Notifying DNSChanger Victims

June 4, 2012 at 12:06pm

Facebook's Product Security Team is working constantly to protect users from malicious content and malware like viruses, trojans, and worms. The Product Security Team achieves this goal by building tools, working with Facebook engineers to build safer products, and by partnering with computer security teams within other companies and organizations. A recent malware threat our team has been fighting is called DNSChanger.


This family of malware operated as a botnet, infecting millions of computers by manipulating search results, displaying advertisements for fake or malicious products, and directing victims to malicious websites.


In 2011, an international group of law enforcement agencies arrested the group operating DNSChanger malware botnets. However, many computers impacted by the malware remain infected and are currently using interim systems to access the internet. Cleaning up the infected computers presents a challenge to the computer security industry. 


As a result of the arrests, all computers still infected with DNSChanger malware will no longer be able to access websites, email, chat, or social networking sites like Facebook, after July 9, 2012 when these temporary systems will be disabled.


What We Are Doing


Earlier this year, Facebook joined the clean up effort by participating in [ DNSChanger Working Group], which is comprised of computer security experts from the public, private, and academic sectors. As a result of our work with the group, Facebook is now able to notify users likely infected with DNSChanger malware and direct them to instructions on how to clean their computer or networks.


Affected Facebook users will be shown a warning message like the one below:



Why We Are Doing It


Facebook's security teams primary concern is keeping users safe. By partnering with the DNSChanger Working Group, Facebook is able to raise awareness about this particular malware. Of particular concern to everyone, is preventing users of infected computers from losing their access to the Internet on July 9, 2012. The Internet has become an essential tools for most people's daily lives, but we at Facebook and other computer security organizations know we must keep it safe for that to continue. 


What Is DNSChanger Malware?


When DNSChanger malware infects a computer, it performs numerous malicious actions. The most serious action is known as DNS manipulation.


DNS stands for Domain Name System. It is a core Internet technology used to convert human readable domain names -- -- into an IP address -- -- a computer can understand. Most computers make this conversion by talking to a DNS server. Most of the world's computers use a DNS server provided by their Internet Service Provider (ISP).


DNSChanger malware interferes with this process by telling the infected computer to use a DNS server owned by criminals. The criminals use this rogue DNS server to direct your computer to malicious, instead of legitimate, websites.


How To Clean


Facebook users who are concerned their computer or network might be infected with DNSChanger malware can easily check by visiting the DNSChanger Working Group'sDetection Page. If your computer or network is infected, the working group's webpage has detailed instructions on how to clean your computer.


You can find more information on keeping your computer safe on the Facebook Security Page or in our Help Center.