
Google will alert users to DNSChanger malware infection

Google is using a clever Domain Name System hack to let people infected with the DNSChanger malware know that they have only a few weeks left before their Internet connection goes dead.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.

Google is about to begin an ambitious project to notify some half a million people that their computers are infected with the DNSChanger malware.

The warning that will appear at the top of search results for people whose computers are infected.

The effort, scheduled to begin this afternoon, is designed to let those people know that their Internet connections will stop working on July 9, when temporary servers set up by the FBI to help DNSChanger victims are due to be disconnected.

"The warning will be at the top of the search results page for regular searches and image searches and news searches," Google security engineer Damian Menscher told CNET this morning. "The text will say, 'Your computer appears to be infected,' and it will give additional detail warning them that they may not be able to connect to the Internet in the future."

The malware, also known as "RSPlug," "Puper," and "Jahlav," was active until an FBI investigation called Ghost Click resulted in six arrests last November.

DNSChanger worked by pointing infected computers to rogue Domain Name System servers that could, for instance, direct someone trying to connect to BankOfAmerica.com to a scam Web site.

The way the alerts work is both simple and clever: When one of the replacement servers operated by ISC under court order talks to Google's servers, they reply with a special Internet Protocol address. Because connections to that IP address can safely be assumed to be from infected PCs, the alerts can be displayed in search results.
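The two-stage signal described above, simulated as an added example (not code from the article or from Google): the DNS answer depends on which resolver asks, and the web front end keys the warning on the address the client connected to. All addresses are documentation-range placeholders and the function names are hypothetical.

```python
import ipaddress

# Constructed values: documentation-range addresses, hypothetical names.
REPLACEMENT_RESOLVERS = ipaddress.ip_network("198.51.100.0/24")  # stand-in for the court-ordered servers
NORMAL_VIP = "192.0.2.10"    # address handed to every other resolver
ALERT_VIP = "203.0.113.10"   # "special" address handed only to replacement resolvers
WARNING = "Your computer appears to be infected"


def authoritative_answer(resolver_ip: str) -> str:
    """Search provider's DNS: pick the A record from the querying resolver's source address."""
    if ipaddress.ip_address(resolver_ip) in REPLACEMENT_RESOLVERS:
        return ALERT_VIP
    return NORMAL_VIP


def render_results(local_ip: str, results: list[str]) -> list[str]:
    """Web front end: local_ip is the address the client connected to
    (what getsockname() on the accepted socket would report)."""
    page = list(results)
    if local_ip == ALERT_VIP:
        page.insert(0, WARNING)  # banner goes above the search results
    return page


def search_via(resolver_ip: str, results: list[str]) -> list[str]:
    """A client's whole path: its configured resolver asks the provider's DNS,
    then the browser connects to whatever address came back."""
    destination = authoritative_answer(resolver_ip)
    return render_results(destination, results)


if __name__ == "__main__":
    hits = ["result 1", "result 2"]
    print(search_via("198.51.100.53", hits))  # client still using a replacement resolver
    print(search_via("192.0.2.53", hits))     # client using any other resolver
```

The front end never inspects the client's own address or settings; the only signal is the destination address, which a client reaches only if its resolver was one of the replacement servers.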

Computers became infected with DNSChanger when they visited certain Web sites or downloaded particular software to view videos online. In addition to altering the DNS server settings, the malware also prevented antivirus updates from happening.

Google took similar steps last summer when it displayed security alerts to infected computers that were connecting through intermediary servers called proxies.