You are hereBlogs / Joseph Kexel's blog / DNSChanger


By Joseph Kexel - Posted on 28 April 2012

The FBI is working to get the word out about the DNSChanger virus which has infected around 500,000 PCs throughout the US and up to 4 million worldwide. This particular virus has a specific goal in mind. It wishes to lead you to malicious DNS servers to the benefit of the hackers. The hackers set up advertising accounts and websites, then used the rogue DNS servers to manipulate your Internet activity to boost their advertising revenue and sales.

I will try to explain how this scheme works using a paradigm you are already aware of. The phone system is like the Internet in that all the phones are identified with numbers, much like PCs are given IP addresses. You can imagine a DNS server as an electronic phone book which will offer you the number for any unique name you request. Since the DNS server is not in your house, you need to put the IP address for your ISP's DNS servers into your computer, either manually or setting the system to request those addresses from your ISP upon connection.

Once you are infected, the virus overrides your DNS settings mentioned above. You will not have access to your ISP's DNS servers. Your system will be redirected to the rogue DNS servers. There is no real equivalent to the phone book analogy for this for you never have the phone book (DNS servers) in your possession. However, the closest thing would having people sneak into other people's homes and replacing the phone book with a fake.

So, normally you use the Internet assuming or will lead you to the appropriate sites. When you get the virus the hackers spread around, your DNS comes from the rogue servers, allowing their friend to have actually take you to their where you make an appointment. Pretty sneaky, right? To put in the phone book analogy, think that they are able to put Davids muffler's phone number in place of Johns muffler's phone number. That injures John for people seeking him cannot find him and benefits David for he is getting both his customers and John's.

The ad revenue scheme works a bit differently. Websites are willing to pay for other sites to help move traffic to their websites. When you do so by clicking a particular web link, they give the assisting site, for example, 10 cents for their effort. Hackers using DNSChanger can manipulate many people with infected PCs into clicking links found on servers they control. That activity triggers the 10 cent payment many times over, thus making millions of dollars for the hackers.

Now you understand the scam. The problem for you now is, if you are infected you may not know it. When the Feds turn off the servers they put up in place of the rogue servers they discovered, your Internet will go down and down HARD. You will, effectively, own a computer (phone) without DNS support (phone book). You will not even be able to call for help. The FBI has successfully ended the scam by putting up real DNS servers to replace the fake ones the virus points to, but they cannot keep them up indefinitely. The scheduled take down will be on July 9th, 2012.

You can find out, if you are going to have problems, by going to the following website:

It is pretty simple. If the background is Green, you are good. If it is Red, you need assistance in removing the virus. Check out your PC before July 9th and seek help ASAP.

The Feds are using the IP addresses of the rogue DNS servers on real DNS servers. The servers provided are used only by those PCs infected by the virus and point to the page with the Red background. The rest of the world's PCs use their regular DNS servers that point to the page with the Green background. It makes a slick tool to help people figure out their current status.

If your system turns out to be infected with DNSChanger, call Vikkex and we will assist you in getting your system cleaned up.

For more information, you may refer to the FBI original document.