected computers in two ways, both of which generated advertising revenue: click hijacking, in which users would click on a search result link and be re-routed to another site, producing per-click advertising payouts; and advertising replacement fraud, which would replace legitimate ads on a website with substitutes that would trigger payments.
During the arrests, known as Operation Ghost Click, the FBI seized a number of computer systems that were being used as rogue DNS servers. These weren't shut down but were instead replaced with legitimate servers. The legitimate servers, however, were only a temporary solution put in place for 120 days, after which point the "internet may literally go dark" for the remaining infected computers, according to Internet Identity. There are reportedly still "millions" of PCs infected with the malware that could potentially go dark on March 8th if the FBI doesn't secure an extension for the replacement DNS servers.
A group called the DNS Changer Working Group, "an ad hoc group of subject matter experts" that consists of organizations like Georgia Tech, the University of Alabama at Birmingham, Trend Micro, Neustar, and more, is offering to identify infected IP addresses for free. The group's site offers tips on checking for DNSChanger on OS X, XP, Windows 7, and home routers, while larger organizations can email the group to see if any of their networks are infected.