DNSChanger

Overview

DNSChanger is a Trojan virus that was distributed between 2007 and 2011. Masked as a video codec, the program modified the computer's Domain Name System (DNS) configuration to send users to a rogue server which replaced normal advertising with advertising sold by Rove Digital^[1], the Trojan's distributor. In November 2011, the United States FBI seized the company's servers, which are set to be turned off on July 9th, 2012. On July 2nd, 2012, the F-Secure Labs^[2] estimated that 300,000 unique IP addresses were still registered on the servers, leading many news sites and tech blogs to publish articles about a "DNSChanger Doomsday."

Background

Forum posts about the DNSChanger virus began appearing as early as February 3rd, 2007 on the What the Tech?^[3] forums. That year, more users posted threads with concern about the virus on the Search and Destroy forums^[4], Wilders Security Forums^[5] as well as articles on how to remove it appearing on blogs including Security Ticker^[6], My Anti Spyware^[7] and F-Secure.^[8] The following year, in December 2008, a blog about the virus was posted on the Washington Post^[9] and subsequently shared on Reddit^[10] the following day.

In November 2011, members of the United States FBI arrested six Estonian nationals in Operation Ghost Click^[22], dismantling Rove Digital after more than 4 million computers across the globe had been affected.

Notable Development

Since Rove's affected servers were seized, the FBI replaced them with legitimate servers in hopes that affected users would not have their service disrupted. The FBI servers redirected the rogue ones to the correct DNS for those users with the trojan still embedded in their computer.^[18] Originally, these servers were meant to be turned off in March 2012, but due to 450,000 global computers still affected, the federal government granted an extension until Monday, July 9th, 2012.

Malware Detector 

On July 4th, F-Secure released an estimate that at least 300,000 computers were still infected with the malware. As the deadline drew near, the FBI launched a website at DNS-ok.us where computer users can check their infection status by green or red color backgrounds. 

Major internet companies like Google and Facebook as well as U.S. Internet service providers (ISP) like Comcast, COX, Verizon, and AT&T also issued automatic notifications to users accessing through rogue DNS network.

News Media Coverage

The FBI's detector site and the warning quickly spread through the tech news blogosphere and online news sites, accompanied by sensational headlines suggesting there will be a massive internet blackout on July 9th. The intensive media coverage of a potential server outage came only days after temporary blackout of major sites and online services like Reddit and Netflix caused by Amazon's data center outage and a technical bug known as the leap second glitch.

On Twitter

The hashtag #DNSChanger^[11] has had an average of 30 tweets per hour^[12] in July 2012. 

Search Interest

External References