Spyware, Viruses, & Security forum

General discussion

Fact or fiction: People could lose their Internet connection in July?

by Lee Koo (ADMIN) CNET staff/forum admin / May 3, 2012 10:08 AM PDT

Fact or fiction: People could lose their Internet connection in July?

I have been hearing a lot about the FBI establishing a Web site
(http://www.dcwg.org) to detect if your computer was infected by a virus sent
out by hackers. If you unknowingly downloaded the virus and it
remains undetected, the hackers will take down your access to the
Internet in July. Is this a legit site? If we visit the site and
receive a message that our computer is infected, do we download antivirus
software on the site to fix the problem? With so many scams out there,
it is sometimes hard to tell what is legit. If this were true
shouldn't my antivirus or anti-malware have picked this infection up?

Any explanation on this whole subject matter would help me be
prepared, just in case I am infected. Thanks for your help, have a
beautiful week.

- Submitted by Barbara
Post a reply
Discussion is locked
You are posting a reply to: Fact or fiction: People could lose their Internet connection in July?
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: Fact or fiction: People could lose their Internet connection in July?
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
If you are a victim

The FBI has actually done you a favor.

Instead of shutting the servers responsible for the DNS Changer botnet down, they have kept them up and running. Why? Millions of computer users were infected by this trojan, and shutting these servers down would instantly result in loss of internet access for those millions still infected.

This is because of the way the malware writers set up the botnet. DNS Changer trojan reported back to the servers the gang used to run/own; infected systems would be directed here for all internet access, and then would go out to wherever the user wanted to go. Unfortunately, this also meant the infected system was, for all practical purposes, owned by this gang, for as long as they continued to operate. They made their money on a pay-per-click basis based on fraudulent advertising revenue for each system infected, so every system user unknowingly and unwittingly made them money as they surfed the internet.

When the FBI and others arrested the members responsible, they also took possession and control of these servers. This happened on November 9th, 2011. The DNS Changer organization had been in operation for more than five years at that point, beginning sometime in 2007.

Owning a system on the internet that is not yours is very profitable; there are myriad ways of making money off the data stolen, identity theft, etc. In hackers lingo, you are pwnd if this happens to you.

It is up to the user to check for infection, and remove/clean it if found. Tools and instructions are provided @ http://www.dcwg.org on how to check and clean if necessary.

So, in short, use the above site to see if you are infected. If you are not, you have nothing to worry about. If, however, you are infected, and you are not comfortable in cleaning an infected system, take it to a reputable local computer shop you know and trust. But get this done sometime before July 9th, 2012.

The FBI and the court system has extended the cutoff date for the cessation of the DNS Changer servers operation twice already; one of the latest estimates say that some 3,000,000 systems are still infected as of two days ago. If these servers were shut down today, that would mean three million users suddenly without internet access. Some of those users are in a corporate environment, alas.

Note: This post was edited by its original author to fix incorrect link on 05/04/2012 at 5:40 PM PT

Collapse -
Is it possible to change the DNS number in every computer?
by gjgalveza-mty / May 12, 2012 6:49 AM PDT
In reply to: If you are a victim

Is it possible to change the DNS number in every computer infected instead of cleaning the computer otherwise? If I call my Internet Service Provider they can give me the number of the DNS server I am connected with, I guess. Ah, but if I still have the Trojan in my hard disk it will continuing changing that number. In any case my IPN will give me the clue about how to get rid of the menace. An how is it that the manufacturers of Virus cleaning software did not pick up the menace early enough and provided the solution via updates? Probably the people that got infected did not have antivirus protection. Am I right?

Collapse -
It's a rootkit infection

Alureon rootkit family.

What is a rootkit? here: http://en.wikipedia.org/wiki/Rootkit

Since it is a rootkit, it will hide from antivirus programs, is difficult to detect and difficult to remove/clean.

