
The Day The Internet Will Break For Millions


The Day The Internet Will Break For Millions—A Looming Deadline in the Aftermath of ‘Operation Ghost Click’


Just two months ago, the Internet security community and international law enforcement scored a great victory on November 8, 2011, when news came out about Operation Ghost Click. This operation had just culminated in the arrest and extradition of several alleged Estonian cybercriminals who are charged with controlling an extensive network of infected computers via malware known as “DNSChanger” over several years, defrauding consumers out of tens of millions of dollars. The FBI, working in concert with NASA, the Estonian police, and several private sector firms and security researchers, orchestrated the complete takedown of the DNSChanger infrastructure. Concurrently, authorities took over the criminal network itself so that victim machines could be identified, cleaned, and repaired. It is estimated that this criminal malware infected more than four million computers since 2007.

Takedown just a start

However, the takedown represented only a partial victory. Millions of these machines remain infected and there is a very real “deadline” looming in another two months when a judicial order that is helping keep these infected computers working runs out.

To understand this deadline it’s necessary to understand how DNSChanger alters the way infected machines resolve domain names. DNSChanger routes those infected machines’ DNS queries towards malicious servers run by the criminals instead of their normal recursive DNS servers. Take out those malicious servers, and the infected machines will have no DNS service; millions of people will suddenly be unable to use the Internet. So the FBI, in conjunction with industry partners, has erected temporary DNS servers to keep the Internet “working” for infected machines while cleanup efforts are undertaken. It is important to note that the replacement servers will not remove the DNSChanger malware—or other viruses it may have facilitated—from infected computers. About half of the original 120-day order for temporary servers has run out, and the cleanup efforts are seriously lagging. On March 7, 2012 when the deadline arrives, millions of people may not be able to reach their intended Internet destinations.

Out of sight, out of mind

Since the initial headlines, there seems to be little interest in the DNSChanger story, and many in the security community are concerned about the impact when the temporary servers are taken down. Certainly when millions of users lose their Internet connectivity simultaneously in early March it will be a different story, but in order to prevent that from happening, the time to act is now.

And there is also no excuse not to act. Many members of the security community know the IP addresses of all the infected machines out there, since they all reach out to the temporary servers for DNS resolutions constantly. Getting a hold of that information for a network that you run is free. Organizations like ShadowServer and Team Cymru are providing free lists of infected IPs to the relevant Internet service providers and network operators.  Some companies are providing free alerts to enterprise network operators and many other security companies are providing this information to their clients as well. A little bit of work today will solve some major customer service impacts in a couple months when “the Internet will break” for millions of computers around the world.

What is DNSChanger and what does it do?


DNSChanger is a deep-level rootkit malware (incorporating TDSS, also known as Alureon or TDL4) developed to divert traffic for clickjacking and to suppress normal Anti-Virus (A/V) updates. The malware reconfigures DNS settings on victims’ machines, both PCs and Macs, as well as small office/home office routers, to use criminally run DNS servers. It also disables A/V and regular software updates on the infected machines, making them susceptible to attacks from other virus families. The goal of this malware was largely to monetize traffic from misdirected users, and in that it worked very well—to the tune of at least tens of millions of dollars, if not more. The software is also very well dug in to the operating system, making cleanup difficult—likely requiring sector-level re-imaging of the entire machine in order to be sure to get it all. The industry is still working on best common practices regarding remediation right now, and a website with the latest information is being built by the DNS Changer Working Group. While cleanup will be far from simple, certainly one of the key elements is to ensure that settings on affected machines for DNS resolution are reconfigured to use legitimate DNS servers instead of the criminal infrastructure servers.
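Because the malware rewrites resolver settings on hosts and on SOHO routers, a network operator can spot affected clients from the network side by looking for DNS traffic that bypasses the sanctioned resolvers. The following is an added example, not code from the article or from the DNS Changer Working Group. The rogue ranges are placeholders from documentation address space (substitute the ranges from your law-enforcement or feed-provider notice), and the resolver address, flow-record layout and sample records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# PLACEHOLDER rogue ranges (RFC 5737 documentation space), not real indicators:
# replace with the ranges published for the criminal/temporary DNS servers.
ROGUE_DNS_RANGES = [ipaddress.ip_network(n)
                    for n in ("192.0.2.0/24", "198.51.100.0/25")]
# Assumed sanctioned recursive resolver for this hypothetical network.
SANCTIONED_RESOLVERS = {ipaddress.ip_address("10.0.0.53")}

# Constructed sample flow records: "timestamp src_ip dst_ip dst_port proto"
SAMPLE_FLOWS = """\
2012-01-10T09:00:01Z 10.0.4.17 10.0.0.53 53 udp
2012-01-10T09:00:02Z 10.0.4.22 192.0.2.10 53 udp
2012-01-10T09:00:03Z 10.0.4.22 192.0.2.11 53 udp
2012-01-10T09:00:04Z 10.0.7.5 203.0.113.8 53 udp
2012-01-10T09:00:05Z 10.0.4.31 198.51.100.200 53 udp
2012-01-10T09:00:06Z 10.0.4.40 198.51.100.20 53 tcp
2012-01-10T09:00:07Z 10.0.4.17 192.0.2.10 443 tcp
malformed line
"""

def classify_dns_flows(text):
    """Return (suspected, unsanctioned): client IP -> set of DNS servers used."""
    suspected, unsanctioned = defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3] != "53":
            continue  # skip malformed records and non-DNS traffic
        src, dst = parts[1], parts[2]
        try:
            ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            continue
        if any(dst_ip in net for net in ROGUE_DNS_RANGES):
            suspected[src].add(dst)      # resolver rewritten to a rogue range
        elif dst_ip not in SANCTIONED_RESOLVERS:
            unsanctioned[src].add(dst)   # policy gap: DNS bypassing our resolver
    return dict(suspected), dict(unsanctioned)

if __name__ == "__main__":
    hits, bypass = classify_dns_flows(SAMPLE_FLOWS)
    for client, servers in sorted(hits.items()):
        print(f"SUSPECTED DNSChanger: {client} -> {sorted(servers)}")
    for client, servers in sorted(bypass.items()):
        print(f"unsanctioned resolver: {client} -> {sorted(servers)}")
```

A client behind an infected router will appear here even when its own operating system settings look clean, so a hit should trigger a check of the upstream router's DNS configuration as well as the host.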

Who is impacted?

DNSChanger has been spreading for well over five years, and is believed to be on over four million computers. Most of the millions of victims ironically thought they were downloading anti-spyware software and were victims of well-executed social engineering campaigns, so there is widespread damage. Victims have been susceptible to other virus attacks, as the DNSChanger malware has disabled their A/V. Once the FBI’s temporary DNS servers are shut down in a few months, un-repaired machines will not be able to reach Internet addresses.

A tool for determining if an individual’s machine is affected can be found on the FBI website. The FBI is also seeking to build an even bigger case against the miscreants by calling on all people and organizations who find that they have infected devices to submit a victim report form.

Get in the Game Today!

The time to act is now—both getting your infected machines cleaned up, and as an enterprise, locking down your recursive DNS infrastructure so the next version of DNSChanger doesn’t do even more damage.

Speaking of enterprises, while we’ve addressed DNSChanger’s threats and clean-up efforts, we have not fully talked about how you can prevent DNSChanger-type malware from impacting your network. Stay tuned for the second installment in our two-part series on DNSChanger malware in the coming weeks for that side of the story.
