Most of What You’ve Read About DNSChanger Is Wrong. Here’s How.

If you’ve been scanning the headlines or watching the evening news, you may have heard that tens of thousands of Internet users in the U.S. – hundreds of thousands around the world – will be cut off from the Internet on Monday, July 9, after servers set up at the bequest of the U.S. government go dark. That’s bad, right? Well, maybe not.

If you’ve been scanning the headlines or watching the evening news, you may have heard that tens of thousands of Internet users in the U.S. – hundreds of thousands around the world – will be cut off from the Internet on Monday, July 9, after servers set up at the bequest of the U.S. government go dark. That’s bad, right? Well, maybe not.

What you may not know is that the impending DNSChanger “black out” threatens to obscure what has been a highly successful effort – one of few to date – to stamp out a global online scam and malware infestation.

First, some recent history: U.S. authorities in November unveiled indictments against six Estonian nationals who they charged with running a sophisticated, international online fraud that netted an estimated $14 million in bogus Internet advertising revenues, while infecting some four million computers world wide, 500,000 in the U.S. alone. The scheme used malicious software, installed on victims’ machines, to force the users to visit Web sites that were customers of an online advertising firm controlled by the scammers.

Following the bust, the U.S. Department of Justice, working with ISC and other tech industry partners, set up their own Domain Name System (DNS) servers in place of those used by the cyber criminals to manage Web requests from infected hosts. A court order stipulated that the servers be shut down on March 5, 2012, four months after the bust. However, as that deadline approached, the U.S. Attorney’s Office successfully argued for an extension to July 9 – Monday.

The intervening months have seen both public and private initiatives to identify victims of the scam and to whittle down the number of computers that were still looking for the DNS servers operated by Rove Digital, the Ghost Click gang’s front company. As Threatpost reported in December, 2.5 million infected systems contacted the DNS servers run by ISC three weeks after the bust. By April, that number was down to 350,000 systems, including more than a few computers located within major corporations. The FBI launched a new campaign to help computer users identify whether their system was using the Rove Digital DNS servers, and to prevent those computers from being cut off from the Internet come July 9), while the U.S. Department of Homeland Security appealed to U.S. consumers to check their computers for signs of infection. They were joined, in May, by Google, which announced it would notify users of DNSChanger infections – directly and in the user’s own language. The search giant estimated that around 500,000 people, worldwide, were still infected with the malware. Then, in June, Facebook joined Google, saying it would display a notice for users connecting to the social network from one of the Rove Digital DNS servers and encouraging them to scan their system.

In all, the public and private efforts have been mostly successful. The DNSChanger Working Group, a public-private industry consortium, reports that there are around 60,000 systems located within the U.S. that are still pointing to the Rove Digital DNS servers – down from 500,000 in November. That’s an 88% clean up rate. The number worldwide is likely around 300,000, down from around 4 million – a cleanup rate of around 92%.

So why all the fuss? For one thing: media outlets that often steer away from technically complicated technology and security stories can really latch onto a deadline. The ticking time bomb meme is really too much to resist. So we get lots of sensational stories about an impending blackout, but not much informed discussion about the ‘why?’ and ‘wherefore?’ of it.

Second, there has been a tendency in the media (including Threatpost) to conflate systems that continue to use the Rove Digital DNS servers and systems that are still infected with the DNSChanger malware. That’s a mistake, says Kurt Baumgartner of Kaspersky Lab.

“Vendors cleaned up the malware, but left behind the DNS settings,” he said. “That leaves plenty for the working group to discuss and fix.”

In a blog post, Baumgartner said that nobody knows how many of the systems that are still using the Rove Digital servers are truly infected. “It could be that none of these systems are infected. Or all of them could be infected,” he wrote. “We are seeing thousands of DNS setting detections on systems that have no malware.” That means the stories you’ve been reading in recent days about hundreds of thousands of DNSChanger infected hosts are speculative, at best.