Luckily most a/v's now detect and remove this infection. But even then, a/v's cannot clean and disinfect your router or dsl modem because most do not scan your internet device.

So, no, changing the DNS IP address would not work if the gang was still active and in control of you computer. If you do not like the FBI or http://www.dcwg.org/ having control of your computer through the DNS Changer Trojan, and you still have this infection, then by all means clean it and use a free DNS vendor such as http://www.opendns.com/ to ensure that this is still not the case. As long as the DNS Changer Trojan is still there, you are always going to the server farm the FBI and dowg.org is still running for all your internet access. Sad

Collapse -
by gjgalveza-mty / May 13, 2012 12:46 PM PDT

I see, I see. Thanks a lot for your guidance. It is interesting to note how much these little crooks know about the subject matter. If they were using their knowledge for good purpose they may get even richer than by this crooked way. But I am changing the focus of the discussion. We have got to keep ourselves a step ahead!

Collapse -
What about current scanners?
by raduzhok / May 13, 2012 3:42 AM PDT
In reply to: If you are a victim

I'm reading thru this and I'm not sure if the implication is that the traditional virus and malware programs that I have installed on my machine (and which I use, and which has not found any such infections), are unable to detect this trojan.

Can someone please answer this simple question?

Collapse -
Simply put, a rootkit if well made is undetectable.
by R. Proffitt Forum moderator / May 13, 2012 3:48 AM PDT
Collapse -
Re: Rootkit Video
by mchainmchain / May 13, 2012 6:18 AM PDT

Nice video. Just be sure to not watch until the very end of the video; some viewers might be offended by somewhat graphic content not related to the video posted. It is a link posted within the article that indirectly is posted to YouTube, after all.

Imagine being able to read and view https:// via WiFi content using that or other rootkit! Terrible invasion of one's privacy. Should not happen. Ever.

Collapse -
Blog at Kaspersky
by mchainmchain / May 13, 2012 6:58 AM PDT

Says that the test for redirection is not always reliable here: http://www.securelist.com/en/blog/208193491/Update_to_DNSChanger_Cleaning_Up_4_Million_Infected_Hosts

dowg.org site says system is "green" even though it is infected.

Author apparently has two of the known DNS Changer Trojan DNS IP addresses listed in ipconfig, and no redirection occurred.

IP addresses listed were:



where "x" is last number omitted for safety reasons. The FBI does list these two, among others, as rogue DNS IP addresses.

Collapse -
snail vs monsters hoho
by kellysaveladybug / June 1, 2012 6:33 PM PDT
In reply to: If you are a victim

not only trojan , Barbara was The culprit

Collapse -
Fact or fiction: People could lose their Internet connection

It is fiction. There have been and there will always be malware out there.
All you to do is be aware of it, use common sense when surfing and have some good malware detection software and ensure that it is being kept up to date.
The DCWG http://www.dns-ok.us/ is not going to harm your computer as it did not harm mine once I used to to test my desktop after reading the WindowsSecrets.com weekly newsletter.

I hope this is helpful.

Collapse -
What a great way to "make jobs"

So, the gov, runs servers for infected computers? Really, the gov cares if your computer crashes?

Talk about an easy way to get gazillions of people to load bogus patches & software! I have read the article & "if you have a reputable anti-virus software, you're okay". Well duh!

If you have registered software, legally, you shouldn't have any issues with your computer anyhow. But if you're concerned, by all means, take your computer to a trusted computer repair facility. Either have them check it out, or reformat your computer. Or better yet, find someone you know who does this & flip them a few bucks.

Just my thoughts.

Collapse -
Re: What a great way to "make jobs"
by zigzagolis / May 13, 2012 2:40 AM PDT

Looks to me like a great way for the government to scan you computer for anything they can use against citizens. Would you seriously allow the government to prowl through you private files??? (and anything on YOUR computer is your PRIVATE information)

Collapse -
DNS Malware

DNS servers across the Internet translate URL word-addresses to the IP numeric ones actually needed by network devices. Until shut down last November, a bot-net distributed various malwares which changed DNS settings of infected devices so requests for this translation service went instead to bogus servers which in turn directed traffic to spoofing and virus-infected websites. Antivirus programs might or might not have caught the several variants attacking a PC, but the malware also targeted router settings and network devices not usually protected by such software. The Internet Systems Consortium has been running DNS servers to replace those involved in the infection, but they will discontinue this court-ordered effort by July 9. Thus, no one will terminate any Internet service in July or any other date, but if your PC or router has been redirected to one of the phony DNS servers, it will find nothing to connect to when the temporary corrective services are ended.

The website dcwg.org, for DNS Changer Working Group, will quickly check your system for evidence of erroneous DNS redirection. Although DNS entries can easily be corrected manually, the site also links to a dozen or so free, commercial malware removal sites which will scan for viruses and remove them, and reset the DNS entries for you. This list of free tools is excellent to keep for any future needs, whether or not DNS-related. Administrative rights are not needed for the DNS check, but are required for the corrective tools.

(As an alternative to DNS settings suggested by your ISP, both OpenDNS.com and Google (https://developers.google.com/speed/public-dns/docs/intro) provide DNS servers claiming improved security or features which can be freely used by setting your DNS pointers to the IP numbers which they provide.)

Collapse -
by mchainmchain / May 5, 2012 4:36 AM PDT
In reply to: DNS Malware

Thank you for the clarification on how DNS works and how the DNS Changer gang controlled machines affected by this trojan.

I did not spell out how this operation worked, as my focus was to highlight the history and impact this gang had:

"This is because of the way the malware writers set up the botnet. DNS Changer trojan reported back to the servers the gang used to run/own; infected systems would be directed here for all internet access, and then would go out to wherever the user wanted to go. Unfortunately, this also meant the infected system was, for all practical purposes, owned by this gang, for as long as they continued to operate. They made their money on a pay-per-click basis based on fraudulent advertising revenue for each system infected, so every system user unknowingly and unwittingly made them money as they surfed the internet."

The web site is just a way to check to see if you have the trojan, and provides the means to remove it.

Honestly, no one has to provide such a service here. The plug on the rogue DNS servers can be pulled at any time, but instead of that, notice is given that this will happen on July 9th, 2012. There will be many unhappy users when this is done, as you explain above, there will be suddenly no DNS server to connect to. SadSadSad

This does not mean your system is infected with other malware, just that internet connectivity will be lost.

Just go to a site you like and trust to check, is all.

Collapse -
Yes, it's legit

I know it sounds highly improbable, but if you type in fbi.gov you will find the information on the FBI home page (article # 1 of 4 that are scrolling). If you type it yourself you are not clicking on somebody else's link. I would say that the FBI posting this is pretty conclusive evidence that something exists.

And I agree that your computer is probably fine, but it won't hurt you to check and the FBI is not a bad place to do so). If you should have a problem, it is a rootkit, so I don't believe running a scan will fix it. If mine had turned up infected (probably not the correct word for this particular issue), I would be going to my local computer pro to get it taken care of.

Collapse -
by koufax1 / May 12, 2012 2:10 AM PDT
In reply to: Yes, it's legit

The FBI? Really, you would take it to your "computer pro" you sound like you don't know squat about it so don't post like you do. Computer pro, that is funny

Collapse -
"if it isn't broken don't fix it"

That phrase and similar phrases "let sleeping dogs lay" are quite appropriate.

If you don't have a problem then don't be overly concerned and don't let thing you "hear about" convince you otherwise.

Certainly we all need to be aware of our use of computers and we all need to keep up to date with appropriate protective software. We do not however need to exceed normal practice.

You have every right to be concerned about scams, there are now so many it is very difficult to know just what is a scam. Even the instance you raise here "could" be a scam. Even if it is the FBI and even if it is a genuine attempt to keep everything ok, how do you/we know what may or may not happen with your pc? For all we know the FBI could be using this action to install "monitoring" software on your pc.

These days we are all potentially vulnerable to threats from "within". We have so many hardware/software features that continually check for updates. Microsoft being the most prolific updater. I am about to install (reinstall my complete system and I have decided to not allow any auto updating if I can turn it off. Hopefully this will also improve the computers performance.

For (I hope) most people, their computer system should be invisible on the net. You can use this web site to test your computer for security. http://www.grc.com/default.htm (no affiliation, I use it to check my pc).

Providing you have suitable AV and malware protection and your physical modem connection to the phone line (hardware or wireless) has its inbuilt firewall turned on, then you can be reasonably assured you are safe from virus attacks..

Most security breaches are not from brute force attacks on a pc, because as mentioned, with the correct precautions, your pc should be "invisible" on the net. Most breaches are gained by obtaining just enough information (an initial basic password verbally given to someone) to gain a "foothold" within a computer system. Once "on the inside" computer access becomes MUCH easier.

FWIW, I choose NOT to have Microsoft updates installed. I turn off automatic updates and the incessant reminders completely. I decide when my computer gets updated and with what, I have don so for many years. From the hundreds of so called security and other updates, I have only ever NEEDED one "fix". I updated this fix myself (a long time ago now).

This may not be appropriate for everyone and while I cannot recommend it for everyone, I DO ensure that systems I supply to MY clients, do not have automatic updates turned on.

I can therefore be assured that MY (and my clients') computers remain in a known state - and I know the state. WITHOUT this "control" if the computer performs differently or erratically, how would I know if the problem is an unnecessary MS update or some other influencing factor?

In summary then, be aware but not paranoid. Do NOT perform actions based on something like you describe in your question. Your AV software SHOULD have detected something - though it may not perform such a detection until the latest AV reference data has been installed.

Unless you are sure that any action you take is valid, make a careful assessment of such action.

In the example you give, I would NOT visit the (FBI?) web site and for what it's worth I have heard nothing about the site you mention. I would have thought that any FBI based web site would have a ".gov" suffix or be a location within the FBI web site such as "http://www.fbi.gov/about-us/faqs".

I hope this helps. Keep safe Happy

Kind regards


Collapse -
Have you done any research?
by chillmog / May 4, 2012 2:00 PM PDT

If you don't believe any of this, have you checked fbi.gov? I suggest that you do and check info link number 4.

Collapse -
Don't listen to these doomsayers.
by bigbear639 / May 4, 2012 2:06 PM PDT

This can harm your computer and make it useless. You can call your local FBI ofice and they will confirm it. The website is lso legitimate and has been posted by News organizations, TV Stations and featured on NBC, CBS and CNN. Those here telling you to ignore it may be members of that group or just think it is funny to have your computer shut down.

Collapse -
FWIW: The site you suggested not to visit can be found at..
by Carol~ Forum moderator / May 4, 2012 2:30 PM PDT

The below FBI site which references the DNS Changer Working Group ( http://www.dcwg.org/ ) as mentioned by the original poster, can be found here:


Here's another from the FBI on the subject: http://www.fbi.gov/news/stories/2011/november/malware_110911/malware_110911

"The DCWG is an ad hoc group of subject matter experts, and includes members from organizations such as Georgia Tech, Internet Systems Consortium, Mandiant, National Cyber-Forensics and Training Alliance, Neustar, Spamhaus, Team Cymru, Trend Micro, and the University of Alabama at Birmingham."

With all due respect..

Collapse -
OK, for the sake of the exercise....

Ok, for "research purposes" and the sake of completeness I visited the site. http://www.dns-ok.us/

This served to prove my point, my computer is not infected. I did not expect it to be infected. My computer is effectively invisible on the net. Use the web site I provided in my first message to check your own computer if you wish.

