The FBI said that there are still more than 330,000 computers believed to be infected with the DNSChanger malware, with just weeks to go before a court order to cut off their ability to communicate with the rest of the Internet. Fully 77,000 are located in the U.S., according to data provided to Threatpost.

The data was culled from servers operated by the Internet Systems Corporation (ISC), in conjunction with the FBI, following an international crackdown on the online scam in November 2011. It suggests that, despite a chorus of appeals, the government and its private sector partners have much work to do to eradicate the malware infections stemming from the scam.

The fraudulent scheme, which law enforcement referred to as the Ghost Click network, was the target of a coordinated takedown on November 8 by the FBI and a long list of government and law enforcement agencies and private corporations around the world, including the Estonian Police and Border Guard Board, the Dutch High Tech Crime Unit, authorities in Estonia and ISPs in the U.S. and abroad. At the time of the bust, the FBI estimated that the scheme affected some 4 million individuals worldwide, and 500,000 in the U.S.

The scheme is alleged to have netted participants $14 million in illicit profits, largely in the form of commissions for directing traffic to Websites and online advertisements that were customers of front companies set up by the criminals. The FBI has appealed to the public to identify victims of the fraud that it can use to aid the prosecution of six Estonian nationals who are allegedly behind the scam.

DNS servers are a critical piece of Internet infrastructure that translate human-readable domain names, such as, into the numeric IP addresses that Internet-connected systems use to locate each other. After breaking up the scheme, authorities replaced the malicious DNS (Domain Name System) servers used by the scammers with their own clean systems. However, the government set a cutoff date after which those DNS servers would be taken offline. DNSChanger-infected systems that hadn’t switched to new DNS servers would then be cut off from the Internet – potentially baffling their owners.

In March, a Federal Judge agreed to a request from the U.S. Attorney’s Office to extend the operation of the government’s DNS servers until July 9, 2012. At that time, there were still an estimated 400,000 systems infected.

As of May 21st, there were 330,752 unique IP addresses that contacted the Clean DNS servers in a 24-hour period. Of those, 76,901 are located in the United States, an FBI spokeswoman told Threatpost. The latest data from ISC comes in the wake of public appeals from the government. The FBI launched a new campaign in April to stamp out the remaining DNSChanger infections, including those lurking in Fortune 500 companies. The U.S. Department of Homeland Security (DHS) asked consumers to check to make sure their computer is not infected with the malware. Google, this week, said that it would notify infected users through messages on search results pages if they appear to be infected with the malware.

The latest numbers, down only slightly from March, suggest that the pace of recovery from the DNSChanger infections is slowing, despite the public attention to the problem. Security experts have warned that cleaning up the estimated 4 million infected hosts would be a challenge.

A web site,, has been set up to tell consumers if they are infected. However, as Kaspersky Lab researcher Kurt Baumgartner pointed out, that site is prone to errors. Users are better off using free scanning tools from prominent anti-malware vendors to determine if their system is infected, and to remove the DNSChanger malware if they are infected, Baumgartner argued.
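The two checks the article describes in prose, as an added example that is not from Threatpost, the FBI or ISC: a host-side test of whether the configured resolvers fall inside a rogue range (what the check site and scanning tools do), and the resolver-side count of unique client IPs seen in a 24-hour window (how the 330,752 figure was produced). The rogue ranges, resolv.conf contents and log lines are all constructed placeholders, not the real DNSChanger indicators.

```python
"""Defender-side checks for a DNSChanger-style incident (added example).
The rogue ranges below are PLACEHOLDERS from RFC 5737 documentation space,
not the real ranges used by the scheme."""
import ipaddress
from datetime import datetime, timedelta

# Constructed placeholder ranges standing in for the rogue resolvers.
ROGUE_NETWORKS = [ipaddress.ip_network(n)
                  for n in ("192.0.2.0/24", "198.51.100.0/24")]


def configured_nameservers(resolv_conf):
    """Return the nameserver IPs found in resolv.conf-style text."""
    servers = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(ipaddress.ip_address(parts[1]))
    return servers


def rogue_nameservers(resolv_conf, rogue_networks=ROGUE_NETWORKS):
    """Return the configured resolvers that sit inside a rogue range."""
    return [str(ip) for ip in configured_nameservers(resolv_conf)
            if any(ip in net for net in rogue_networks)]


def unique_clients_in_window(log_lines, window_end_iso, hours=24):
    """Count distinct client IPs that queried the resolver in the window
    ending at window_end_iso. Log format (constructed): '<ISO time> <client> <qname>'."""
    window_end = datetime.fromisoformat(window_end_iso)
    start = window_end - timedelta(hours=hours)
    seen = set()
    for line in log_lines:
        ts_text, client_ip, _qname = line.split(maxsplit=2)
        if start <= datetime.fromisoformat(ts_text) <= window_end:
            seen.add(client_ip)
    return len(seen)


# Constructed sample data: one rogue resolver, one clean one; three clients,
# one of them outside the 24-hour window.
SAMPLE_RESOLV_CONF = "# constructed sample\nnameserver 192.0.2.53\nnameserver 203.0.113.53\n"
SAMPLE_LOG = [
    "2012-05-21T03:10:00 203.0.113.7 example.com.",
    "2012-05-21T09:45:12 203.0.113.7 example.org.",
    "2012-05-21T14:00:00 203.0.113.9 example.net.",
    "2012-05-19T23:59:59 203.0.113.11 example.com.",
]

if __name__ == "__main__":
    print(rogue_nameservers(SAMPLE_RESOLV_CONF))
    print(unique_clients_in_window(SAMPLE_LOG, "2012-05-21T23:59:59"))
```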

Categories: Critical Infrastructure, Malware, SMB Security

Comments (5)

  1. JustDoItAlready

    “However, the government set a cut off date after which those DNS servers would be taken offline. DNSChanger infected systems that hadn’t switched to new DNS servers would then be cut off from the Internet – potentially baffling their owners.”

    Eventually they will figure it out! Cut it off already.


  2. Anonymous

    Why don’t they just redirect everyone to a website that explains they are infected?

  3. Shayan

    Agree… if something like redirection were used to indicate to the users that their systems are infected, the invasion counts would significantly come down… But again, there are possibilities of adversaries like malicious sites redirecting users…

  4. Anonymous

    Look, with only 77k infected computers (Google Est.) this is hardly a crisis… Where’s the NSA when we need them? Where is Microsoft with updates? How about our security folks we’re paying for?

  5. TJ Leeland

    Exactly. When they can’t access the internet they’ll call a professional to fix their computer — who can then tell him that he’s infected with this and several other pieces of malware. This malware came with more than just a DNS changer, so these users — who are staying infected because of FBI handholding — are at risk of having other personal information stolen. Better to let them find out they have a problem now.

    This isn’t helping infected users, it’s artificially putting them at risk for longer. 
