DNSChanger Malware / Trojan

What is a DNSChanger?

The DNSChanger Trojan is usually a small file (about 1.5 kilobytes) that is designed to change the 'NameServer' Registry key value to a desired IP address. This IP address is usually encrypted in the body of a Trojan. As a result of this change a victim's computer will contact the newly assigned DNS server to resolve names of different webservers. And some of the resolved names will not point to legitimate websites - they will point to fake websites that look like real ones, but are created to steal sensitive information (like credit card numbers, logins, email accounts and passwords).


PC, Mac, Linux


In November 2011, U.S. Federal prosecutors announced Operation Ghost Click, an investigation that resulted in the arrests of a ring of seven people who allegedly infected millions of computers and DNSChanger malware.

The malware may prevent users' anti-virus software from functioning properly and hijack the domain name system (DNS) on infected systems. Systems affected by DNS hijacking may send internet requests to a rogue DNS server rather than a legitimate one.

To prevent millions of Internet users infected with the DNSChanger malware from losing Internet connectivity when the members of the ring where arrested, the FBI replaced rogue DNS servers with clean servers.

However, the court order allowing the FBI to provide the clean servers is set to expire on March 8, 2012. Computers that are infected with the DNSChanger malware may lose Internet connectivity when these FBI servers are taken offline.

We encourage users and administrators to utilize the FBI's rogue DNS detection tool to ensure their systems are not infected with the DNSChange malware. Computers testing positive for infection of the DNSChanger malware will need to be cleaned of the malware to ensure continued Internet connectivity.

Users and administrators are encouraged to implement the following preventative measures to protect themselves from malware campaigns:

  • Maintain up-to-date antivirus software
  • Do not follow unsolicited web links in email messages
  • Configure your web browser as described in the Securing Your Web Browser document
  • Use caution when opening email attachments
  • Implement best security practices as described in the Ten Ways to Improve the Security of a New Computer (pdf) document

A system can be quickly and easily checked for the presence of this trojan by visiting http://www.dns-ok.us/.

If you need any help, please contact us (416) 567-1181 or email us.