On 12:01 Eastern Time on Monday July 9th 2012, the DCWG stop responding to DNS queries from infected machines. This is in compliance with the US Justice Department Court Order authorizing the clean DNS servers. At 12:23 Eastern Time on Monday July 9th 2012, the server started to reply to all DNS request with an Read More

July 8th 2012 is the last day we collect DNS data on the DNS Changer Victims. The total “unique IPs” and last day of infections per DNS Top Level Domain Country Code (TLD CC) are linked below. Now that this phase of the remediation exercise is over, researchers will collect all the data and compare Read More

Lots of people have been asking for updated data. Thanks to one of our volunteers, we have the latest dump:   Daily Unique IPs connecting to the clean DNS servers up to June 27th 2012 – dcwg-unique-ips-up-to-June-27 Daily Unique IPs in July 2012 – dcwg-unique-ips-July-2012 Current List of Infections by Top Level Domain Country Code Read More

Top 25 ASNs seen on Monday, June 11th who have DNS Changer infections communicating with the DCWG Clean DNS servers. +——-+————+ | asn   | unique_ips | +——-+————+ | 9829  |      15568 | | 3269  |      13406 | | 7922  |      11964 | | 3320  |       9250 | | 7132  |       6743 | | 3215  |       Read More

Here is our latest country based on Country codes for Monday, June 11th:   +—-+————+ | cc | unique_ips | +—-+————+ | US |      69517 | | IT |      26494 | | IN |      21302 | | GB |      19589 | | DE |      18427 | | FR |      10454 | | CN |      10304 Read More

The following is our latest figures on the number of unique IP addresses communicating with the DNS Changer “Clean Servers.” +————+————+ | date | unique_ips | +————+————+ | 2011-11-08 | 551436 | | 2011-11-09 | 567957 | | 2011-11-10 | 672972 | | 2011-11-11 | 661664 | | 2011-11-12 | 617054 | | 2011-11-13 | Read More

Yet another Shadowserver.org illustration to explore the geographic view of DNS Changer infections from Jan 2012 to Mar 2012.

Shadowserver has pulled together a word map based on country to illustrate which countries had more infections. The size of the word relates to the number of infections.  

Shadowserver.org has provided a Hilbert Map (with video) of all the infections from Jan 2012 to March 2012.This is a useful tool to spot “hot spots” based on IPv4 prefix ranges. More information on Hilbert Maps can be found at: http://www.caida.org/research/traffic-analysis/arin-heatmaps/ http://www.team-cymru.org/Monitoring/Malevolence/maps.html