DNSChanger, the FBI and the July 9th Deadline – What You Need to Know

You may have recently heard a lot of stories recently about a type of malware referred to as DNSChanger, or you may have heard that on July 9th you may lose your Internet access if you’re infected with malware. We explain – simply and concisely – what it is all about and what you need to do and know to make sure you’re not affected.


The Apple Itunes store was specifically targeted by the scammers who would not let infected computers visit the real store, instead directed them to a spoof website.

It all started back in 2007.

A small group of scammers were busy infecting computers with a type of malware called DNSChanger, with a great success rate. DNSChanger was able to travel from computer to computer, infecting them and thus putting them under the control of the scammers. This growing network of infected computers is known as a botnet.

What this DNSChanger malware actually did was change the DNS settings on the infected computer. DNS is a system that lets your Internet browser (Internet Explorer for example) connect to the right web server when you type in a web address, thus bringing up the correct website. Without DNS your Internet browser would not know where to go when you typed in, for example, www.google.com. When you type in a web address your computer first connects to the DNS server belonging to your Internet provider, which then tells your computer where to go. However DNSChanger altered this, and instead of your computer connecting to the DNS server belonging to your Internet provider, it would instead connect to a server belonging to the scammers.
This is particularly dangerous because this lets the scammers control an infected computers Internet experience. They can manipulate where users end up when they try and visit websites, or even alter the resulting webpage itself. And this is what happened in the case of the 2007 DNSChanger malware. It redirected people to spoof websites that contained third party adverts. Because the scammers affiliated themselves with the people who owned those third party adverts they made lots of money in commissions. Apple and the IRS in the US have been specifically targeted, with DNSChanger refusing to allow victims to visit those websites, instead serving spoof sites.

However, in 2011, over 3 years after the scam started, the FBI – working with the Estonian police – caught the scammers in an operation called “Operation Ghost Click”. By this time the scammers accumulated over £8million ($14mil) and had infected millions of computers!

But what’s all this about a July 9th deadline before you may lose the Internet?

The problem with the fact that so many infected computers were connecting to the DNS servers belonging to the scammers (and still are!) was that shutting down the servers would result in infected computers not being able to connect to the Internet. Even though the DNS servers belonged to the scammers, infected computers were still relying on them to go online. So the FBI neutralised all third party ads and other dodgy activity and kept the DNS servers belonging to the scammers up and running like a normal DNS server. This gave time for people with infected computers to cleanse their computers of malware and return to using the DNS servers belonging to their Internet providers, as they should do.
However the FBI is going to shut down the scammers DNS servers on July 9th (it costs money to keep them running after all!) meaning if any computers with this specific DNSChanger malware are still infected by this date they will no longer connect to the Internet. Their Internet connection is still active, but the computer will be looking in the wrong place for instructions on what to do when a user types in a web address.

So how do you know if your computer is infected with DNSChanger? Well, fortunately that could not be any easier. Dozens of websites have been set up for potential victims. All you have to do is visit the site and it will tell you if you are infected or not, straight away. For a list of sites in various languages and locales visit the DCWG website.


If a website checking for the malware shows this screen, you’re infected. A green screen means your computer is clean for this specific type of malware and you won’t lose your Internet on July 9th.

If you’re infected, the site will bring up a red screen telling you as much. If you’re infected it’s time to break out the latest anti-virus software you have installed and run a full system scan, and if you haven’t got up-to-date reliable anti-virus then you can click here for our recommendations.

On a small sidenote, you will only lose your Internet access if you have this specific DNSChanger infection. If you have other malware on your computer the July 9th deadline is irrelevant to you, despite what many inaccurate rumours claim.

Make sure you do check your system, because if you don’t you may be seriously regretting it come July 9th!

Share
Published by
Craig Haley