DNSChanger Malware / Rogue DNS - "Internet Doomsday" July 9

Back in late 2011 the FBI dismantled a large and sophisticated internet fraud ring behind the DNSChanger virus/malware. Part of this malware involved directing victims' DNS requests to rogue servers controlled by the malware authors.

After arresting the perpetrators the FBI and ISC set up "clean" DNS servers to replace the rogue servers used by the malware authors. These servers are scheduled to cease operation on July 9, 2012.

There are plenty of articles, mainly this one that caught my attention. Honestly, I have never heard anything about this until this morning when my boss asked me to "prepare" something for our co-workers to keep them on the up-and-up.

First and foremost, has anyone else heard about this and should I be worried? The DNS at my work environment is not in the range of affected Rogue DNS, but that's not saying mine at home or any of my colleagues' might be.

Second, how should I go about "preparing" to make sure everything is safe and functioning like it should be come July 9?


It's not your DNS servers that you would have to worry about. It's the client machines that got infected by this malware.

Basically what happened was that when the FBI arrested the authors of the virus they took control of the DNS servers that they were running. Now, they can't run them forever using taxpayers' money and they are on a limited amount of time due to the court order that was issued.

On your end you need to make sure that your client machines are not infected with the virus.

There is a lot of good info on the FBI Operation Ghost Click website.


In addition to what Zypher mentioned, you may also want to check out ISC's blog post about this, and the DNS Changer Working Group website which is specifically devoted to this mess.

In particular, the ISC site mentions the following re: how to detect if your systems are affected:

Is your DNS OK?
A half dozen national Internet security teams around the world have created special web sites that will display a warning message to potential victims of the DNS Changer infection.
For example if you visit http://dns-ok.de/ then you’ll get a German language page saying either that you appear to be infected or that you appear not to be infected. Andrew Fried and I created http://dns-ok.us/ for the same purpose, though of course our page is in American English.
The full list of these “DNS Checking” web sites is published on the DCWG’s web site along with a lot of information about the threat, the arrests, the takedown, the court orders, and clean-up information for victims. Now that we’ve got all these web sites that are able to tell someone if they are a victim and that tell victims what to do to clean up their computers and their home routers, the problem seems to be getting people to care.
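One way to do the client-side check the ISC quote describes, as an added example that is not from this thread or from the FBI/DCWG: read the resolvers a client is actually configured to use (resolv.conf on Unix, `ipconfig /all` on Windows) and test whether any of them falls inside the published rogue ranges. The ranges below are placeholders (the real list is on the DCWG site), and the resolv.conf and ipconfig text is constructed sample input.

```python
import ipaddress
import re
# PLACEHOLDER ranges, constructed for this example; they are NOT the real rogue
# DNSChanger ranges. Substitute the list published on the DCWG/FBI pages.
ROGUE_RANGES = [ipaddress.ip_network(c) for c in ("192.0.2.0/24", "198.51.100.0/25")]
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# An ipconfig field line looks like "   Name . . . : value"; the indented
# continuation lines that carry extra DNS servers have no ". :" separator.
FIELD_RE = re.compile(r"^\s*\S.*\.\s*:")

def resolvers_from_resolv_conf(text):
    """Nameserver addresses from /etc/resolv.conf-style text, comments stripped."""
    found = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.append(parts[1])
    return found

def resolvers_from_ipconfig(text):
    """IPv4 DNS servers from English 'ipconfig /all' output; IPv6 entries are skipped."""
    found, in_dns = [], False
    for line in text.splitlines():
        if FIELD_RE.match(line):          # a new field starts: is it 'DNS Servers'?
            in_dns = "DNS Servers" in line
        if in_dns:
            found.extend(IPV4_RE.findall(line))
    return found

def check_resolvers(addresses, ranges=ROGUE_RANGES):
    """True if the resolver lies inside a rogue range, False if not, None if unparsable."""
    verdict = {}
    for addr in addresses:
        try:
            ip = ipaddress.ip_address(addr)
            verdict[addr] = any(ip in net for net in ranges)   # v6 vs v4 net is simply False
        except ValueError:
            verdict[addr] = None
    return verdict

# Constructed sample inputs; 192.0.2.53 and 198.51.100.7 play the rogue servers.
SAMPLE_RESOLV_CONF = "search corp.example\nnameserver 10.0.0.53\nnameserver 192.0.2.53  # rogue\n"
SAMPLE_IPCONFIG = ("   DNS Servers . . . . . . . . . . . : 198.51.100.7\n"
                   "                                       10.0.0.53\n"
                   "   NetBIOS over Tcpip. . . . . . . . : Enabled\n")
if __name__ == "__main__":
    addrs = resolvers_from_resolv_conf(SAMPLE_RESOLV_CONF) + resolvers_from_ipconfig(SAMPLE_IPCONFIG)
    for addr, hit in check_resolvers(addrs).items():
        print(addr, {True: "IN ROGUE RANGE - clean this client", False: "clean", None: "unparsable"}[hit])
```

A client that resolves through a router the malware reconfigured will show the router's LAN address here, so the router's own upstream resolver setting needs the same comparison.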