DNSChanger Malware Set to Knock Thousands Off Internet on Monday

Here's how to find out if your computer is infected, and what to do if it is.

Thousands of PCs worldwide may be unable to access the Internet beginning July 9 unless those machines are rid of the pernicious DNSChanger malware that first surfaced in 2007. The Federal Bureau of Investigation helped shut down the criminal ring responsible for DNSChanger in late 2011. The federal agency then briefly handled the Internet Domain Name System routing for all infected Mac and Windows systems.

In early 2012, the Internet Systems Consortium, a nonprofit corporation, took over DNS routing responsibilities from the FBI. But that courtesy is coming to an end Monday, and if your computer is one of the thousands still infected, you need to fix your machine so you can keep getting online.

What Did DNSChanger Do?

DNSChanger rerouted infected computers through servers controlled by a criminal ring based in Eastern Europe. The malware did this by taking advantage of the Internet's Domain Name System (DNS) service. Think of DNS servers like phone books for the Internet. These servers turn the plain text Web address that you enter into your browser, such as PCWorld.com, into a string of numbers. These numbers are known as Internet Protocol addresses (PCWorld's is and computers use them to connect to one another and get around the Internet. IPs are assigned to home and business Internet connections and every website you visit.

It should be pretty clear that DNS is not something you want to have intercepted by criminals. Any time they want, criminals who control how your computer uses DNS can do malicious things such as reroute your computer to fraudulent websites. Once there, the sites can try to download more malware to your computer or attempt to harvest data such as login credentials.

DNS changing was only one of the malware's functions, according to the DNSChanger Working Group, a consortium of companies, universities and other institutions helping to deal with the impact of DNSChanger. The group says it's possible DNSChanger could also have been capturing keystrokes (known as keylogging).

As of June 11, the group detected DNSChanger infections from more than 300,000 unique Internet Protocol addresses worldwide. Nearly 70,000 of those unique IPs originated in the United States. An Internet Protocol address counts as one main connection to the Internet, but can include multiple PCs behind one IP.

How to Know if You're Infected

If your computer is infected with DNSChanger and you've recently visited Facebook or Google, then you've probably seen warnings about your system being infected with DNSChanger. Both services are posting notices to systems infected with DNSChanger and offering advice about what to do about the infection. Your Internet Service Provider may have also notified you about an infection.

Another way to find out if you're infected is to visit one of several detection websites set up by the DNSChanger Working Group. These sites will not require you to download any extra software or scan your hard drive. If you are infected, the site will be able to immediately detect it and notify you.

The bad news is that DNSChanger doesn't just go after PCs, but can also infect your router. That means you may visit a malware detection site from any PC in your home and all will register as being infected even though your router is really the culprit.

If you want to be absolutely sure your computer is clean, you can check your PC's DNS settings without relying on a third-party website. PCWorld's tutorial "Protect Yourself From DNSChanger" has detailed instructions on how to do this for PCs and Macs.
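The manual check described above, as an added example (not PCWorld's or the DNSChanger Working Group's code): it reads the text printed by `ipconfig /all`, `scutil --dns` or `/etc/resolv.conf` and flags any configured DNS server that falls inside a list of rogue ranges. The ranges here are RFC 5737 placeholders, the sample text is constructed, and the function names are this example's own.

```python
import ipaddress
import re

# ASSUMPTION: placeholder ranges (RFC 5737 documentation networks). Replace them
# with the rogue resolver ranges published by the DNSChanger Working Group.
ROGUE_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

# Matches `nameserver 1.2.3.4` (resolv.conf), `nameserver[0] : 1.2.3.4`
# (scutil --dns on a Mac) and `DNS Servers . . . : 1.2.3.4` (ipconfig /all).
KEY = re.compile(r"^(?:nameserver(?:\[\d+\])?|DNS Servers[ .]*)\s*:?\s*(\S+)$", re.I)

def _parse_ip(token):
    try:
        return ipaddress.ip_address(token.split("%", 1)[0])  # drop IPv6 zone id
    except ValueError:
        return None

def extract_resolvers(text):
    """Return the resolver addresses found in OS network-settings output."""
    found, in_block = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # ignore resolv.conf comments
        m = KEY.match(line)
        # ipconfig lists extra servers on continuation lines holding only an IP.
        ip = _parse_ip(m.group(1)) if m else (_parse_ip(line) if in_block else None)
        in_block = ip is not None
        if ip is not None and ip not in found:
            found.append(ip)
    return found

def audit(text):
    """Classify each configured resolver as rogue, local or unlisted."""
    report = []
    for ip in extract_resolvers(text):
        verdict = "unlisted"
        if any(ip in net for net in ROGUE_RANGES):
            verdict = "rogue"   # the PC is pointed at a listed rogue resolver
        elif ip.is_private or ip.is_loopback or ip.is_link_local:
            verdict = "local"   # the PC defers to the router: check its DNS too
        report.append((str(ip), verdict))
    return report

# Constructed sample input, not captured from a real machine.
SAMPLE_IPCONFIG = """\
   DNS Servers . . . . . . . . . . . : 192.0.2.53
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
SAMPLE_RESOLV = "nameserver 8.8.8.8  # constructed\nnameserver 198.51.100.7\n"
```

A "local" verdict means the PC hands DNS lookups to the router, so a clean result on the PC says nothing about the router's own DNS settings.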

What to Do if You're Infected

If you've determined that your PC is running DNSChanger malware, there are several things you can do. The DNSChanger Working Group has a list of free removal tools from major computer security firms including Kaspersky, McAfee, MacScan, Symantec and Trend Micro, as well as a Microsoft tool.

Before you use any of these tools, you need to back up your personal files. The DNSChanger Working Group also suggests that infected users might be better off switching to a new PC if they were already thinking of upgrading their current system.

Another option, and perhaps the safest bet if you're sticking with your current PC, is to back up your files, reformat your hard drive and reinstall your OS. Check out PCWorld's guide to reinstalling Windows for more information.

If you determine that your router is infected, contact your Internet Service Provider for help.

DNSChanger may not be that widespread anymore (this year infections were detected at half of all Fortune 500 companies). But if you've got DNSChanger on your system, you have to deal with it this weekend before the Internet goes dark for you Monday.

Connect with Ian Paul (@ianpaul) on Twitter and Google+, and with Today@PCWorld on Twitter for the latest tech news and analysis.
