DNSChanger, a piece of malware that re-routed vast swaths of Internet traffic through rogue DNS servers after users became infected, was shut down by the FBI late last year. But simply shutting down the servers altogether would have ‘broken’ many hundreds of thousands of computers still infected–rendering it difficult for them to get help via the Internet–so the FBI and ISC orchestrated a temporary fix, which is set to end on July 9th. This temporary fix has allowed infected computers to stay connected, but that’s coming to a close.
Now Google has rolled out a program to notify people when it detects that their computer is trying to reach those temporary DNS servers. If you use Google Search that will trigger the detection process and a message will appear saying that “you might be infected” if Google detects those temporary DNS servers. This mesage could be confusing because you might have thought you had disinfected your machine. So is it possible to have your computer only ‘halfway fixed?’
If, for example, you used a tool to remove the malware, would it necessarily restore the DNS settings you had before the infection, or would it just eliminate the infection and still leave your traffic re-directing to the soon-to-be-closed temporary DNS servers? If you want to check, you can open up your network interface settings (wired and/or wireless) and look at your DNS settings. While your Operating System may be different, on Windows 7 you can check it by viewing the Properties tab for your interface like this:
Then selecting IPv4 Properties from the next dialog box like:
Here you’ll see a tab for DNS settings like this:
If your system is set to “Obtain DNS server address automatically, this usually this means you’re okay, and that your DNS is getting its settings from your router/switch/access point. If your system is set to “Use the followng DNS server addresses” and you see entries for “Preferred DNS server” and “Alternate DNS server” make a note of those addresses and check them against the list below:
- 220.127.116.11 – 18.104.22.168
- 22.214.171.124 – 126.96.36.199
- 188.8.131.52 – 184.108.40.206
- 220.127.116.11 – 18.104.22.168
- 22.214.171.124 – 126.96.36.199
- 188.8.131.52 – 184.108.40.206
If your addresses are not in that list you should be fine. Another way to check is using nslookup, by opening up a command prompt (Windows 7: Start button -> Search programs and files -> type “cmd” and hit Enter) and then using nslookup like:
Notice my DNS server is 192.168.x.x – a non-publicly-routable address. Yours might vary a bit here, but 192.168.x.x addresses are very common on internal networks, as are 172.x.x.x and 10.x.x.x networks, so those are normal. Also you can see the last line showing the IP it thinks belongs to Google’s website. You can verify this by typing 220.127.116.11 (or whatever yours says, it will probably be different) directly into your browser and seeing if you see http://www.google.com, you should.
If, on the other hand, when you use nslookup you see any of the ranges of IP’s in the list above, that means you’ve got problems and need to fix your computer/router. If your router has been compromised, the effects can be more far-reaching because all the computers–including mobile devices which are Wi-Fi enabled–that are on your network will point to servers which soon won’t work, because your local DNS is directing them to places it shouldn’t. Don’t worry, there’s still time to fix it. You will need to follow the instructions for setting DNS in your router or Wi-Fi access point. If you don’t have easy access to those instructions and cannot find them on the device maker’s website, try this page at OpenDNS, a site that offers a wealth of free information on DNS settings (you may need to register to get to some of the information, but registration is free and in our experience they don’t spam you).
This may be a pain to fix but don’t wait, you need to get it fixed before the July 9th cutoff or devices on your network won’t be able to reach vast swaths of the Internet, making it difficult to get help online.
I think that my computer is infected with DNS Changer, what should I do?
- Your ESET Security Product has detected a DNS Changer infection.
- You suspect that your computer might be infected with DNS Changer due to hyperlinks being incorrectly redirected, frequent pop-ups or slow browser performance.
Users who have ESET Smart Security or NOD32 Antivirus installed on their computers and receive regular virus signature database updates will be protected from infection by DNS Changer, however there is still the concern that an infection removed by ESET may have made changes to system files and DNS records.
To verify that your DNS records have not been affected by this malware, we recommend that you check your DNS settings by visiting the following website: http://www.dns-ok.us/,
If you see a green background and the message “DNS Resolution=Green,” your computer is not infected with the DNS Changer malware.
If you see a red background and the message “DNS Resolution=Red,” contact ESET Customer Care.
The FBI are building a case against the group responsible for the DNS Changer malware. If you have a case to report, visit http://www.dcwg.org to help the security community in their fight against DNS Changer and other malware.