If the replaced DNSChanger servers don’t get another deadline extension, more than 500,000 computers may not be able to reach their configured DNS service after Monday, July 9, 2012. In other words, it will be practically impossible for the users of those computers to surf the Internet using human friendly domain names like http://www.eset.com. That’s right, many of the systems that were infected by DNSChanger still have the DNS (Domain Name Service) settings that were altered by the malware, even when the malware itself has been removed.
So, what exactly is DNSChanger?
If you have no idea what I am talking about, take a quick peek at one of our previously published posts:
- Time to check your DNS settings?
- DNS Changer (re)lived, new deadline: 9 July 2012!
- DNSChanger ‘temporary’ DNS servers go dark soon: is your computer really fixed?
Which countries had the most infections?
How can you find out whether your system was affected?
How can you recover from it?
We’ve been seeing numerous comments posted in the last day or so to our recent blogs on the imminent deactivation of the clean DNSChanger server that infected systems will still be accessing. As Peter Stancik has already pointed out, this means that tens or hundreds of thousands of people will effectively, from Monday, not be able to access the internet. Clearly, there are many people who are concerned and in some cases confused about the implications. Rather than try to recycle all the advice that’s already been given, I’m going to give you a list of resources and a brief answer to some of the most common questions. I know it’s rather close to the shutdown, but if this helps a few more people understand the problem and maybe even avoid it, that’s all to the good.
How do I know if I’m infected?
Competent AV should give you a clue. If you don’t have it, or are not sure that that it’s working properly, you could try ESET’s online scanner for Windows.
Is my computer protected?
Conveniently, ESET has provided advice for its customers on whether they are fully protected. The gist is this:
- ESET products detect and remove DNSChanger variants. [And so, of course, do most reputable commercial products: DH.] The problem is that when AV disinfects an infection (any infection), it can’t always restore the system to exactly the state it was in before the infection, and it’s possible for a disinfected system still to be using the server that’s about to be turned off.
- For this reason, it’s only sensible to take what precautions you can to ensure that your DNS settings are correct.
The ESET alert recommends that you use the following free ESET-verified DNS check from one of the following websites:
Of course, there are other sites and utilities that are intended to help with this, but ESET researchers aren’t in a position to verify them all in all possible scenarios. Sometimes they have to sleep.
So if those sites say I’m clear, can I trust them?
Not completely. the US site actually warns you of one potential scenario where it can’t diagnose infection (rather than DNS poisoning) on an individual system. And as the European site makes clear, what is happening is that the site checks your IP address, operating system, and browser against an infection-specific database. If your system checks out against the IP addresses Cameron Camp listed here, that doesn’t mean you aren’t infected by something. It might not even mean that your DNS settings aren’t compromised: only that the IP address in that list wasn’t found. Actually, Cameron’s advice on checking your own DNS settings might give you a start on dealing with that scenario, but if you think you have a problem with other DNS-poisoning malware, you’re best-off calling for expert local help unless you know for sure what you’re doing.
What do I do if I have an infection?
ESET have thought of that, too: KB Article: I think my computer is infected with DNS Changer, how do I fix it?
What about home router problems?
DNSChanger can compromise some home routers: see the FBI’s comprehensive document here. Neither they nor I can give one-size-fits-all advice on what to do if you suspect a compromise. Effective advice would be product-specific, and you probably need to contact the manufacturer.
Do you have more information?
OK, I’m lying about that being an FAQ. When people ask about issues like this, they don’t usually want detailed information, they want someone to give them a simple fix anyone can implement at the click of a button. Sometimes, though, it’s better to endure the headache and make sure you understand the issue properly, especially if you find yourself in a position where the straightforward advice doesn’t seem to fit your case. That way, if you do have to call for help, you have more chance of asking the right question.
Hat tip to Stephen Cobb for pointing out on Twitter just how many relevant articles ESET has published: http://blog.eset.com/?s=dns+changer.
For more information from the FBI, who’ve kind of taken ownership of the whole issue for obvious reasons, see this article and the links it contains.
The DNS Changer Working Group (DCWG) also has lots of information and links.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow