FBI Warns Thousands With Infected Computers May Lose Internet Access on July 9, 2012 – Facts Analysis



FBI Warns Millions With Infected Computers May Lose Internet Access on July 9th, 2012.
FBI warns of DNSChanger malware that could permanently prevent Internet access.
Protect Yourself From DNSChanger.


The warning message is a fact. The FBI's message warns that millions of computer users around the world have been attacked by DNSChanger and may completely lose access to the internet on July 9, 2012.

DNS stands for Domain Name System, which is a standard internet service that converts user-friendly domain names like www.hoaxorfact.com into numerical addresses, thereby allowing the computers to talk to each other. DNS connects your computer to the DNS servers operated by internet service providers. Therefore, without DNS and DNS servers, you will not be able to use any internet services.

What is DNSChanger

DNSChanger is malware started by cyber criminals in 2007 that has infected millions of computers across the world. Once on a user's computer, it lets the criminals control which DNS servers that computer uses. As a result, the criminals have redirected unsuspecting computer users to fraudulent websites, interfering with their web browsing and also making their computers vulnerable to other types of malicious software.

DNS Malware (Photo Credit: FBI)

How DNSChanger Infects Your Computer

DNSChanger malware usually comes as a small file (about 1.5 kilobytes) which is designed to change the user’s ‘NameServer’ Registry key value to a custom IP address. This custom IP address is generally encrypted in the body of the trojan. Once a computer is infected with DNSChanger, it contacts the newly assigned DNS server to resolve the names of web servers. The malware also attempts to access other devices on the victim’s small office/home office (SOHO) network (like a router or home gateway) using common default usernames and passwords and, if successful, can impact all computers on the SOHO network. This is how criminals can replace good DNS servers with bad DNS servers operated by them, and mislead users to fraudulent websites and other malicious activities.

The Internet Systems Consortium (ISC) has deployed and maintained temporary clean DNS servers so that victims of DNSChanger can clean their affected computers, remove DNSChanger and restore their normal DNS settings. These clean DNS servers will be turned off on July 9, 2012, so computers that are still affected by DNSChanger may lose Internet access at that time.

How to Check if Your Computer is Infected

To check if your computer is infected with DNSChanger malware, you need to check if your DNS server settings have been changed to a bad server. If your computer is connected to a wireless access point or a router, settings on those devices should also be checked.

If you are using a Windows computer, open command prompt and enter

ipconfig /all

Search for the entry that reads “DNS Servers………”
The numbers on this line and the line(s) below it are the IP addresses of your DNS servers. These numbers will be in the format nnn.nnn.nnn.nnn, where nnn is a number in the range of 0 to 255. Make a note of them, and go to the official FBI website to check if your computer is using a bad DNS.
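The Windows check above can be automated. The following is an added example, not part of the original article or any FBI tool: it pulls every address from the “DNS Servers” entry of ipconfig /all output, including the continuation lines below it, and compares them with a list of rogue ranges. The ranges and the sample output are constructed placeholders; the real rogue ranges must be taken from the FBI's published list.

```python
import ipaddress
import re

# Constructed placeholder ranges (RFC 5737 documentation networks), NOT real
# DNSChanger indicators. Replace them with the rogue ranges the FBI published.
ROGUE_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "203.0.113.0/24")]

# Constructed, abridged sample of `ipconfig /all` output for two adapters.
SAMPLE = """\
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 192.168.1.20(Preferred)
   DNS Servers . . . . . . . . . . . : 192.0.2.53
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:
   DNS Servers . . . . . . . . . . . : 198.51.100.7
"""

# The labelled line carries the first server; extra servers follow on
# indented lines that contain nothing but an address.
LABEL = re.compile(r"^\s+DNS Servers[ .]*:\s*(\S+)\s*$")
CONTINUATION = re.compile(r"^\s+([0-9A-Fa-f:.%]+)\s*$")

def dns_servers(ipconfig_text):
    """Return every DNS server listed, including continuation lines."""
    servers, in_block = [], False
    for line in ipconfig_text.splitlines():
        m = LABEL.match(line)
        if m:
            servers.append(m.group(1))
            in_block = True
            continue
        m = CONTINUATION.match(line) if in_block else None
        if m:
            servers.append(m.group(1))
        else:
            in_block = False  # any other line ends the DNS Servers entry
    return servers

def rogue_servers(ipconfig_text, ranges=ROGUE_RANGES):
    """Return the configured DNS servers that fall inside a listed range."""
    hits = []
    for server in dns_servers(ipconfig_text):
        try:
            addr = ipaddress.ip_address(server.split("%")[0])  # drop IPv6 zone id
        except ValueError:
            continue  # not an address; ignore rather than crash
        if any(addr in net for net in ranges):
            hits.append(server)
    return hits
```

An empty result only means that none of the adapters on this computer point at a listed range; the router's DNS settings still have to be checked separately, as described below.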


If you are using an Apple computer, click on the Apple icon on the top left corner and go to System Preferences. From the Apple System Preferences window, select Network to view a number of possible connections on the left side. Choose your active network and click on the Advanced button in the lower right corner. Then select DNS from the options to check your DNS servers.


If your computer is on a network, you should check DNS settings of your routers and other devices of your SOHO network. You should refer to the product documentation of the manufacturer to know how to find DNS server details.

What to Do if Infected

If your computer is infected with DNSChanger, the FBI website will show the following warning when you check your DNS server:

Your IP corresponds to a known rogue DNS server, and your computer may be infected, please consult a computer professional.

If your computer is infected with this malware, it is a serious issue, and removing DNSChanger takes some intensive work. The easiest and safest solution is to back up your important data, reformat your hard drives, and then reinstall the operating system. Alternatively, you can try removing DNSChanger with a good malware removal utility such as Kaspersky Labs’ TDSSKiller.

If your infected computer is on a network with a hacked router, you should reset the router and confirm that all network settings are restored to the manufacturer’s defaults. For instructions on how to reset your router, follow the manufacturer’s guidelines.

When you are done with all that, you should verify that your computer is no longer infected with DNSChanger. Once DNSChanger is eliminated, you will not be affected when the FBI shuts down the ISC’s temporary DNS servers on July 9th, 2012, and you will not lose internet access.

Note: If you are not comfortable with any of the above mentioned procedures, it is advised to consult a computer professional.

Hoax or Fact:




Prashanth Damarla