DNSChanger Shutting Down Internet Service

Jon Norwood gives a practical guide to the DNSchanger malware and what will happen when its servers are shut down on July 9th.


If you are a Windows or Mac user then it is important that you thoroughly check your computer for malware before July 9, 2012. The FBI claims that a particular form of malware called DNSChanger is infecting millions of computers in hundreds of countries. This particular form of malware allowed a group of hackers to control the advertising that appeared in browsers on infected computers. Although it is oftentimes impossible to assess the true extent of a particular type of malware's penetration in any given Internet market segment, DNSChanger is much easier to track. Why this is so will become clear.

DNSChanger specifically targets Mac and Windows systems by manipulating the Domain Name Server settings on infected computers. So what is a Domain Name Server? These Internet servers are often referred to as DNS servers and their purpose is to translate domain names into IP addresses. For example, if you type in www.bing.com it would appear as if you are going directly to the search engine. In fact, the only reason you can find bing.com is because your Internet service provider has DNS servers that see your request, retrieve the actual IP address for the domain you've typed, and then point you in the right direction. The Internet is based on an architecture that's referred to as TCP/IP, or Transmission Control Protocol/Internet Protocol. You don't really need domain name servers if you can remember the IP address for whatever site you want to go to. The Internet certainly wouldn't have the appeal that it does now if you had to type in an IP address instead of www.bing.com. It is important to add that e-mail also requires a DNS server.

A computer infected with DNSChanger is directed to use a specific group of DNS servers that were under the control of hackers. These fraudulent servers could manipulate users' DNS requests to send them anywhere. This group was sophisticated enough to use sleight of hand rather than sending users to obviously erroneous sites. Web advertisements were fed to users carefully, and this led to millions of dollars of revenue for the criminals.

As mentioned above, the servers were under the control of criminals; however, the FBI has since seized control of them. With the help of Estonian law enforcement the FBI tracked down the six Estonian nationals who were perpetrating the crime. After thorough investigation the FBI chose to leave the fraudulent DNS servers in use because so many computers were already infected with DNSChanger. If these fraudulent servers were turned off today, anyone infected with DNSChanger would no longer be able to reach a webpage using a domain name or use e-mail. Of course the FBI shut down the erroneous advertisements, so the domain name servers that infected computers are using are actually doing the right thing for now. It is hoped that the continued management of the servers will give users sufficient time to clean up their systems. Due to the costs associated with maintaining the servers, they will be shut down on July 9, 2012.

So if you are infected with DNSChanger your access to the Internet will continue as it is now, and the connection from your Internet provider will certainly be uninterrupted. However, any service you are using that depends on DNS servers, meaning web browsing or e-mail, will no longer function beyond July 9, 2012. Even though you will stay connected to the Internet you will be severely limited in what you can do.

So the big question becomes: how can you tell if you are infected with this malware? If you have access to an inexpensive computer professional, that's always the first choice; of course, if you need to check it yourself, it can be done. For the Windows operating systems do the following:

1.  Open the start menu and do a program search for cmd.exe. This will open the command prompt.

2.  From the command prompt type ipconfig /all

Look specifically for the entry that reads "DNS Servers". There should be two lines of numbers listed that look something like Please understand that number is most likely not your DNS number unless you are a Time Warner user. These numbers are used only as an example to show you what the numbers look like. Once you find your DNS server IPs write them down. Check to see if your numbers match any of the following:

•    through

•    through

•    through

•    through

•    through

•    through

If your computer is currently using any of the above DNS servers then it is likely you are infected with DNSChanger. For more information on how to remove DNSChanger please visit https://www.us-cert.gov/reading_room/trojan-recovery.pdf. It must be stressed: if you do not feel comfortable working as a computer technician, it is always a good idea to get a pro to do the work.
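The check described in the steps above (run `ipconfig /all`, find the "DNS Servers" entry, compare the addresses against the listed ranges) can be scripted so the comparison is not done by eye. The following is an added example, not code from the article or from US-CERT. It parses a constructed sample of `ipconfig /all` output (real ipconfig prints the first DNS server after the colon and any further servers on continuation lines) and tests each address against a list of first-through-last ranges. The ranges in `SUSPECT_RANGES` are placeholders from the 192.0.2.0/24 documentation block, not the DNSChanger ranges; substitute the "through" ranges given in the article before relying on the result.

```python
import ipaddress
import re
import subprocess

# Constructed sample of `ipconfig /all` output (not captured from a real machine).
SAMPLE_IPCONFIG = """
Windows IP Configuration

   Host Name . . . . . . . . . . . . : EXAMPLE-PC
   Primary Dns Suffix  . . . . . . . :

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.invalid
   IPv4 Address. . . . . . . . . . . : 192.168.1.20(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.0.2.53
                                       198.51.100.53
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# PLACEHOLDER ranges (documentation block TEST-NET-1), NOT the DNSChanger ranges.
# Replace each (first, last) pair with the "through" ranges listed in the article.
SUSPECT_RANGES = [
    ("192.0.2.0", "192.0.2.255"),
]

_IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_dns_servers(ipconfig_text):
    """Return the IPv4 DNS server addresses listed in `ipconfig /all` output.

    The first server follows 'DNS Servers ... :'; additional servers appear on
    continuation lines containing only an address. IPv6 entries are ignored
    because the article's ranges are IPv4.
    """
    servers = []
    in_dns_block = False
    for line in ipconfig_text.splitlines():
        if "DNS Servers" in line:
            in_dns_block = True
            servers.extend(_IPV4_RE.findall(line.split(":", 1)[1]))
            continue
        if in_dns_block:
            stripped = line.strip()
            if stripped and _IPV4_RE.fullmatch(stripped):
                servers.append(stripped)
                continue
            in_dns_block = False  # any other line ends the DNS Servers entry
    return servers


def ranges_to_networks(ranges):
    """Expand (first, last) address pairs into the CIDR networks covering them."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    return nets


def flag_suspect_servers(servers, ranges=SUSPECT_RANGES):
    """Return the subset of `servers` that fall inside any suspect range."""
    nets = ranges_to_networks(ranges)
    flagged = []
    for server in servers:
        try:
            addr = ipaddress.IPv4Address(server)
        except ValueError:
            continue  # skip anything that is not a well-formed IPv4 address
        if any(addr in net for net in nets):
            flagged.append(server)
    return flagged


def check_ipconfig(ipconfig_text, ranges=SUSPECT_RANGES):
    """Parse ipconfig output and return the DNS servers that match the ranges."""
    return flag_suspect_servers(parse_dns_servers(ipconfig_text), ranges)


if __name__ == "__main__":
    # On Windows, read the live configuration; elsewhere fall back to the sample.
    try:
        output = subprocess.run(["ipconfig", "/all"], capture_output=True,
                                text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        output = SAMPLE_IPCONFIG
    found = parse_dns_servers(output)
    print("DNS servers in use:", found)
    suspect = flag_suspect_servers(found)
    print("Matches against suspect ranges:", suspect or "none")
```

Against the constructed sample the script reports 192.0.2.53 as a match and 198.51.100.53 as clean; with the article's real ranges substituted, a non-empty match list is the same signal the manual check gives, and the US-CERT recovery document linked above is the next step.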


Jon Norwood is a regular contributor at: http://www.webexordium.com




By Jon Norwood on May 29, 2012
