DNSChanger to knock 350,000 users off Internet this July

Summary: The DNSChanger botnet is long dead, fixes for the malware have been around for months, but over 350,000 users still haven't fixed their computers or routers, so in July they'll be knocked off the Internet.


Every lousy day, here at ZDNet and all the other reputable technology news and opinions sites, we preach about basic computer security. Windows users are always the most vulnerable, but even Mac users can get hit as well. And, every lousy day, far too many people don't pay any heed to these warnings. Take the case of DNSChanger, which was fixed months ago but is still going to end up knocking hundreds of thousands of PCs off the Internet this July.

DNSChanger is a Windows and Mac Trojan that's been around since 2007. What it did was to cause Windows PCs and Macs to use rogue Domain Name System (DNS) servers. First, it changed your computer's DNS server settings to replace your ISP's good DNS servers with rogue DNS servers operated by the criminals. Then, it tried to compromise your routers and home gateways. It did this by trying the most common default user names and passwords for small office/home office (SOHO) dynamic host configuration protocol (DHCP) servers. If successful, DNSChanger switched your router or gateway's default DNS servers to the rogue DNS servers. This in turn would make all the PCs on your LAN go to the corrupt DNS servers. This way a single infected system could compromise every PC on a network, even those that weren't infected themselves.

What happened then was that when you tried to go to a popular Website, like Amazon or iTunes, instead of seeing the content you'd expected, you'd see large advertisements or be rerouted to spam or malware sites. Adding insult to injury, DNSChanger also blocked access to anti-virus sites to prevent the removal of the malware.

Back in November, in Operation Ghost Click, the FBI shut down the botnet behind DNSChanger. In the meantime, every major anti-virus company has updated its programs to find and smash DNSChanger. So, why, in April, is it still a problem?

I'll tell you why: because out of the four million or so people whose systems were infected with DNSChanger, 350,000 or so, slightly less than one in ten, still have it and still haven't fixed their computer or router's DNS settings. Argh!

You see, after the FBI took down the botnet, it arranged to have the Internet Systems Consortium put up good DNS servers in place of the ones that were redirecting people to bad sites. This way those who had been infected would still be connected to the Internet. And, of course, so they could get fresh anti-virus software to clean up the bug and find out how to reset their DNS. Most people did. A lot of people didn't.

The FBI wants to shut down its servers for those who never bothered to clean up their systems. Originally the Feds were going to shut down the replacement servers in March, but last month a federal judge ordered an extension of the DNS services fix to July 9. This will give the clueless users, businesses and governments a few more months to deal with DNSChanger.

The clueless, by the way, aren't just individuals who never patch their computers and haven't updated their anti-virus software this decade. No, according to IID (Internet Identity), a provider of technology and services that help organizations secure their Internet presence, 94 of all Fortune 500 companies and three out of 55 major government entities still had at least one computer or router that was infected with DNSChanger in March.

Is it any wonder that hardly a day goes by without news of yet another major Web site security breach?

To find out if you're infected, visit the DNS Changer Check-Up site, which checks your PC's DNS resolution without installing any software. If you do have a case, all modern, up-to-date anti-virus programs can remove DNSChanger.

After zapping it, you may still need to change your router's DNS settings if the bug got to it. How to do this varies from router to router. Just follow your vendor's instructions. You can either choose to use your ISP's default DNS servers or, do like I do, and use the OpenDNS DNS servers, and, or Google's DNS servers, and 8.8.4.4. Either tends to be faster than most ISPs' DNS services.
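
One way to automate the DNS-settings check described above, as an added example that is not part of the original article: it labels each resolver in resolv.conf-style text as rogue, expected, local or unknown. The rogue ranges are RFC 5737 placeholders, not the real DNSChanger ranges, and `classify`, `audit`, `EXPECTED` and the sample input are assumptions of this example.

```python
import ipaddress

# Placeholder ranges from RFC 5737 documentation space, NOT the real DNSChanger
# ranges; substitute the rogue ranges published for Operation Ghost Click.
ROGUE_RANGES = ["192.0.2.0/24", "198.51.100.0/24"]
# Resolvers you intend to use (ISP or chosen provider); constructed value.
EXPECTED = ["203.0.113.53"]

# Constructed sample of resolv.conf-style resolver settings.
SAMPLE = """\
# constructed sample
nameserver 192.0.2.10
nameserver 192.168.1.1
nameserver 203.0.113.53
nameserver 8.8.4.4
nameserver not-an-ip
search lan
"""


def classify(address, rogue=ROGUE_RANGES, expected=EXPECTED):
    """Label one configured resolver address."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "invalid"
    if any(ip in ipaddress.ip_network(r) for r in rogue):
        return "rogue"        # settings were changed: clean the PC, then fix DNS
    if any(ip == ipaddress.ip_address(e) for e in expected):
        return "expected"
    if ip.is_private or ip.is_loopback:
        # Usually the router or a local stub: the PC looks clean, but the
        # router's own upstream DNS settings still have to be checked.
        return "local"
    return "unknown"          # public resolver you did not choose: verify it


def audit(resolv_conf_text):
    """Map each nameserver entry in the text to its classification."""
    results = {}
    for line in resolv_conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            results[fields[1]] = classify(fields[1])
    return results


if __name__ == "__main__":
    for server, verdict in audit(SAMPLE).items():
        print(f"{server:15} {verdict}")
```

A "local" verdict is the case the article warns about: the PC points at the router, so the router's own DNS settings decide where lookups really go.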

  • So the government was REALLY doing them a favor? I doubt that.

    So the government knocks out the bad guys running the fake DNS servers. So out of the goodness of their hearts they just put "good" ones in place?

    I have several problems with this:
    1. If you didn't know that you were infected how will you find out if your internet experience is unchanged? Dead DNS servers would give even the most clueless users a chance to realize something is wrong and call in qualified help to fix it.

    2. What exactly does the government gain by providing this service? Anyone that runs a DNS server can monitor who accesses it and what they are accessing. Call me paranoid but to me that implies that the government wants people to access their pwnd servers to track what is being accessed. How is this any better than the "real" crooks that sent out the virus to begin with?

    3. Most of the people forced into this situation don't have proper protection so for months they continued to be open to OTHER infections and angles of attack and this is prolonged by the government providing these "replacement" servers to begin with.

    4. This is NOT a good thing for the government to be doing and we are put at greater risk FROM the government because of their so called act of good will.

    Is it just me or does the air smell really bad now?
    • Smells bad man

      You know, I don't mean to sound like a cynical kook, but has anyone considered the FBI themselves might be blocking out these infected users because the afflicted computers are a threat to them? These hackers could be using the infected as a means of attack on the FBI.
    • Sorry, I disagree.

      "If you didn't know that you were infected how will you find out if your internet experience is unchanged?"

      More than 90% of people did fix their systems. So yes, apparently they were notified somehow.

      "What exactly does the government gain by providing this service?"

      Taxpayer money. We give them money to do their job, and they do it.

      Of course, you can tinfoil this to death, I'm sure, but I see no reason to claim malicious intent here.

      Not to mention the service is getting shut down, which is NOT in line with your claim that the government wants to track people with this. So this appears to be evidence against your claim, not for it.

      "Most of the people forced into this situation don't have proper protection so for months they continued to be open to OTHER infections and angles of attack and this is prolonged by the government providing these 'replacement' servers to begin with."

      350 thousand out of four million people fixed their systems. You need 50% to get "most," and this is closer to 9%.

      "This is NOT a good thing for the government to be doing and we are put at greater risk FROM the government because of their so called act of good will."

      I find your conclusion to be invalid, as it appears to be based on pure speculation and is not backed up by any of the evidence. There is no evidence of malicious intent in this case.
  • Informative

    Thanks for the advance notice. When that day comes, I think I will be able to fix machines easily.

    A bit of searching on the net and it seems this trojan won't infect your machine unless you're surfing the net with an admin account or have installed some rogue games or applications which have this DNSChanger payload.
  • A little late, but better late than never

    My wife (completely non technical) told me about this one a couple days ago. Checked all of our machines and guess what, no problems.

    350K machines off the net. Maybe some sites will speed up a bit.
  • Should we be recommending Google DNS Servers?

    I used to use and recommend Google's DNS servers (and the Open DNS servers), but, given what I now know about Google and how it will use any and all information it obtains from people, I have to wonder if it's still a good idea to use the Google DNS servers.

    Specifically, is Google logging every site that people visit? Is it using all the other information it has about people in order to build highly detailed profiles of users? Example: Let's say you're logged into a Google account and also use the Google DNS servers. Is Google tracking every site you visit and using that information to help line its coffers?

    The bottom line is that I'll use Open DNS but not Google's DNS servers.
    • And what makes OpenDNS any better?

      Anyone that runs a DNS server can track who is using it and what sites they are requesting. Why do you think OpenDNS is somehow safe to use over Google? Running a DNS server is expensive and they, like Google, have access to user data trends.

      From the Privacy Policy on OpenDNS website:

      "OpenDNS Service Usage Information

      OpenDNS runs a Domain Name System (DNS) service. DNS translates a domain name (e.g., http://www.example.com) into the corresponding numerical address (e.g., that allows your system to access the domain over the network. When you use OpenDNS services, OpenDNS stores certain DNS, IP address and related information about you to improve the quality of our service, to provide you with OpenDNS services and for internal business and analysis purposes."

      • Running a DNS server is expensive?


        How did you reach such a conclusion? One can run a reasonably performing public DNS server from their home, today. It does not require any significant processing power, either. Your desktop PC will do.
      • Reply to danbi below.


        So you are allowing thousands of people to use your home DNS server? Somehow I doubt you have the bandwidth or CPU power to handle THAT kind of load.
  • Real and Imaginary - the difference

    On one hand we have threats like these and on the other hand we have CISPA.

    The difference between what is real and what is imagined is so stark that it is not even funny. It's also a fact that the third world war would be most likely on the Internet and electronic front.

    And, MAC being 10 years behind Microsoft in virus prevention is now old news.

    We should stop being dependent on so many people for our privacy, security and knowledge. Online courses are available to help people. They range from courses on ethical hacking to computer security [like this one http://www.wiziq.com/course/3706-computer-security-and-ethical-hacking-training-by-ankit-fadia here] which help everyone come up to speed on the threats in the modern world. These are limited not just to computer but also Internet, mobile, ATM and more. It's a scary thought but needs to be tackled as soon as it's possible.
  • I don't understand

    They have control of their DNS. I don't understand why they don't just forcibly make all DNS requests resolve to a site that tells them they are infected, and how to fix it.

    Am I missing something? It just seems so obvious.
    • it's obvious, and proper method

      This is what they should do as they shut them down. But some judge thought 350,000 unused computers or used by stupid people would grow IQ if they extended it for months. It doesn't.

      Chances are the vast majority, especially ones in big companies are old unused systems just sitting there. Every big company I've worked on had these types of "don't touch" systems 'cause somebody might still be using it. I know of a server running NT 3.5, still up and running in 2011--not sure if it survived to 2012. No plans to shut down. Nobody is using it, but management is afraid--of themselves.

      Just shut them down. Eventually, some month or year, someone might realize the system hasn't had DNS for a few years. Probably because it wasn't important to function, or hadn't been functioning in years.
    • Data collection

      FBI and many other law enforcement are at the stage when they learn things about the Internet. This is a chance for them to have first hand information on what users around the world do etc.

      If they redirect the user right away to such a site, they won't see any of their other activity.
      • "If they redirect the user right away..."

        As another poster already asked, if this DNS spying is so useful to them, why would they turn off the DNS servers now? They could keep them opened forever. It's taxpayer money, it isn't like it costs them anything...
  • Use your ISP's DNS servers!!!

    This advice:

    "You can either choose to use your ISP's default DNS servers or, do like I do, and use the OpenDNS DNS servers, and, or Google's DNS servers, and 8.8.4.4. Either tend to be faster than most ISP's DNS services."

    Is wrong!

    If you cannot run your own, DNSSEC validating DNS resolver, then use your ISP's DNS servers. In that order.

    If you value your privacy and want to see the real, unaltered Internet, do not even think of using any "public" DNS server. Especially Google's.

    Also, avoid using your router's DNS capability if possible. Most routers/gateways have broken DNS implementations. Many 'routers' won't let you bypass their captive portals, so you may wish to consider a different make/model.

    The DNS is now DNSSEC capable. If you run your own DNS resolver, that uses DNSSEC, best on your own computer, then no man in the middle can redirect you from any site that uses DNSSEC.

    Many large ISPs, for example Comcast in the US are offering DNSSEC enabled DNS services. Google's "public DNS" has had DNSSEC broken (not checked right now), perhaps because they don't want you to be able to tell whether they have modified the DNS (what you see from Internet) for you or not.
  • How about the rest of us?

    Are we really concerned about inconveniencing the owners of the 350,000 systems who can't be bothered to clean up and properly protect their computers? Or put another way, just between 0.02-0.03% of all the Internet users. Is it really wise to support and perpetuate security incompetence? Does anyone believe these systems are secure from other attacks?