DNSChanger


Updated Nov 21, 2012 at 02:26AM EST by Brad.

Added Jul 06, 2012 at 06:14PM EDT by amanda b..


Overview

DNSChanger is a Trojan virus that was distributed between 2007 and 2011. Masked as a video codec, the program modified the computer's Domain Name System (DNS) configuration to send users to a rogue server, which replaced normal advertising with advertising sold by Rove Digital[1], the Trojan's distributor. In November 2011, the United States FBI seized the company's servers, which are set to be turned off on July 9th, 2012. On July 2nd, 2012, F-Secure Labs[2] estimated that 300,000 unique IP addresses were still registered on the servers, leading many news sites and tech blogs to publish articles about a "DNSChanger Doomsday."

Background

Forum posts about the DNSChanger virus began appearing as early as February 3rd, 2007 on the What the Tech?[3] forums. That year, more users posted threads expressing concern about the virus on the Search and Destroy forums[4] and Wilders Security Forums[5], and articles on how to remove it appeared on blogs including Security Ticker[6], My Anti Spyware[7] and F-Secure.[8] The following year, in December 2008, a blog post about the virus was published on the Washington Post[9] and shared on Reddit[10] the following day.

[Figure: DNSChanger Victims Observed per Day. Victim population per day by date, Nov 05, 2011 to Jan 28, 2012.]


In November 2011, members of the United States FBI arrested six Estonian nationals in Operation Ghost Click[22], dismantling Rove Digital after more than 4 million computers across the globe had been affected.

Notable Development

After Rove's affected servers were seized, the FBI replaced them with legitimate servers in hopes that affected users would not have their service disrupted. The FBI servers stood in for the rogue ones and provided correct DNS resolution for those users with the trojan still embedded in their computers.[18] Originally, these servers were meant to be turned off in March 2012, but because 450,000 computers worldwide were still affected, the federal government granted an extension until Monday, July 9th, 2012.



[Figure: DNS Changer Infections: 1/2012 to 3/2012]

Malware Detector 

On July 4th, F-Secure released an estimate that at least 300,000 computers were still infected with the malware. As the deadline drew near, the FBI launched a website at DNS-ok.us where computer users can check their infection status, indicated by a green or red background.


[Image: DNS Changer Check-Up pages. DNS Resolution = GREEN: "Your computer appears to be looking up IP addresses correctly!" DNS Resolution = RED: "Your computer is using the DNS Changer nameservers and is therefore probably infected."]
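A local counterpart to the check-up described above, as an added example that is not from the original page or from the FBI site: it reads resolv.conf-style resolver settings and reports RED when a configured nameserver falls inside a rogue range. The ranges are labelled placeholders from the documentation address space, and the function names and sample configurations are constructed for illustration.

```python
import ipaddress

# Placeholder ranges (RFC 5737 documentation space), NOT real indicators.
# Substitute the rogue resolver ranges published by the FBI or the DCWG.
ROGUE_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]

# Constructed sample resolver configurations in resolv.conf syntax.
CLEAN_CONF = """\
# set by DHCP
nameserver 203.0.113.53
nameserver 2001:db8::53
"""
INFECTED_CONF = """\
search example.test
nameserver 198.51.100.17   ; rewritten by malware
nameserver 203.0.113.53
"""

def parse_nameservers(conf_text):
    """Return the resolver addresses found on 'nameserver' lines."""
    servers = []
    for line in conf_text.splitlines():
        # Drop trailing comments, then split into keyword and value.
        fields = line.split("#")[0].split(";")[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                # Strip an IPv6 zone id such as fe80::1%eth0 before parsing.
                servers.append(ipaddress.ip_address(fields[1].split("%")[0]))
            except ValueError:
                continue  # malformed address: skip it
    return servers

def check_up(conf_text):
    """Return ('RED', offenders) if any resolver is in a rogue range, else ('GREEN', [])."""
    offenders = [str(ip) for ip in parse_nameservers(conf_text)
                 if any(ip.version == net.version and ip in net for net in ROGUE_RANGES)]
    return ("RED", offenders) if offenders else ("GREEN", [])

if __name__ == "__main__":
    for name, conf in (("clean", CLEAN_CONF), ("infected", INFECTED_CONF)):
        print(name, check_up(conf))
```

A GREEN result covers only the settings passed in; a resolver handed out by a home router has to be checked on the router itself.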

Major internet companies like Google and Facebook, as well as U.S. Internet service providers (ISPs) like Comcast, COX, Verizon, and AT&T, also issued automatic notifications to users connecting through the rogue DNS network.


[Image: Google notice] Your computer appears to be infected. We believe that your computer is infected with malicious software. If you don't take action, you might not be able to connect to the Internet in the future.

[Image: Facebook notice] Your computer or network might be infected. Facebook has partnered with an alliance of public and private organizations to raise awareness about malware. Through that alliance we received information that your computer, home network, or office network may be at risk and infected with a type of malware called "DNSChanger." For more information about DNSChanger malware, to see if your systems are infected, and to learn how to clean them, please visit the DNSChanger Working Group website: http://www.dcwg.org/ and click on the 'Detect' link. This type of malware, if left on your systems, will prevent you from accessing the Internet after July 9, 2012. This includes your access to all websites, email, and chat.

News Media Coverage

The FBI's detector site and the warning quickly spread through the tech news blogosphere and online news sites, accompanied by sensational headlines suggesting there will be a massive internet blackout on July 9th. The intensive media coverage of a potential server outage came only days after a temporary blackout of major sites and online services like Reddit and Netflix, caused by Amazon's data center outage and a technical bug known as the leap second glitch.


[Image: news search results for DNSChanger. Headlines shown include "DNSChanger shutdown: 5 doomsdays of internet past" (GigaOM); "DNSChanger Deadline is Monday. Are You Ready?" (PC Magazine, Jul 6, 2012); "DNSChanger Doomsday" (PC Magazine, Jul 6, 2012); "How to Find, Remove DNSChanger From Your Router" (PC Magazine, Jul 6, 2012); "Stay Connected Monday, Check Your PC for DNSChanger Now" (Sci-Tech Today); "Malware Monday looms, but can be averted" (MiamiHerald.com, Jul 6, 2012); "DNSChanger Malware Set to Knock Thousands Off Internet on Monday" (PCWorld, Jul 5, 2012).]

On Twitter

The hashtag #DNSChanger[11] has had an average of 30 tweets per hour[12] in July 2012. 





External References

[1] Wikipedia – Rove Digital

[2] F-Secure – Should the FBI be reauthorized to continue DNSChanger servers?

[3] What the Tech – Trojan DNS changer.hg, cant get rid of it

[4] Search and Destroy Forums – Win32.DNSChanger

[5] Wilders Security Forums – Trojan Win32 Dns Changer .ik -hard to believe

[6] Security Ticker – OSX Has It's Own Zlob DNSChanger OSX.RSPlug.A

[7] My Anti Spyware – How to remove trojan DNSChanger/DNS hijacker (Redirect Virus/Trojan Fix)

[8] F-Secure – Trojan:OSX/DNSChanger

[9] Washington Post – A Scary Twist in Malware Evil-ution

[10] Reddit – A Scary Twist in Malware Evil-ution: Beware of DNSChanger

[11] Twitter – Results for #dnschanger

[12] Topsy – #DNSChanger

[13] PC Mag – DNSChanger Doomsday

[14] TPM Idea Lab – FBI's Plan to Yank DNS Changer Servers Not 'Doomsday,' Here's How To Stay Online

[15] Huffington Post – DNSChanger Malware May Knock Thousands Off Internet On July 9: How To Avoid It

[16] MSNBC – Last call to wipe DNSChanger before 'Internet doomsday'

[17] FBI – DNSChanger Malware

[18] CNet – What the DNSChanger malware is -- and why you should care (FAQ)

[19] PC World – Protect Yourself From DNSChanger

[20] PC World – There Is No Excuse for Still Being Infected with DNSChanger

[21] TIME – DNSChanger: No, the Internet Isn’t Shutting Down on Monday

[22] FBI – DNS Malware: Is Your Computer Infected?

[23] Reuters – Virus could black out nearly 250,000 PCs

[24] Yahoo! News – Worldwide Internet Outage

[25] Tech Republic – Preparing for the DNSChanger Internet outage
