How to detect and fix a machine infected with DNSChanger

On Mac systems, open the Network pane of System Preferences and, for each network service (Wi-Fi, Ethernet, Bluetooth, etc.), select the service and click the "Advanced" button. Then select the "DNS" tab and make a note of the DNS servers listed. You can also do this in Terminal by first running the following command:

[Screenshot: the Network system preferences, where the DNS configuration for each network connection is shown in OS X. Screenshot by Topher Kessler/CNET]

networksetup -listallnetworkservices

Once that command has listed the services, run the following command for each listed name (remove any asterisk in front of a name, and put the name in quotes if it contains spaces):

networksetup -getdnsservers "SERVICE NAME"

Repeat this command for every listed service (especially the Ethernet and Wi-Fi connections) to list all configured DNS servers.

On a Windows machine (including any you may have installed in a virtual machine), open a command prompt (select "Run" from the Start menu and enter "cmd", or in Windows 7 select "All Programs" and then choose Command Prompt from the Accessories folder). At the prompt, run the following command to list all network interface information, including the configured DNS server IP addresses:

[Screenshot: the Windows command line showing the DNS server settings for all interfaces. Screenshot by Topher Kessler/CNET]

ipconfig /all

Once you have your system’s DNS servers listed, enter them into the FBI’s DNS checker Web page to see if they are identified as part of the rogue DNS network. In addition to manually looking up and checking your DNS settings, a number of Web services have popped up that will test your system for the DNSChanger malware. The DNSChanger Working Group has compiled a list of many of these services, which you can use to test your system (for those in the U.S., you can go to dns-ok.us to test your connection).
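To automate the two manual steps above, here is an added example (my own code, not part of the CNET article): it runs `networksetup` on macOS or `ipconfig /all` on Windows, parses the output the same way the article tells you to read it (dropping the asterisk from service names, collecting every address on the "DNS Servers" lines), and reports any server that falls inside a list of suspect address ranges. The ranges in `SUSPECT_RANGES` are placeholders from RFC 5737 documentation space; you would substitute the rogue-server ranges published by the FBI and the DNSChanger Working Group, which the article links to rather than lists.

```python
import ipaddress
import platform
import subprocess

# PLACEHOLDER ranges (RFC 5737 documentation space), not real indicators: replace
# them with the rogue-server ranges published by the FBI / DNSChanger Working Group.
SUSPECT_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

def as_ip(token):
    """Parse a token as an IP address (dropping an IPv6 zone such as '%12'), else None."""
    try:
        return ipaddress.ip_address(token.split("%")[0])
    except ValueError:
        return None

def parse_mac_services(listing):
    """Names from 'networksetup -listallnetworkservices' (notice line and leading '*' dropped)."""
    return [n for n in (row.lstrip("*").strip() for row in listing.splitlines()[1:]) if n]

def parse_mac_dns(output):
    """Addresses from 'networksetup -getdnsservers'; a sentence means none are set."""
    return [t for t in output.split() if as_ip(t)]

def parse_windows_dns(output):
    """Addresses from 'ipconfig /all': each 'DNS Servers' line plus its indented continuations."""
    found, in_block = [], False
    for line in output.splitlines():
        if "DNS Servers" in line:
            in_block, line = True, line.split(":", 1)[-1]
        elif in_block and not as_ip(line.strip()):
            in_block = False
        if in_block:
            found += [t for t in line.split() if as_ip(t)]
    return found

def suspect(addrs):
    """Subset of addrs lying inside one of SUSPECT_RANGES (non-addresses are ignored)."""
    return [a for a in addrs if (ip := as_ip(a)) and any(ip in net for net in SUSPECT_RANGES)]

def collect():
    """Run the OS tool the article describes (ipconfig on Windows, else networksetup)."""
    run = lambda *cmd: subprocess.run(cmd, capture_output=True, text=True).stdout
    if platform.system() == "Windows":
        return parse_windows_dns(run("ipconfig", "/all"))
    services = parse_mac_services(run("networksetup", "-listallnetworkservices"))
    return [a for s in services for a in parse_mac_dns(run("networksetup", "-getdnsservers", s))]

if __name__ == "__main__":
    servers = collect()
    print("configured DNS servers:", servers, "\ninside suspect ranges:", suspect(servers) or "none")
```

Run it on each Mac and PC; a non-empty "inside suspect ranges" line means that machine's resolver settings still need attention, while an empty "configured DNS servers" list on a client usually means the router hands out the addresses, so check the router as well.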

If these tests come up clean, then you have nothing to worry about; if they give you any warnings, use an anti-malware scanner to check for and remove the DNSChanger malware. Given that the malware was abruptly halted in November 2011, there has been ample time for security companies to update their anti-malware definitions to include all variants of DNSChanger. If you have a malware scanner and have not used it recently, launch it, update it fully, and then perform a full scan of your system. Do this for every PC and Mac on your network, and also check your router's settings to see whether the DNS servers configured there are the proper ones from your ISP or rogue ones.

If your router or computer is not showing any valid DNS server addresses after you have removed the malware, and your system is unable to connect to Internet services, then you might try configuring your system to use a public DNS service, such as those from Google and OpenDNS, by entering the following IP addresses into your system's network settings:

8.8.8.8 (Google)
8.8.4.4 (Google)
208.67.222.222 (OpenDNS)
208.67.220.220 (OpenDNS)

If after Monday you find you can no longer access the Internet, then it is likely that your system or network router is still configured with the rogue DNS servers, and you will need to repeat the steps above to detect and remove the malware from your systems. Luckily the malware is not viral in nature, so it will not self-propagate and automatically re-infect systems. Therefore, once the malware has been removed and valid DNS servers have been configured, the affected computers should regain proper access to the Internet.

Background
DNS is the "Domain Name System," which acts like the Internet's phone book and translates human-friendly names such as "www.cnet.com" into the IP addresses that computers and routers use to establish connections. Since DNS is the interface between the typed URL and the targeted server, the crime ring created its own DNS network that would in large part work normally, but would also allow the ring to arbitrarily redirect the traffic for specific URLs to fake Web sites for the purposes of stealing personal information or getting people to click on ads.
