Don’t Be a Victim of DNSChanger Before July 9

Following up on a post from my colleague Jim Walter some months ago about DNSChanger, it is now time to act!

For a more detailed description of the threat, check out Jim’s post and our Knowledge Center entry about detection and remediation of DNSChanger. Here is a brief recap: DNSChanger is malware that a gang of criminals use to redirect the computers of infected users to DNS servers run by the gang. To achieve this, the malware changes the DNS settings on the infected machine. And what’s worse: it also changes the settings on home routers with no or default passwords.

The DNS Changer Working Group (DCWG) has been working hard with ISPs worldwide to get as many victims as possible remediated before the rogue DNS servers are switched off on July 9 (which effectively means the loss of Internet connection for the victims), but there are still some hundreds of thousands machines affected. Data released by the DCWG show some 300,000 unique IP address as of June 11. Based on these figures, it’s hard to say how many victims there really are. Some may be dialing in with new IP addresses several times a day; in other cases it could be small business networks behind affected routers. DCWG has more data here.

Make sure you are not a victim, and spread the word to your friends. You can run a quick check by connecting to This is not fully foolproof, as some ISPs are rerouting the DNS queries for their infected customers; but at least this means you will still be able to access the Internet after July 9.

To really make sure you’re not a victim, check out our document detailing the threat and showing how to use a special version of our Stinger tool to detect and remediate an infected system.