Even the name “DNSChanger” is misleading, Baumgartner contends. “DNSChanger was detected with a ton of different generics, heuristics and family names,” he told Threatpost. They include malware like Sharik, Shadowbot, Alureon in addition to DNSChanger. Complicating things even more, each of those malware components were delivered with other malware, too: the TDSS rootkit, MDrop and Zlob. The rogue DNS server story is also more complicated, Baumgartner notes. Most of the seized assets from the front companies have all been referred to as “Rove Digital”. But the Ghost Click gang actually used a wide range of front companies to support their scam and launder its profits, using front companies operating in countries as disparate as the U.S., the Ukraine, Russia, Estonia, Denmark, and Cyprus.

So the picture is much more crowded than just the DNSChanger malware and the bogus Rove Digital DNS servers. Which isn’t to say that, now that the malware has (mostly) been removed, using the rogue DNS servers operated by Rove isn’t a problem. “It doesn’t mean you have pneumonia, but you still have a cough.” And it makes you extraordinarily more likely to get sick again,” Baumgartner writes.

Some vendors (Kaspersky included) are now detecting the rogue DNS server settings and offering to reconfigure them to use clean DNS servers. Baumgartner sees the rogue DNS issue as an “artifact” of the DNSChanger malware infections that the community hasn’t done a great job of sweeping away. That’s obscured an otherwise successful operation that saw the scam’s architects arrested, their shell companies’ assets seized and most infected hosts cleaned by a consortium of private and public entities.

So why the lingering crisis about computers being “cut off” from the Internet? Baumgartner said it exposes weaknesses in the largely voluntary system for addressing computer virus outbreaks.

“Cleanup is not something that network admins do well, or at all,” Baumgartner notes.

Or, to use a public health analogy: we’re good at identifying and treating the sick, but not so good at preventing future infections and laying the groundwork for a healthier society.

This shouldn’t be a surprise: public health officials struggled with the exact same problem trying to stamp out virus outbreaks a century ago. In the most famous case, Mary Mallon, a.k.a “Typhoid Mary,” infected 53 people with typhus while working as a cook in the New York area in the first decades of the 20th century. But public health officials had a difficult time convincing Mallon, an asymptomatic carrier of Typhus, to submit to medical tests that would confirm her role in the outbreak, or getting her to stop working as a family cook.

Eventually, the New York City health inspector took the (then) unprecedented steps of arresting Mallon and quarantining her on North Brother Island off Manhattan for three years. Even after Mallon was released from quarantine in 1910 on the promise that she would no longer work as a cook, health officials weren’t able to prevent her from changing her name and again finding employment as a household cook – infecting another 25 people with typhus -one fatally – in 1915, after which she was arrested and placed in quarantine for the last time.

Like public health officials battling typhus outbreaks, the government, ISPs, security companies and others with a stake in halting outbreaks and infections online are still struggling to find the right tools for combating malware and outbreaks, that also respect the rights of individuals and companies. In 2010, the Dutch Public Ministry, working with the country’s High Tech Crime Team (THTC), local ISPs and the Dutch Computer Emergency Response Team ( disabled infected servers that constituted the command and control network for the Bredolab botnet. Dutch authorities then redirected infected systems to a Web page with instructions for removing the Bredolab malware. That was (and is) a controversial move. With DNSChanger, officials in the U.S. and the private sector represented by the DNSChanger Working Group took a softer approach: using a public information campaign to raise awareness about the infections and working through the Internet Systems Consortium (ISC), ISPs and other large organizations that serve the owners of infected systems, in the hopes that they can assist with disinfecting those machines and making sure they are querying legitimate DNS servers when surfing the Web.

