Final DNSChanger warning: 9th of July is cutoff date!

If the replaced DNSChanger servers don’t get another deadline extension, more than 500,000 computers may not be able to reach their configured DNS service after Monday, July 9, 2012.  In other words, it will be practically impossible for the users of those computers to surf the Internet using human friendly domain names like http://www.eset.com. That’s right, many of the systems that were infected by DNSChanger still have the DNS (Domain Name Service) settings that were altered by the malware, even when the malware itself has been removed.

DNSchanger stops Internet access

So, what exactly is DNSChanger?

If you have no idea what I am talking about, take a quick peek at one of our previously published posts:

Which countries had the most infections?

Courtesy of Shadowserver.org


How can you find out whether your system was affected?

Several web sites have been set up to provide a check-up service and additional information on the threat, such as dns-changer.eu or www.dns-ok.us.

How can you recover from it?

The malware can be completely removed from your computer using our free ESET Online Scanner and the system DNS can be re-set to use – for example – the Google Public DNS.

We’ve been seeing numerous comments posted in the last day or so to our recent blogs on the imminent deactivation of the clean DNSChanger server that infected systems will still be accessing. As Peter Stancik has already pointed out, this means that tens or hundreds of thousands of people will effectively, from Monday, not be able to access the internet. Clearly, there are many people who are concerned and in some cases confused about the implications. Rather than try to recycle all the advice that’s already been given, I’m going to give you a list of resources and a brief answer to some of the most common questions. I know it’s rather close to the shutdown, but if this helps a few more people understand the problem and maybe even avoid it, that’s all to the good.

How do I know if I’m infected?

Competent AV should give you a clue. If you don’t have it, or are not sure that it’s working properly, you could try ESET’s online scanner for Windows.

Is my computer protected?

Conveniently, ESET has provided advice for its customers on whether they are fully protected. The gist is this:

  • ESET products detect and remove DNSChanger variants. [And so, of course, do most reputable commercial products: DH.] The problem is that when AV disinfects an infection (any infection), it can’t always restore the system to exactly the state it was in before the infection, and it’s possible for a disinfected system still to be using the server that’s about to be turned off.
  • For this reason, it’s only sensible to take what precautions you can to ensure that your DNS settings are correct.

The ESET alert recommends that you use a free ESET-verified DNS check from one of the following websites:

Of course, there are other sites and utilities that are intended to help with this, but ESET researchers aren’t in a position to verify them all in all possible scenarios. Sometimes they have to sleep.

So if those sites say I’m clear, can I trust them?

Not completely. The US site actually warns you of one potential scenario where it can’t diagnose infection (rather than DNS poisoning) on an individual system. And as the European site makes clear, what is happening is that the site checks your IP address, operating system, and browser against an infection-specific database. If your system checks out against the IP addresses Cameron Camp listed here, that doesn’t mean you aren’t infected by something. It might not even mean that your DNS settings aren’t compromised: only that the IP address in that list wasn’t found. Actually, Cameron’s advice on checking your own DNS settings might give you a start on dealing with that scenario, but if you think you have a problem with other DNS-poisoning malware, you’re best off calling for expert local help unless you know for sure what you’re doing.
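The local check that Cameron recommends (and that the bullet points above ask you to make) can be scripted so that it looks at what your own machine is actually configured to use, rather than at the address a website happens to see. The script below is an added example written for this post; it is not an ESET tool or anything from the sites mentioned. It parses the `DNS Servers` field out of `ipconfig /all` output on Windows (or `nameserver` lines from `/etc/resolv.conf` elsewhere) and compares every resolver address against a list of rogue ranges. The two ranges in the script are placeholders taken from the RFC 5737 documentation blocks; replace them with the ranges the FBI and DCWG published. The sample `ipconfig` text is constructed.

```python
"""Check the resolvers this machine is configured to use against rogue ranges.

Added example for this post, not ESET code. ROGUE_RANGES holds PLACEHOLDERS
(RFC 5737 documentation networks); substitute the FBI/DCWG published ranges.
"""
import ipaddress
import re
import subprocess
import sys

# PLACEHOLDER ranges, not the real DNSChanger ranges.
ROGUE_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed sample of `ipconfig /all` output, one adapter with two resolvers.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WORKSTATION

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.test
   IPv4 Address. . . . . . . . . . . : 10.0.0.23(Preferred)
   DNS Servers . . . . . . . . . . . : 192.0.2.17
                                       10.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
"""


def parse_ipconfig(text):
    """Map adapter name -> list of DNS server strings from `ipconfig /all`.

    Adapter headers are unindented lines ending in ':'. The 'DNS Servers'
    field lists extra addresses on indented continuation lines that carry
    nothing but the address, so those are collected until a non-address line.
    """
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip().rstrip(":").strip()
            adapters.setdefault(current, [])
            in_dns = False
            continue
        first = re.match(r"\s+DNS Servers[ .]*:\s*(\S+)", line)
        if first and current is not None:
            adapters[current].append(first.group(1))
            in_dns = True
            continue
        if in_dns:
            more = re.match(r"\s+([0-9a-fA-F:.%]+)\s*$", line)
            if more and current is not None:
                adapters[current].append(more.group(1))
                continue
            in_dns = False
    return adapters


def parse_resolv_conf(text):
    """Return the nameserver addresses from /etc/resolv.conf style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify(servers, rogue=ROGUE_RANGES):
    """Return (server, verdict) pairs; verdict is 'rogue', 'ok' or 'invalid'."""
    results = []
    for server in servers:
        try:
            ip = ipaddress.ip_address(server.split("%")[0])  # drop IPv6 zone id
        except ValueError:
            results.append((server, "invalid"))
            continue
        hit = any(ip in net for net in rogue)
        results.append((server, "rogue" if hit else "ok"))
    return results


def audit_ipconfig(text, rogue=ROGUE_RANGES):
    """Per-adapter verdicts for a block of `ipconfig /all` output."""
    return {name: classify(servers, rogue)
            for name, servers in parse_ipconfig(text).items()}


if __name__ == "__main__":
    if sys.platform.startswith("win"):
        out = subprocess.run(["ipconfig", "/all"], capture_output=True,
                             text=True, check=True).stdout
        report = audit_ipconfig(out)
    else:
        with open("/etc/resolv.conf", encoding="utf-8") as fh:
            report = {"resolv.conf": classify(parse_resolv_conf(fh.read()))}
    for name, verdicts in report.items():
        for server, verdict in verdicts:
            print(f"{name}: {server} -> {verdict}")
```

Run without arguments it inspects the machine it is on; the parsing functions take text so the constructed sample (or a saved `ipconfig /all` capture from another machine) can be checked offline. Note what this does and does not tell you: it reports the resolvers this host will use, so a `rogue` verdict means the setting itself needs correcting even if the malware is long gone, while an `ok` verdict says nothing about a compromised home router that is handing out its own address as the resolver.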

What do I do if I have an infection?

ESET have thought of that, too: KB Article: I think my computer is infected with DNS Changer, how do I fix it?

What about home router problems?

DNSChanger can compromise some home routers: see the FBI’s comprehensive document here. Neither they nor I can give one-size-fits-all advice on what to do if you suspect a compromise. Effective advice would be product-specific, and you probably need to contact the manufacturer.

Do you have more information?

OK, I’m lying about that being an FAQ. When people ask about issues like this, they don’t usually want detailed information, they want someone to give them a simple fix anyone can implement at the click of a button. Sometimes, though, it’s better to endure the headache and make sure you understand the issue properly, especially if you find yourself in a position where the straightforward advice doesn’t seem to fit your case. That way, if you do have to call for help, you have more chance of asking the right question.

Hat tip to Stephen Cobb for pointing out on Twitter just how many relevant articles ESET has published: http://blog.eset.com/?s=dns+changer.

For more information from the FBI, who’ve kind of taken ownership of the whole issue for obvious reasons, see this article and the links it contains.

The DNS Changer Working Group (DCWG) also has lots of information and links.


David Harley CITP FBCS CISSP

ESET Senior Research Fellow

Peter Stancik
Security Expert

