Overview
DNSChanger is a Trojan virus that was distributed between 2007 and 2011. Masked as a video codec, the program modified the computer’s Domain Name System (DNS) configuration to send users to a rogue server which replaced normal advertising with advertising sold by Rove Digital[1], the Trojan’s distributor. In November 2011, the United States FBI seized the company’s servers, which are set to be turned off on July 9th, 2012. On July 2nd, 2012, the F-Secure Labs[2] estimated that 300,000 unique IP addresses were still registered on the servers, causing many sites to publish articles about a “DNSChanger Doomsday.”
Background
Forum posts about the DNSChanger virus began appearing as early as February 3rd, 2007 on the What the Tech?[3] forums. That year, more users posted threads with concern about the virus on the Search and Destroy forums[4], Wilders Security Forums[5] as well as articles on how to remove it appearing on blogs including Security Ticker[6], My Anti Spyware[7] and F-Secure.[8] The following year, in December 2008, a blog about the virus was posted on the Washington Post[9] and subsequently shared on Reddit[10] the following day.
Notable Development
In November 2011, members of the United States FBI arrested six Estonian nationals in Operation Ghost Click[22], dismantling Rove Digital after more than 4 million computers across the globe had been affected. Since Rove’s affected servers were seized, the FBI replaced them with legitimate servers in hopes that affected users would not have their service disrupted. The FBI servers redirected the rogue ones to the correct DNS for those users with the trojan still embedded in their computer.[18] Originally, these servers were meant to be turned off in March 2012, but due to 450,000 global computers still affected, the federal government granted an extension until Monday, July 9th, 2012.
Malware Detector
On July 4th, F-Secure released an estimate that at least 300,000 computers were still infected with the malware. Meanwhile, the FBI launched a website at DNS-ok.us computer users can check their infection status by green or red color backgrounds.
News Media Coverage
The FBI’s detector site and the warning quickly spread through the tech news blogosphere and online news sites, accompanied by sensational headlines suggesting there will be a massive internet blackout on July 9th. The intensive media coverage of a potential server outage came only days after temporary blackout of major sites and online services like Reddit and Netflix caused by Amazon’s data center outage and a technical bug known as the leap second glitch.
On Twitter
The hashtag #DNSChanger[11] has had an average of 30 tweets per hour[12] in July 2012.
Search Interest
External References
[1] Wikipedia – Rove Digital
[2] F-Secure – Should the FBI be reauthorized to continue DNSChanger servers?
[3] What the Tech – Trojan DNS changer.hg, cant get rid of it
[4] Search and Destroy Forums – Win32.DNSChanger
[5] Wilders Security Forums – Trojan Win32 Dns Changer .ik -hard to believe
[6] Security Ticker – OSX Has It’s Own Zlob DNSChanger OSX.RSPlug.A
[7] My Anti Spyware – How to remove trojan DNSChanger/DNS hijacker (Redirect Virus/Trojan Fix)
[8] F-Secure – Trojan:OSX/DNSChanger
[9] Washington Post – A Scary Twist in Malware Evil-ution
[10] Reddit – A Scary Twist in Malware Evil-ution: Beware of DNSChanger
[11] Twitter – Results for #dnschanger"
[12] Topsy – #DNSChanger
[13] PC Mag – DNSChanger Doomsday
[14]TPM Idea Lab – FBI’s Plan to Yank DNS Changer Servers Not ‘Doomsday,’ Here’s How To Stay Online
[15] Huffington Post – DNSChanger Malware May Knock Thousands Off Internet On July 9: How To Avoid It
[16]MSNBC – Last call to wipe DNSChanger before ‘Internet doomsday’
[17]FBI – DNSChanger Malware
[18] CNet – What the DNSChanger malware is -- and why you should care (FAQ)
[19] PC World – Protect Yourself From DNSChanger
[20] PC World – There Is No Excuse for Still Being Infected with DNSChanger
[21]TIME – DNSChanger: No, the Internet Isn’t Shutting Down on Monday
[22]FBI – DNS Malware: Is Your Computer Infected?
[23] Reuters – Virus could black out nearly 250,000 PCs
[24] Yahoo! News – Worldwide Internet Outage
[25] Tech Republic – Preparing for the DNSChanger Internet outage