Notifying users affected by the DNSChanger malware

Tuesday, May 22, 2012 12:00 PM



Starting today we’re undertaking an effort to notify roughly half a million people whose computers or home routers are infected with a well-publicized form of malware known as DNSChanger. After successfully alerting a million users last summer to a different type of malware, we’ve replicated this method and have started showing warnings via a special message that will appear at the top of the Google search results page for users with affected devices.


The Domain Name System (DNS) translates familiar web address names like google.com into a numerical address that computers use to send traffic to the right place. The DNSChanger malware modifies DNS settings to use malicious servers that point users to fake sites and other harmful locations. DNSChanger attempts to modify the settings on home routers as well, meaning other computers and mobile devices may also be affected.

Since the FBI and Estonian law enforcement arrested a group of people and transferred control of the rogue DNS servers to the Internet Systems Consortium in November 2011, various ISPs and other groups have attempted to alert victims. However, many of these campaigns have had limited success because they could not target the affected users, or did not appear in the user’s preferred language (only half the affected users speak English as their primary language). At the current disinfection rate hundreds of thousands of devices will still be infected when the court order expires on July 9th and the replacement DNS servers are shut down. At that time, any remaining infected machines may experience slowdowns or completely lose Internet access.

Our goal with this notification is to raise awareness of DNSChanger among affected users. We believe directly messaging affected users on a trusted site and in their preferred language will produce the best possible results. While we expect to notify over 500,000 users within a week, we realize we won’t reach every affected user. Some ISPs have been taking their own actions, a few of which will prevent our warning from being displayed on affected devices. We also can’t guarantee that our recommendations will always clean infected devices completely, so some users may need to seek additional help. These conditions aside, if more devices are cleaned and steps are taken to better secure the machines against further abuse, the notification effort will be well worth it.
The comments you read here belong only to the person who posted them. We do, however, reserve the right to remove off-topic comments.

15 comments:

BobintheNOC said...

Obviously, I'll be googling more on dnschanger malware, but any particularly recommended readings that can help us dns and corp admins in identifying infected internal machine? Is there a published list of known proxies that we can search our connectivity logs for?

Leandrew Emery said...

Here is the link to the FBI's site about this issue.

https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS

dpeprah said...

Well I am positive my routers are infected since i have checked over and over and reconfigured all the office routers several times and still get the error messages when pcs try to connect to them. How do i rectify this? HELP!!!!!!

lemon said...

I have the same questions, any one give me the answers?

toddmorison10 said...

dpeprah, may I suggest signing up with OpenDNS? They are great in protecting my network from DNS attacks. http://www.opendns.com/

According dcw.org -- If you think you have been affected by this malware, you do need to fix your computer.  The malware tool kits used that change your computer’s DNS settings are very pervasive.  Initially, the only way researchers could ensure that a machine was fixed was to reformat the hard drive and reinstall the operating system from scratch.

I hope this isn't necessary in your case.

http://www.dcwg.org/fix/

Geoffrey said...

OpenDNS is itself arguably an attack -- they document that they redirect all Google traffic to themselves. They also block a host of morally-objectionable sites by default, etc.

Wireless.Phil said...

Geoffrey, that depends on how YOU set-it-up.
I use Open DNS and I don't have it block anything morally-objectionable.

eingriff said...

The sites to which I am referred to check for DNSChanger indicate that I am "probably" or "most probably" not affected.
I really don't find this very reassuring, but feel incapable of obtaining any greater assurance, so I'm bugging off.

Child Fund Shop Online said...

Yes, thanks for this useful information!

Dewiq said...

DNS Google , Here is the link to the FBI's site about this issue.

https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS

Isi Hati said...

where i can edit my dns code on my ipad?

Chuck Chipner said...

Thanks for posting this! I like that my internet service provider will notify me of big things like this. Having an internet service provider that looks out for me is something I really appreciate.

Jonathan Park said...

Does this affect the internet speed? I'm worried that there is something wrong with the network cabling. I've tried resetting my router several times and changing the password regularly but it's not the same anymore. What do I do?

James Dnob said...

We came across a few possible infected routers while setting up remote viewing online. What are the symptoms?

MG Projekt said...

I think it was very responsible, and buils possitive company image. Great initiative, and thans of course :)

Regadrs
MG