Obtaining information about infections on your network

All ISPs are asked to notify their affected customers and encourage remediation.  If you run a network and would like information about DNS Changer infected IP’s on your network, please contact one of the organizations listed below.  These organizations are making this data available for free as a public benefit.  These organizations will verify that you are a responsible contact for the ASN.

DNS Changer infected IP’s are tracked by origin ASN.  If you do NOT have your own ASN, do NOT reach out to any of these organizations.  Instead, you can quickly test your individual computers and home routers using instructions that can be found at the checkup page.

Organization How to Contact
Shadowserver.org Go to the ”Get Reports on Your Network” page and follow the instructions to apply for reports. These reports will cover all malware seen by Shadowserver.org
Arbor Networks https://atlas.arbor.net/contact/ (Use web form)
Team Cymru Please e-mail outreach@cymru.com with your organizational affiliation, ASN(s) and/or netblock(s), and request the free DNSChanger infection feed
Internet Identity E-mail to dnschanger_data_request@internetidentity.com to request a feed.

Identifying infections on your network

Any hosts making DNS requests (udp/tcp packets with destination port 53) to the following rogue nameservers are likely infected and should be scrutinized.

Starting IPEnding IPCIDR
85.255.112.085.255.127.25585.255.112.0/20
67.210.0.067.210.15.25567.210.0.0/20
93.188.160.093.188.167.25593.188.160.0/21
77.67.83.077.67.83.25577.67.83.0/24
213.109.64.0213.109.79.255213.109.64.0/20
64.28.176.064.28.191.25564.28.176.0/20