With DNSChanger Shutdown on July 9, Concerns Remain - Security - News & Reviews - eWeek.com | eWeek

With DNSChanger Shutdown on July 9, Concerns Remain

Written By
eweekdev
eweekdev
Jul 5, 2012
3 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

By: Robert Lemos

In March, a judge agreed to extend the U.S. Department of Justice’s control over the domain-name infrastructure that allowed a widespread piece of malware, DNSChanger, to serve up ads that profited the criminal group behind the program.

On July 9, the company that runs the DNS service on behalf of the U.S. government will shut it down, and hundreds of thousands of users may lose the ability to connect to common Internet sites. The shutdown of the DNSChanger infrastructure ends a controversial period where a critical piece of botnet infrastructure was under the control of a legitimate group.

“The FBI has been in control of these servers for a while, and they are just going to go dark,” said Dave Marcus, director of advanced research and threat intelligence for McAfee, a subsidiary of Intel. “You have a lot of people out there that are still infected with DNSChanger, who will need to go out and get their systems cleaned up.”

When it infects a computer, DNSChanger redirects domain-lookup requests to a criminal-owned server that can send victims to fraudulent Websites or legitimate sites from which the criminals collect advertising fees. The malware infected an estimated four million computers and netted its criminals operators more than $14 million. Following a click on a search link, the malware could hijack a victim’s Web browser, known as clickjacking, or replace the advertisements on legitimate Websites with fraudulent ads.

About 12 percent of the Fortune 500 and a single major government organization continue to be affected by DNSChanger, network and brand protection firm Internet Identity stated last week. Computers at some 277,000 Internet addresses are currently infected by the software, according to security firm Damballa. The actual number of infected systems is likely higher, Gunter Ollmann, vice president of research at Damballa, said in a statement.

“Law enforcement has been working with the ISPs, and they’ve been able to make the translation from IP addresses seen at the server to specific ISP subscribers,” said Ollmann. “There are, however, complexities in households that have multiple computers compromised and sit behind the same subscriber modem or connection.”

The FBI announced the takedown of the DNSChanger botnet in November 2011, along with the arrest of six Estonian nationals and a Russian citizen for operating the large botnet. At the time, they estimated that four million systems had been infected in 100 countries, including half of a million computers in the United States.

While the actual damage done by DNSChanger is small compared to some more aggressive malware, the techniques used by law enforcement set a precedent, said Ollmann.

“In the grand scale of Internet crime and the monetization of victims, DNSChanger is not a serious threat, but it is an interesting footnote in the success of law enforcement actively taking down a large botnet,” said Ollmann.

A number of companies and organizations have released tools and sites for helping potential victims test their system for signs of DNSChanger. McAfee offers a free tool as does the DNSChanger Working Group.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.