Don’t forget to check for those DNSChanger infections

Jun 20, 2012 (4 min read)
Cybercrime, Data and Information Security

For months, we’ve been hearing about the prospect of countless users losing their Internet access because of DNSChanger infections. Since we’re less than a month away from the July 9 deadline, I thought we should take a walk through one of the main websites set up to help us find and remove infections.

First, a review of the problem, as written by CSO’s Taylor Armerding:

Another government safety net is going away July 9.

But this one has nothing to do with food stamps, welfare or Medicaid. These are safety net servers put in place last Nov. 8 after the FBI’s “Operation Ghost Click” shut down a hacker group operating under the company name “Rove Digital,” which had been running an Internet ad scam since 2007 using DNSChanger servers that hijacked about four million computers worldwide and at least 568,000 in the U.S.

The hackers made at least $14 million from the scam, and made the infected computers reliant on the rogue servers for their Internet browsing.

According to the FBI, if the agency had simply taken down the criminal infrastructure and confiscated the rogue servers, the victims would have been unable to get Internet service. So on the night of the raid, which led to the arrest of six Estonians, Paul Vixie, founder and chairman of Internet Systems Consortium, was hired to install two “clean” servers that took the place of the impounded ones.

Those servers were scheduled to shut down March 8, but a federal judge extended the deadline to July 9. FBI spokeswoman Jenny Shearer says the agency has been making efforts to reach those still infected by the scam, to point them to the website of the DNS Changer Working Group (DCWG), which offers detection, a fix and protection.

Now for that walkthrough.

DCWG website: The DNS Changer Working Group (DCWG) was created to help remediate Rove Digital’s malicious DNS servers. The DCWG helps monitor DNS servers run by ISC, under court order, in the former Rove Digital colo space. The DCWG is an ad hoc group of subject matter experts, and includes members from organizations such as Georgia Tech, Internet Systems Consortium, Mandiant, National Cyber-Forensics and Training Alliance, Neustar, Spamhaus, Team Cymru, Trend Micro, and the University of Alabama at Birmingham. You can read more about the arrest of the Rove Digital principals here, and in the FBI Press Release. This page is hosted at the Georgia Institute of Technology, under a research grant provided by the Office of Naval Research.

The homepage is very easy to navigate, with buttons to press when you want to check your machine, clean infections and better protect yourself for the future. There is also a steady stream of news updates. From the detection page:

How can you detect if your computer has been violated and infected with DNS Changer?

An industry-wide team has developed easy “are you infected” web sites. They are a quick way to determine if you are infected with DNS Changer. Each site is designed for any normal computer user to browse to a link, follow the instructions, and see if they might be infected. Each site has instructions in their local languages on the next steps to clean up possible infections.

For example, the site will state whether you are or are not infected (see below).

  • No Software is Downloaded! The tools do not need to load any software on your computer to perform the check.
  • No changes are performed on your computer! Nothing is changed on your computer when you use sites like
  • No scanning! The “are you infected with DNS Changer” tool does not need to scan your computer.

There’s also a box listing several external “are you infected” sites, with links to the security organizations that maintain each one; every site gives next-step cleanup instructions in its local language.
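The web checks need nothing installed because the test itself is a DNS lookup: a machine that still resolves names through the court-ordered replacement servers gets a different answer for the check site’s hostname than a clean machine does. The offline equivalent, which is also what the FBI’s manual instructions have users do by hand, is to compare the resolvers the machine is configured to use against the address ranges the FBI published for Rove Digital’s servers. The script below is an added example, not code from DCWG or the FBI; the resolv.conf and “ipconfig /all” snippets are constructed samples, and the six CIDR ranges are my transcription of the FBI’s published list, which you should confirm against that document before relying on it.

```python
import ipaddress
import re

# Address ranges the FBI published for Rove Digital's rogue DNS servers.
# Transcribed from the FBI's DNSChanger bulletin; confirm against that
# document before relying on this list.
ROGUE_RANGES = [
    ipaddress.ip_network(cidr)
    for cidr in (
        "85.255.112.0/20",   # 85.255.112.0 - 85.255.127.255
        "67.210.0.0/20",     # 67.210.0.0   - 67.210.15.255
        "93.188.160.0/21",   # 93.188.160.0 - 93.188.167.255
        "77.67.83.0/24",     # 77.67.83.0   - 77.67.83.255
        "213.109.64.0/20",   # 213.109.64.0 - 213.109.79.255
        "64.28.176.0/20",    # 64.28.176.0  - 64.28.191.255
    )
]

# Constructed sample inputs (not real captures) so the script runs offline.
# Paste your own `cat /etc/resolv.conf` or `ipconfig /all` output here.
SAMPLE_RESOLV_CONF = """\
# constructed /etc/resolv.conf
search example.test
nameserver 85.255.112.36
nameserver 2001:db8::53
nameserver 8.8.8.8
"""

SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 93.188.160.5
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# An indented line carrying one bare token: how ipconfig lists extra servers.
_CONTINUATION = re.compile(r"^\s+(\S+)\s*$")


def resolvers_from_resolv_conf(text):
    """Return the addresses on 'nameserver' lines of resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def resolvers_from_ipconfig(text):
    """Return the DNS server addresses from 'ipconfig /all' output.

    The first server follows the 'DNS Servers' label; further servers sit on
    the following lines as a lone indented address each.
    """
    servers = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        if "DNS Servers" in lines[i] and ":" in lines[i]:
            first = lines[i].split(":", 1)[1].strip()  # label dots hold no ':'
            if first:
                servers.append(first)
            i += 1
            while i < len(lines) and _CONTINUATION.match(lines[i]):
                servers.append(_CONTINUATION.match(lines[i]).group(1))
                i += 1
        else:
            i += 1
    return servers


def is_rogue(addr):
    """True if addr is an IP address inside one of the rogue ranges.

    Unparseable tokens are never rogue, and neither are IPv6 addresses: the
    published ranges are IPv4, and an IPv6 address is never 'in' an IPv4 net.
    """
    try:
        ip = ipaddress.ip_address(addr.split("%", 1)[0])  # strip a zone id
    except ValueError:
        return False
    return any(ip in net for net in ROGUE_RANGES)


def rogue_resolvers(resolvers):
    """Return the subset of configured resolvers that fall in rogue ranges."""
    return [r for r in resolvers if is_rogue(r)]


if __name__ == "__main__":
    for label, found in (
        ("resolv.conf", resolvers_from_resolv_conf(SAMPLE_RESOLV_CONF)),
        ("ipconfig /all", resolvers_from_ipconfig(SAMPLE_IPCONFIG)),
    ):
        bad = rogue_resolvers(found)
        verdict = "INFECTED (rogue resolver configured)" if bad else "clean"
        print(f"{label}: resolvers={found} rogue={bad} -> {verdict}")
```

One caveat when reading the result: a machine whose only configured resolver is the home router (192.168.1.1 in the constructed sample) looks clean to this check even if the router itself has been pointed at a rogue server, so the router’s upstream DNS setting needs the same comparison.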

Meanwhile, the FBI has a lot of easily digested resources on its site.

If I’m using the directions correctly, I’m in the clear. If I did it wrong, my absence from Twitter, Facebook etc. will be a pretty good tip-off.