*IF* the web site had been a scam (I know it's not), the text below (from their web site) does nothing to help the situation. A scam site could just as easily use this or similar wording and play havoc with someone's computer, hence my comment I would NOT visit the site.

"For example, the http://www.dns-ok.us/ will state if you are or are not infected (see below).

No Software is Downloaded! The tools do not need to to load any software on your computer to perform the check.
No changes are performed on your computer! Nothing is changed on your computer when you use sites like http://www.dns-ok.us/.
No scanning! The "are you infected with DNS Changer" tool does not need to scan your computer."


I did not suggest to anyone they should not visit the site - that is their own choice. I did say I would not visit the site, for reasons already given.

Collapse -
@Peter Sanders
by btljooz / May 5, 2012 7:49 AM PDT


I totally disagree with the advice that you give within the particular context and environment of this question. You are obviously an advanced power user of computers. While the advise you give may be appropriate for other advanced power users, it truly is not for the users amongst us who are not quite as advanced. And before you go off at me, I practice some of the same techniques that you do. But, I know how to mitigate what I do the same as you do. I just don't suggest to others that they do these things if they are not advanced enough to deal with any consequences they may face by following the practices of a more advanced individual such as you or I. We truly don't know if others in this, or any forum, are as savvy as we are do we? Now, we both know that there ways to see if a website is safe before we click on it (which a subject covered elsewhere here in CNet and on the web). 'nuff said.

Collapse -
Wrong link...
by btljooz / May 5, 2012 8:00 AM PDT
In reply to: @Peter Sanders


I have flagged this post, myself, asking the mods to remove it because the link I pasted ileads to the wrong place (NOT malicious, just wrong). I meant to direct readers to an article by the name of "How To Check If a Website Is Safe" at this URL: http://www.brighthub.com/computing/smb-security/articles/31108.aspx

If the mods choose to delete that post as asked, fine. They may also delete this one if they want.

Please accept my apologies. Blush

Collapse -
You're fine
by MarkFlax Forum moderator / May 5, 2012 9:06 PM PDT
In reply to: Wrong link...

Since you have replied to your own post with your preferred link that's OK.


Collapse -
Thanks, Mark
by btljooz / May 6, 2012 2:10 AM PDT
In reply to: You're fine

.....But I still feel pretty darned stoopid[sic]. LOL!? Blush

Collapse -
Just in Case - Don't forget to Back Up Your Data

Hi Barbara,

There are and have been so many viruses, malware, spyware, rogue security infections and so on we could never begin to count them all. I once cleaned a computer that had over 2,000 infections!!! My advice to the owner was simple. It was time to reinstall Windows and get a fresh start.

Don't let anyone tell you you're foolish or paranoid because you're concerned about your computer becoming infected by some scumbag trying to make money off of honest people. It happens every day and its a big industry. You might call it the dirty underbelly of the Internet. Fortunately, we have some safeguards we can use to protect our computers from any permanent damage these anomalies might bring for us to bear.

First and foremost, if you have data which you consider important you MUST BACK IT UP. The hardware to backup your data is far too inexpensive not to have it. Most important data can be backed up on 1 or 2 DVD disks if you have a DVD burner. If not, a simple 8GB Flash drive could do the job as well. Your pictures, your documents and your music are the items most frequently backed up. However, I always recommend that my customers use the features provided by Windows to back up an image of their system as well as the data on an external hard drive. The Windows Backup feature also allows you to use DVDs or CDs to accomplish this task.

Once you data is backed up, you can rest assured that whatever happens, your data is safe. Next, you should always make sure your Windows Firewall is turned on. If it isn't, Windows will remind you frequently that you have a security problem and take you to where you need to go to fix it.

You should also keep an updated version of some sort of Internet Security running. I usually recommend AVG or Norton Internet Security. These programs will keep watch for you and usually catch any unscrupulous activity before it can do any damage to your system. Remember - the best time to guard against security threats to your computer is before you have a problem. Solving these issues after a computer is infected can range from really easy to extremely complex.

