Now nearly five years old, DNSChanger still infects hundreds of thousands of computers. Read our FAQ to learn what this malware is, and how to stop it.
This graphic shows how the DNSChanger malware worked.
The DNSChanger malware has been around for years, but its deleterious effects are coming to a head this Monday, when the FBI shuts down its servers in the US. Here's what you have to know about it, and how to fix it.
What is DNSChanger?
DNSChanger is a trojan horse malware with many variants. It changes an infected computer's DNS settings to point to rogue, bad-guy-controlled servers. These then show you ads that look real, but aren't. Basically, it redirects your legitimate web surfing to malicious websites that then attempt to steal personal information and generate illegitimate ad revenue.
How much money did DNSChanger make?
From the time it was discovered around 2007, until six Estonian scammers were caught in November 2011, DNSChanger scored them upwards of US$14 million, reportedly.
What does DNSChanger do?
DNSChanger changes your Domain Name System settings without your permission. This is bad, because DNS is basically the internet's phone book crossed with a map. DNS links a URL, such as CNET.com, to an IP address. (An IPv4 address would be something like 184.108.40.206, while an IPv6 address would look like 1050:0:0:0:5:600:300c:326b.) DNSChanger changes that, and redirects search results and URLs to malicious sites that are designed to either serve you ads to malicious sites, or intend to illegitimately collect your log-in information.
If the bad guys have been caught already, why does DNSChanger still affect people?
Simply put, the malware was exceedingly effective, and infected hundreds of thousands of computers. Prior to the bad guys being arrested, the US Federal Bureau of Investigation and German Federal Office for Information Security created a redirect of the redirect, so that many people infected by DNSChanger would still go to the legitimate websites that they intended to visit.
After the arrests, the two governments agreed to keep the rogue DNS servers running until March. Then they learned that there were still around 450,000 active DNSChanger infections, and so the servers got a reprieve until Monday, 9 July.
Yep. And around 330,000 people were still infected with DNSChanger as of the end of May, with about 77,000 of those in the US.
Google's warning that appeared at the top of search results.
How can I tell if I'm infected?
If you're in Australia, go to the DNSChanger Working Group. Click on the URL appropriate to your country, and you'll see an image with a green background if you're clean. A red background means you're infected.
Help! My computer's infected with DNSChanger. How can I fix it?
The DCWG has a list of free tools to download, and instructions on how to clean a computer infected with DNSChanger.
How can I avoid malware like DNSChanger in the future?
Security suites aren't perfect, but they will protect you from the vast majority of threats out there, including DNSChanger. Whether you're on Windows or Mac, Android or iOS, you really ought to have some kind of security program installed. And always double-check the URL before entering personal information into any kind of online text field or form, no matter what operating system or device you're using.