As many as 300,000 PCs and Macs will drop off the Internet in about 65 hours unless their owners heed last-minute calls to scrub their machines of malware.
According to a group of security experts formed to combat DNSChanger, between a 250,000 and 300,000 computers, perhaps many more, were still infected as of 2 July.
DNSChanger hijacked users' clicks by modifying their computers' domain name system (DNS) settings to send URL requests to the criminals' own servers, a tactic that shunted victims to hacker-created sites that resembled real domains.
At one point, as many as 4 million PCs and Macs were infected with the malware, which earned its makers $14 million, US federal authorities have said.
Infected machines will lose their link to the Internet at 5am on Monday, 9 July, when replacement DNS servers go dark.
The servers, which have been maintained under a federal court order by Internet Systems Consortium (ISC), the non-profit group that maintains the popular BIND DNS open source software, were deployed last year after the FBI seized more than 100 command-and-control systems during the take-down of the hacker gang responsible for DNSChanger.
The FBI's Operation Ghost Click ended with arrests of six Estonian men - a seventh, a Russian, remains at large - the C&C seizures, and the substitution of the replacement servers. Without the substitutes, DNSChanger-infected systems would have been immediately knocked off the Internet.
Originally, the stand-in servers were to be turned off 8 March, but a federal judge extended the deadline to 9 July.
Last week, IID said that its scans showed 12% of Fortune 500 firms, or about one out of every eight, harbored DNSChanger-compromised computers or routers. And two out of 55 scanned U.S. government departments or agencies - or 3.6% - also had failed to scrub all their PCs and Macs.
The newest numbers were down from earlier scans by IID. In March, for example, the company pegged the Fortune 500 DNSChanger infection rate at 19% and the government agency rate at 9%.
In January, both groups' rate was an amazing 50%.
But there are still tens of thousands of laggards who have not cleaned their computers, even after a months-long effort by the DNSChanger Working Group (DCWG), a volunteer organisation of security professionals and companies.
"We're all struggling with this," said Rod Rasmussen, chief technology officer of IID and a member of the DCWG. "There are a lot of people who just haven't gotten the word."
The cleanup, Rasmussen said, has been the tough part of the DNSChanger takedown.
"There was a lot of planning done for the initial takedown, the arrests, the swapping of servers, but there wasn't as much for after the take-down," said Rasmussen. "How do we clean things up? Victim remediation is a challenge for our industry. Everyone wants to do it, but how do you pay for it?"
The DCWG worked extensively with Internet service providers to help them alert customers with infected computers - identified by their being shuttled through the replacement servers - and advise them on removing the malware. The group also reached out to enterprises, government agencies and other organisations to offer the same assistance.
At times, that worked.
"Some ISPs have been very draconian," said Rasmussen, citing providers that repeatedly called, e-mailed or phoned members with infected computers. "Some worked hard at a fair amount of expense."
Others instead prepared for the support calls they expect to field starting Monday when startled customers realize they can't get online. "They're staffing up for [Monday], they know that they're going to get [a large number of calls]."
For those that have done nothing, Monday will be rough, Rasmussen predicted. "For some ISPs, this may be a real flap," he said.
Two of the Internet biggest companies have also pitched with their own anti-DNSChanger campaigns.
In late May, Google began warning infected users with a bannered message at the top of the company's search results page. Several days later, Facebook kicked off a similar alert for its members.
Users have access to several free tools that identify infected computers, including several that just debuted under the DCWG's auspices.
IDG News Service