Skip to navigation
Latest News

Botnet closure to cut 300,000 people off the web

global security

By Nicole Kobie

Posted on 4 Jul 2012 at 08:12

The FBI will pull the plug on DNSChanger servers next week, leaving thousands of people without internet access - but such "tough love" is necessary to protect the internet, say experts.

The DNSChanger malware and botnet was shutdown in November last year, following an FBI-led investigation that saw the US police agency confiscate the accused cybercriminals' hardware.

DNSChanger does exactly what the name suggests, fiddling with DNS settings to maliciously redirect users via its command and control servers to different sites. On Monday, the FBI will shut down those servers, leaving as many as 300,000 PCs worldwide - and 19,589 in the UK, as of last month - with the wrong DNS settings and unable to access the web, unless they take the unusual step of directly entering IP addresses into the browser.

What to do

Find out if you have an infection by running your antivirus, visiting a DNSChanger checking site or downloading a specialised tool to uncover and clean up the infection at the following sites:

F-Secure's DNSChanger checker

BitDefender's DNSChanger Detector

DNS Changer Working Group tools

Security firm BitDefender said infections remain at government organisations as well as Fortune 500 companies, but F-Secure's security advisor Sean Sullivan expects most of the afflicted computers will be further down the chain. "My suspicion is a lot of those [infected] machines are going to be tucked away in small/medium businesses, and no-one’s really paying close attention to it," Sullivan said. "Some sort of group-use machine that has gotten infected and no one is taking responsibility for the thing."

Consumers could of course also be affected, but many have already been alerted, as ISPs, Google and Facebook have been warning users.

The FBI was initially going to turn off the servers in March, but extended the clean-up period until Monday. That doesn't look likely to be extended again - and Sullivan doesn't think it should be, saying it was time for "tough love".

"The botnet is pretty much disabled, but if your machine is infected, it’s compromised – it’s an indication that the person who owns the computer doesn’t know it’s infected," he explained. "They never learn to patch up the machine, so it’s vulnerable to other threats as well. The longer these things sit there, the more time there is for something else to infect."

"Cutting them off would force them to get ahold of tech support and reveal to them that they’ve been running a vulnerable machine that’s been compromised," he added.

David Emm, security researcher at Kaspersky Labs, agreed that it was worrying if anyone has missed an infection after this long - many months after it's been made public and been added to antivirus checkers. "If anybody hasn’t cleaned up, it’s a little bit worrying," he said. "Certainly, if it’s an organisation, you might wonder – it’s a bit scary if a business has defences in place that haven’t flagged this up six months down the line."

Infections remain

Still, while hundreds of thousands of PCs remain infected, there were many more when the FBI first started the operation. "It’s still a significant number, but it’s way behind the four million that was the estimate right at the start of this operation," Emm said.

If a PC does refuse to connect to the web on Monday, it's no reason to panic. After removing the malware (see sidebar), DNS settings simply need to be reset. "It’s not going to be completely hopeless, but IT desks better be ready," said Sullivan.

Emm warned IT support desks to expect confusion from users on Monday. "If they didn’t know at that point that they were infected, they may not immediately know on Monday, either."

Subscribe to PC Pro magazine. We'll give you 3 issues for £1 plus a free gift - click here
User comments

Tough love

This should be immediate standard practice for botnets. Nobody, other than the exploiter, benefits from having infected machines online. And what better way to let the user know there's a problem?

By dubiou on 4 Jul 2012

A better idea

Rather than pulling the plug on the servers, wouldn't it be better to modify them so that all DNS queries returned the IP address of a special FBI hosted website pointing out the problem, and providing links to the most popular free and paid for security products?

By PaulOckenden on 4 Jul 2012


That would be sensible.

If it was a music or film copyright issue, they'd be tracking and identifying each PC to sue the owner, but since it's not they'll just pull the plug and walk away.

There's no money in doing the right thing.

By cheysuli on 4 Jul 2012


then if people knew this is what happens when your PC is taken over then the malware/virus writers would just copy the page. you would never know if it was the feds or the bot owners showing you the page.

By SimonCorlett on 4 Jul 2012

Guessing we'll be busy next week

I would put a bet on at least a couple of people I know who will suddenly find their computer offline who will inevitably call me for tech support. I guess the same will be true for many if not all PCPro readers.

By skarlock on 4 Jul 2012


This is really bad!

By Lollita on 5 Jul 2012


So you think there is about 19k PC Pro readers in UK?

By arichter on 5 Jul 2012

Leave a comment

You need to Login or Register to comment.



Latest Blog Posts Subscribe to our RSS Feeds
Latest ReviewsSubscribe to our RSS Feeds
Latest Real World Computing


Sponsored Links

Your email:

Your password:

remember me


Hitwise Top 10 Website 2010

PCPro-Computing in the Real World Printed from

Register to receive our regular email newsletter at

The newsletter contains links to our latest PC news, product reviews, features and how-to guides, plus special offers and competitions.