21 March 2012
Software and platform affected
Windows (all versions)
Mac OS X (all versions)
What is the problem?
Malware which alters a computer’s DNS (Domain Name System) settings, known as “DNSChanger” malware, has been in circulation for some time. DNS is an Internet service which translates user-friendly domain names (e.g. ssoalertservice.net.au) into the numerical Internet Protocol (IP) addresses (e.g. 188.8.131.52) which are used by computers to communicate with each other. By infecting a victim’s computer with this type of malware, criminals are able to alter the DNS settings on a user’s computer. By controlling the DNS settings on victim’s computer, criminals force the infected computers to communicate with “bad” or “rogue” DNS servers, rather than legitimate “good” DNS servers. The criminals can then use these “bad” or “rogue” DNS servers to redirect the unsuspecting users to fraudulent websites or interfere with a user’s web browsing. For example, if a user’s computer is infected with the DNSChanger malware, and the user enters “google.com” in their web browser, rather than take the user to the legitimate “google.com” website, they would be taken to a fraudulent website instead.
In November 2011, the FBI uncovered a network of rogue DNS servers and took steps to disable them. However, by disabling the rogue DNS network, victims who are infected by the DNSChanger malware could lose access to DNS services entirely. To address this issue, the FBI developed a private-sector, non-government entity to operate and maintain clean DNS servers for the infected victims for a temporary period. As of July 9th 2012 the FBI will no longer be operating this service; computers that are infected with the DNSChanger malware could lose access to DNS services, preventing access to the Internet, including access to legitimate websites.
What we recommend you do
The Australian Government has created a diagnostic website which will, in most cases, confirm whether or not a user’s computer is infected with DNSChanger malware: Australian Government DNSChanger Diagnostic
The FBI has provided a PDF document with detailed instructions (including screenshots) to manually check the DNS settings on both Windows and Mac OS X based computers: FBI DNSChanger Malware Document
As a minimum step, we recommend that you click on the Australian Government’s diagnostic website and see whether it displays a green box with the words, “You do not appear to be affected by DNSChanger”.
Then, if you want to be more certain that this diagnosis is correct, it is also recommended that you follow the detailed instructions in the FBI’s PDF document to help to determine whether your computer is infected with DNSChanger. You should also perform a thorough virus-scan of your computer using an up-to-date virus scanner to ensure that it is not infected with the DNSChanger malware.
If you do find that have been infected with the DNSChanger malware, you should seek professional assistance to ensure that the malware is removed successfully.
Additionally, this factsheet contains instructions to help detect and remove malware:
Where you can find more information
The Australian Government has also provided some additional information regarding the DNSChanger Malware here: DNSChanger Information
The FBI has also provided further information regarding internet fraud associated with the DNSChanger Malware here: Manhattan U.S. Attorney Charges Seven Individuals for Engineering Sophisticated Internet Fraud Scheme That Infected Millions of Computers Worldwide and Manipulated Internet Advertising Business
Additional information regarding the DNSChanger Malware can be found at the DNS Changer Working Group (DCWG) website: DNS Changer Working Group