Many times I am being ased what is the most dangerous type of the malware that can infect your computer?
Daily few hundreds are discovered "in the wild" and some of them make to the mainstream of thousands of PC's, but I think DNS Changer is one of the most malicious of them all.
I colaborated with Alfonso Barreiro from Tech Republic to provide short overview of the problem and solutions.
Please contact me for more information or if you think you are being affected by it.
If after visiting the site listed below your result is red not green /as pictured/, please contact me immediately as you will lose your Internet on July 9th.
The DNS Changer malware family silently replaces the Domain Name System (DNS) settings of the computers that it infects (both Windows PCs and Macs) with the addresses of the malicious servers and routers (yes, small office/home office routers that were still using their default admin usernames and passwords). Affected users then would be directed to sites that served malware, spam or large advertisements when they tried to go to popular websites such as Amazon, iTunes and Netflix. Additionally, some variants of the malware blocked access to anti-malware and operating system update sites to prevent its removal. The operators of this botnet would receive advertising revenues when the pages were displayed or clicked on, generating them over $14 million in fees.
Due to the potential impact the removal of these DNS servers would have on millions of users, the FBI had the malicious servers replaced with machines operated by the Internet Systems Consortium, a public benefit non-profit organization, to give affected users time to clean their machines. Originally these temporary servers were to be shut down in March, but the FBI obtained a court order authorizing an extension because of the large number of computers still affected. The new deadline is July 9, giving more time to those still infected to fix their computers. As of March, the infected still included 94 of all Fortune 500 companies and three out of 55 major government entities, according to IID (Internet Identity), a provider of technology and services.
How do I check if I’m infected?
If you are a network admin or IT pro, and you are pretty confident your organization is in the clear, you still may want to share these instructions with your users so that they are aware that their home systems could be infected and so that they can perform the self-checks.
Both the FBI and the DNS Changer Working Group have provided detailed step-by-step instructions for manually checking Windows XP, Windows 7 and Mac OS X computers for infection. Essentially, if your DNS servers listed include one or more of the addresses in the following list, your computer might have been infected:
126.96.36.199 through 188.8.131.52
184.108.40.206 through 220.127.116.11
18.104.22.168 through 22.214.171.124
126.96.36.199 through 188.8.131.52
184.108.40.206 through 220.127.116.11
18.104.22.168 through 22.214.171.124
If your computer checks out okay, you should also check your SOHO router settings. Consult your product documentation on how to access your router settings and compare its DNS servers to those on the list above. If your router is affected, a computer on your network is likely infected with the malware.
There are also several self check tools that can help check your machine. One such tool is provided by the DNS Changer Working Group athttp://www.dns-ok.us/. This site will display an image with a red background if the machine or router is infected. On a clean machine, it will be a green background:
Depending on your organizations’ network configuration, you could set up alerts when machines from your internal network attempt to reach any of the listed addresses or you can block them outright. Be careful if you opt to block them though, as any infected machine will essentially lose its Internet connectivity since they won’t be able to resolve any Internet server name they attempt to reach. Of course, this will also be a big clue that something is wrong, if the support phone lines fire up on July 9 with users reporting mysterious Internet outages!
I found an infection! How do I fix it?
As with detection, there are also a number of tools available to fix an infection. Since the DNS Changer was delivered through different mechanisms over the years, some infections may be more difficult to remove than others. In some extreme cases, only a full reinstall of the operating system will ensure a successful repair. Some removal tools available include:
Kaspersky Labs TDSSKiller
Microsoft Safety Scanner
Trend Micro Housecall
Avira DNS Repair Tool
This is by no means a complete list; most anti-malware companies should be able to detect this particular threat. But be aware that your mileage may vary. DNS Changer was also part of some web exploitation kits and other types of malware (backdoors, keyloggers, etc.) might have hitched a ride and complicated the removal process. If you have an affected router, you should also change its default admin password to something else (and don’t use an easily guessable password - it will be only a matter of time before someone else tries a similar attack).
What if my machine remains infected after the deadline?
Machines that remain infected or are served by an affected router after the temporary servers are removed will, for all intents and purposes, lose their Internet connectivity. How to fix it will remain the same, but with the added wrinkle that you will probably need a second, clean machine with Internet access for diagnostics and to obtain removal tools.
Get IT Tips, news, and reviews delivered directly to your inbox by subscribing to TechRepublic’s free newsletters.
About Alfonso Barreiro
Alfonso is a technology specialist with experience in multiple IT roles with the latest one being in information security.
Your Pc Surgeon is local tech consulting firm specialising in new systems, networks and technology implementation for indyviduals and small businesses.