In the end, we can count the DNSChanger case as a “win,” but a very qualified win at that. As in the sphere of public health: the hard work of maintaining a healthy and virus free Internet ecosystem lies ahead of us, not behind us. Both the public and private sector need new tools and strategies that allow them to respond rapidly in the case of an outbreak, and to work together over the long term to support commerce and the exchange of information and ideas. Mary Mallon spent the last two and a half decades of her life living in isolation on an island off Manhattan, dying of pneumonia in 1938. That was, undoubtedly, a “win” for public health. But its worth noting that, a century after Typhoid Mary, the Centers for Disease Control (CDC) reported that there are around 48 million food-borne illnesses each year in the United States sickening one of every six people every year and resulting in about 128,000 hospitalizations and 3,000 deaths. Securing the Internet from scams and malware, like fighting the spread of food borne contagion, is a long, hard road that we’ve only begun to travel.

Suggested articles


  • Gail on

    Its name WOULD be Rove, wouldn't it?

  • usuka madeek on

    What B.S. !!!!!!!!!!!!!

    Having your DNS settings changed is not a virus and is certainly not the doomsday nightmare it's being made out to be.

     It's very simple to check and change your DNS numbers and there would be no legitimate reason for the FBI to set up an alternate DNS server to keep a few peoples computers working for a year unless they were using it themselves to spy on people. Anyone stupid enough to believe this one shouldn't have a computer..




  • Anonymous on

    Maybe GLADoS has been wake up again.

  • Anonymous on

    Can someone please just give some simple, clear directions about how to address this risk?

  • K Arthur on

    A lot of technical talk about the Rove Digital servers infection, but nothing is mentioned on how do I know if my PC is infected and how to clean it. A friend told me to download provided by the government with a red or green ligt indicating if my PC is infected or clean. But knowing big brother wants to SPY on all of the internet users I wonder if I should download it or just be confident that my Kaspersky anti-virus  would solve this problem.

    Thanks - K  Arthur

  • lynn on

    Thank you for this straightforward story that sets out the details in this very complicated issue. This goes well beyond mainstream infotainment and provides great background, context and what to do next. 

  • Anonymous on

    This information is great!

  • colorowdy on

    The internet was structured and given birth to by the US GOVERNMENT released to the public for use in 1996.. Now with that fact what makes you think they have NOT been tracking everyone all along??? as far as the DNS changer...well this is a product of scammers taking advantage of people that do not educate themselves about the internet, how it works and what to look for...they just want to get on FB, YouTube and post rants...those uneducated are targets...There are many of them, same ones that send chain emails and try to collect the billions from some forgien country "Offical" that needs your "help" getting money out of his country....and never give a thought to a download or a "click here"

    If you take the time to learn how to use all the other gadgets in your life why would you bypass learning how to keep your computer safe on the internet. The FBI rescue...well it has been there all along it is just now being made public. Makes you wonder what else is running in the background. The internet has government fingers running deep, educate yourself.

  • Anonymous on

    Government propoganda at it's using their temp. servers, they can lawfully intercept tons of email and info.  I was hacked this morning: 7-13-2012 at 7:07:07 AM. 

    Changing a few servers does not dis-infect the network.  It was a ruse...not to protect the people, but to serve them.

    When has the government ever done anything and spent millions on that didn't also serve their interest????

  • Anonymous on

    Why are people getting so hot under the collar ? Do the words "reasonable discussion" mean anything anymore ?

  • Don on

    Great article. Also, some amusing and insightful comments. Indeed, malicious DNS lookup table corruption is one of the nightmares of wide area network admins and now it has come true. Interesting that no-one commenting has thanked the FBI or Estonian Law Enforcement for their significant efforts. I hope the hacker scum rot in prison. I also note Denial of Service and successful "take-down" attacks over VOIP are appearing now in the Talkshoe community, directed at "end-point" targets (particular Talkshoe users). What a wonderful Age we live in ;-P

    As for the Feds "spying"? Of course. It's what they're paid for! ;-) PEACE...

  • anon on

    nice article, Paul. Looks like the cutoff went smoothly and the most folks continue to get email, surf pron, etc.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.