DNSChanger victims to lose internet on Monday
This coming Monday, 9 July, the FBI will be turning off the DNS server which currently intercepts queries from DNSChanger victims. This will mean that users who are infected with the malware will be almost completely unable to access the internet normally. Users are therefore advised to check whether their computers or routers use one of the FBI-listed IP addresses for DNS queries, well before the server shutdown, by visiting dnschanger.eu or dns-ok.us.
Users who want to check their configuration manually need to look out for the following IP address ranges:
- 126.96.36.199 to 188.8.131.52
- 184.108.40.206 to 220.127.116.11
- 18.104.22.168 to 22.214.171.124
- 126.96.36.199 to 188.8.131.52
- 184.108.40.206 to 220.127.116.11
- 18.104.22.168 to 22.214.171.124
If an address from one of the above ranges is already set as the DNS server on the computer or router, it is infected with DNSChanger. Users can find out where to locate this DNS server information for their particular case using a wizard set up by the eco association. Future DNS queries can be made using servers such as Google's at 126.96.36.199.
Until November 2011, criminals were intercepting DNS queries from infected computers and redirecting them to fake web sites. This allowed them to steal credit card details, sell fake anti-virus software and undertake click fraud.
The FBI then destroyed the DNSChanger network in Operation Ghostclick and, as a temporary solution, set up a replacement server which redirected DNS queries from affected computers to their correct destinations. On 9 July, this server is set to be switched off. Although this date and the DNS problem have been public knowledge for several months, there are still thousands of infected computers in use in the UK. Two months ago, the FBI was still registering queries from around 20,000 UK IP addresses.
From Monday, users will only be able to visit web sites from infected computers by entering the IP address directly (e.g. http://188.8.131.52 for heise.de). Since the end of May, Google has been warning users of its search engine if their computers are infected.