As far as the information I've read leading up to my post here, I'm going to repeat what I just said. Back up your data and keep your computer secure BEFORE these type of issues develop. If you want to check to see if your computer is using one of these Rogue DNS Servers, you should review the PDF document provided by the FBI that addresses this issue specifically. This is the correct URL:


This is a legitimate website. I have reviewed all of the information on this site and it is accurate. If you don't feel comfortable trying to do this on your own, you should seek the assistance of a professional like me who removes viruses and malware for a living. Because of the attention this malware has raised, most computer shops should readily be able to quickly determine if your computer is infected.

But Wait!!!
There's More.

This particular malware was also designed to attack your ROUTER!!! According to the information available, the malware attempts to access these devices using common default usernames and passwords and, if successful, changes the DNS servers these devices use from the ISP's good DNS servers to rogue DNS servers now being operated by the United States Computer Emergency Readiness Team. This is a change that may impact all computers on the SOHO network, even if those computers are not infected with the malware.

Therefore, if you never changed your log in information for your router from the standard (usually Admin & Password), you should do it soon. Check your IP Configuraiton to find the numerical address for your router, log on, and change the ubiquitous Admin Username and Password: Password to something more sensible. This should provide a more defensible posture for your router to fight off these kind of attacks.

By the way, the FBI also recommends you back up your data. Where have I heard that before???

I realize that we all want our computing experiences to be safe, secure, and most of all EASY. Unfortunately, as long as there is a way for people to make money by exploiting our internet activities, we'll need to spend a little extra time to make sure we're protected from catastrophic data loss.

Best of Luck Barbara

Collapse -
Good advice, but before backing up...
by rgjac / May 11, 2012 11:30 AM PDT

... Beware that you may be backing up an infection. If you clean up a computer after you back your files up, when you access your backup you may reinfect your computer, in case there is no real-time anti-malware protection running on the computer capable of detecting and blocking/eliminating the malware. That would be the case, for example, if you had to use specific tools to clean an infection, and your anti-virus alone wouldn't detect/clean it. Therefore, if you suspect your computer has malware, run anti-malware software before backing it up. Both are extremely important: backing up regularly and having regular anti-malware/anti-virus updates and scans.

Collapse -
dcwg.org instructions

I quite sure there are instructions on the dcwg.org website as to what to do should your computer be infected with any kind of virus

Collapse -
What is dcwg?
by 1Chris / July 6, 2012 1:03 PM PDT
In reply to: dcwg.org instructions

I saw an article that was very vague and not very helpful as far as what users can do. They make a casual mention of dcwg.org. Who's gonna hand their computer over to them when there's not even a hint as to who they are.

Collapse -
DNS Changer Working Group (DCWG)
by kimsland9 / July 6, 2012 9:30 PM PDT
In reply to: What is dcwg?

About [http://www.dcwg.org/aboutcontact/]

"The DNS Changer Working Group (DCWG) was created to help remediate Rove Digital's malicious DNS servers. The DCWG helps monitor DNS servers run by ISC, under court order, in the former Rove Digital colo space.

The DCWG is an ad hoc group of subject matter experts, and includes members from organizations such as Georgia Tech, Internet Systems Consortium, Mandiant, National Cyber-Forensics and Training Alliance, Neustar, Spamhaus, Team Cymru, Trend Micro, and the University of Alabama at Birmingham."

Popular Forums
Computer Help 49,613 discussions
Computer Newbies 10,349 discussions
Laptops 19,436 discussions
Security 30,426 discussions
TVs & Home Theaters 20,308 discussions
Windows 10 360 discussions
Phones 15,802 discussions
Windows 7 7,351 discussions
Networking & Wireless 14,641 discussions


Big screens for the big game

Still looking for the best TV deals ahead of Sunday's game? Here are our top three big screen picks.