
DNSChanger Malware Set to Knock Thousands Off Internet on Monday

Here's how to find out if your computer is infected, and what to do if it is.

By Ian Paul, PC World
July 05, 2012 12:34 PM ET

PC World - Thousands of PCs worldwide may be unable to access the Internet beginning July 9 unless those machines are rid of the pernicious DNSChanger malware that first surfaced in 2007. The Federal Bureau of Investigation helped shut down the criminal ring responsible for DNSChanger in late 2011. The federal agency then briefly handled the Internet Domain Name System routing for all infected Mac and Windows systems.

In early 2012, the Internet Systems Consortium, a nonprofit corporation, took over DNS routing responsibilities from the FBI. But that courtesy is coming to an end Monday, and if your computer is one of the thousands still infected, you need to fix your machine so you can keep getting online.


What did DNSChanger Do?

DNSChanger rerouted infected computers through servers controlled by a criminal ring based in Eastern Europe. The malware did this by taking advantage of the Internet's Domain Name System (DNS) service. Think of DNS servers like phone books for the Internet. These servers turn the plain text Web address that you enter into your browser into a string of numbers. These numbers are known as Internet Protocol addresses, and computers use them to connect to one another and get around the Internet. IPs are assigned to home and business Internet connections and every website you visit.

It should be pretty clear that DNS is not something you want to have intercepted by criminals. Any time they want, criminals who control how your computer uses DNS can do malicious things such as reroute your computer to fraudulent websites. Once there, the sites can try to download more malware to your computer or attempt to harvest data such as login credentials.

DNS changing was only one of the malware's functions, according to the DNSChanger Working Group, a consortium of companies, universities and other institutions helping to deal with the impact of DNSChanger. The group says it's also possible DNSChanger could have been capturing keystrokes (known as keylogging).

As of June 11, the group detected DNSChanger infections from more than 300,000 unique Internet Protocol Addresses worldwide. Nearly 70,000 of those unique IPs originated in the United States. An Internet Protocol address counts as one main connection to the Internet, but can include multiple PCs behind one IP.

How to Know if You're Infected

If your computer is infected with DNSChanger and you've recently visited Facebook or Google, then you've probably seen warnings about your system being infected with DNSChanger. Both services are posting notices to systems infected with DNSChanger and offering advice about what to do about the infection. Your Internet Service Provider may have also notified you about an infection.

Another way to find out if you're infected is to visit one of several detection websites set up by the DNSChanger Working Group. These sites will not require you to download any extra software or scan your hard drive. If you are infected, the site will be able to immediately detect it and notify you.
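A local version of the same check, as an added example that is not part of the original article: compare the DNS servers a machine is configured to use against a list of known-rogue address ranges. The function names, the resolv.conf-style input and the sample data are assumptions, and the ranges are placeholder documentation blocks (RFC 5737), not the real DNSChanger ranges, which must be taken from the working group's published list.

```python
import ipaddress
import re

# PLACEHOLDER ranges (RFC 5737 documentation blocks), not real indicators.
# Replace with the rogue DNS ranges published by the DNSChanger Working Group.
ROGUE_RANGES_PLACEHOLDER = ["192.0.2.0/24", "198.51.100.0/25"]

# Constructed sample of resolv.conf-style resolver configuration.
SAMPLE_RESOLV_CONF = """\
; constructed sample, not taken from a real host
nameserver 192.0.2.53
nameserver 198.51.100.200   # just outside the placeholder /25
nameserver 203.0.113.1
nameserver not-an-ip
search example.test
"""

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.IGNORECASE)


def parse_resolvers(config_text):
    """Return the valid nameserver addresses found in resolv.conf-style text."""
    resolvers = []
    for line in config_text.splitlines():
        line = re.split(r"[#;]", line, maxsplit=1)[0]  # drop comments
        match = NAMESERVER_RE.match(line)
        if not match:
            continue
        addr = match.group(1).split("%", 1)[0]  # drop an IPv6 zone id
        try:
            resolvers.append(ipaddress.ip_address(addr))
        except ValueError:
            continue  # malformed entry: ignore rather than abort the check
    return resolvers


def find_rogue_resolvers(config_text, rogue_ranges):
    """Return configured resolvers (as strings) that fall inside rogue_ranges."""
    networks = [ipaddress.ip_network(r) for r in rogue_ranges]
    return [
        str(ip)
        for ip in parse_resolvers(config_text)
        if any(ip.version == net.version and ip in net for net in networks)
    ]


if __name__ == "__main__":
    hits = find_rogue_resolvers(SAMPLE_RESOLV_CONF, ROGUE_RANGES_PLACEHOLDER)
    print("Rogue resolvers configured:", hits or "none")
```

On Windows the configured DNS servers appear in the output of `ipconfig /all` rather than in a resolv.conf file, so the resolver list would have to be read from there before running the range check.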
