An Update on DNSChanger and Rogue DNS Servers


In late 2011, the FBI released documents and data focusing on “Operation Ghost Click.” This malicious operation, leveraging a variety of DNSChanger-type malware, was defined by the FBI as an “international cyber ring that infected millions of computers.”

Associated malware samples and events can be traced back several years, and multiple platforms were targeted. To this day many remain affected or infected and are still open to compromise.

There is plenty of helpful data around this issue. Even the FBI has provided a tool to check whether your host/IP is affected.

So, fast-forward to the present: Within McAfee Labs we have been flooded with queries (forgive the DNS pun) on what will happen on March 8, and what other impacts might ripple through our environments as the FBI takes the next steps toward concluding Operation Ghost Click.

The Good News!

On March 5, a U.S. District Court in New York signed an order to extend the March 8 deadline to July 9.

This extension will allow all affected entities to continue to track down and remediate hosts that are still compromised. Current data indicates that there are still several million infected or affected hosts worldwide.

Also, as a handy reminder, the offending netblocks are well documented:

  • through
  • through
  • through
  • through
  • through
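A check of a host's configured resolvers against netblocks written in the "start through end" form, as an added example that is not part of the original post. The ranges and resolver file contents are constructed placeholders from RFC 5737 documentation address space, not the real rogue netblocks, and the function names are hypothetical.

```python
import ipaddress

# Constructed placeholder ranges (RFC 5737 documentation space), NOT the real
# rogue netblocks: substitute the ranges published in the advisory.
ROGUE_RANGES = """
192.0.2.0 through 192.0.2.127
198.51.100.64 through 198.51.100.255
"""

# Constructed sample of a resolv.conf-style resolver configuration.
SAMPLE_RESOLV_CONF = """
# generated by dhclient
search example.internal
nameserver 198.51.100.70
nameserver 203.0.113.53   # placeholder for a legitimate resolver
nameserver not-an-ip
"""

def parse_ranges(text):
    """Turn 'start through end' lines into a list of CIDR networks."""
    networks = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1].lower() != "through":
            continue  # blank or unrelated line
        first = ipaddress.ip_address(parts[0])
        last = ipaddress.ip_address(parts[2])
        # An arbitrary start-end range may need several CIDR blocks.
        networks.extend(ipaddress.summarize_address_range(first, last))
    return networks

def configured_resolvers(resolv_conf_text):
    """Yield valid nameserver addresses from resolv.conf-style text."""
    for line in resolv_conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                yield ipaddress.ip_address(fields[1])
            except ValueError:
                continue  # malformed entry: skip it rather than crash

def rogue_resolvers(resolv_conf_text, networks):
    """Return the configured resolvers that fall inside any listed netblock."""
    return [str(ip) for ip in configured_resolvers(resolv_conf_text)
            if any(ip in net for net in networks)]

if __name__ == "__main__":
    for hit in rogue_resolvers(SAMPLE_RESOLV_CONF, parse_ranges(ROGUE_RANGES)):
        print("resolver inside listed netblock:", hit)
```

The same comparison applies to the DNS servers handed out by a DHCP server or set on a home router, since those settings determine which resolver a host actually uses.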

To learn more about how to maintain your online connection and to protect against this malware family, read our new Threat Advisory:

For McAfee Customers: Detection for associated malware is provided under the DNSChanger Trojan family.

For example:

Other Resources:

  • McAfee Labs Security Advisory MTIS11-219
  • McAfee Labs Threat Advisory on DNSChanger
  • McAfee Labs DNSChanger Description Search
  • The FBI’s DNSChanger Malware
  • United States District Court Southern District of New York Post-Indictment Protective Order extending the March 8 date.

    Court-ordered date extension


