The DNS Changer virus is a malware that infects your computer and changes your DNS servers to so called rouge DNS servers operated by the creators of the virus. The effect is that if you try to visit a site, the rogue DNS servers will direct you to some other site which is operated by them. By doing this, the criminals generated about $14 million of advertising income.
The DNS changer virus was created by Estonian cyber criminals who were arrested in November of 2011. A DNS Changer working group was created to investigate the effects of the malware and to mitigate the effects of the virus.
How it works:
DNS (Domain Name System) is a protocol to convert domain names like facebook.com to their corresponding IP addresses. An IP address is an address of a server connected to the internet on which facebook.com resides and has its data on (like your user profile information). When a user types in facebook.com in a browser window, the request first goes to the user’s internet service provider (ISP) which tries to convert facebook.com to an IP address. The name servers of the ISP find out that facebook.com’s address is actually 18.104.22.168 (an IP address) and returns that information to the requester. The browser then sends a request to the IP address and gets the data from the server and facebook.com is displayed on the browser window. Now, if the name servers returned the IP address of some other site, that site would be displayed on your browser window instead of facebook.com. The virus changes the name servers on your computer from your ISP’s name servers to a different set of name servers and by doing this, the criminals direct traffic to their own sites.
Why July 9th:
To mitigate the effects of the virus, FBI fixed the rogue name servers to return the correct IP addresses. Today (July 9th) is the day on which FBI will stop doing this. This will cause the infected computers to be unable to open websites, or even have problems with email.
How to clean it:
The virus infects the computer’s boot sector. The boot sector of a disk is the part of the disk which has information on how to load the operating system. In normal operation of a computer, the boot sector is rarely changed. By infecting the boot sector, the virus loads every time the computer starts and it cannot be disabled by just deleting files on the disk. This makes it very difficult to clean.
Since 2007, the virus infected 4 million computers across the world. There are still infected computers and the DNS changer working group has created a site which can tell you if your computer is infected – http://www.dns-ok.us
If you have Windows on your computer, Windows Defender, a free tool from Microsoft can clean this virus. However, simply downloading and installing Windows Defender might not work. You need to use a clean computer and install Windows Defender on a CD or a USB flash drive and then take the drive to clean the infected computer. Here is the link where you can download Windows Defender. This page has some more tools.
- DNS Changer working group
- Check if you have the virus - http://www.dns-ok.us
- FBI document on DNS Changer