DNSChanger ‘temporary’ DNS servers go dark soon: is your computer really fixed?

DNSChanger, a piece of malware that re-routed vast swathes of Internet traffic through rogue DNS servers after users became infected, was shut down by the FBI late last year. But simply switching the servers off would have ‘broken’ many hundreds of thousands of still-infected computers, leaving them unable to resolve any names and so unable to get help via the Internet. Instead the FBI and the Internet Systems Consortium (ISC) orchestrated a temporary fix: clean replacement servers answering at the same addresses, which are scheduled to go offline on July 9th. This temporary fix has allowed infected computers to stay connected, but that’s coming to a close.

Now Google has rolled out a program to notify people when it detects that their computer’s DNS lookups are being answered by those temporary servers. Simply using Google Search is enough to trigger the detection, and a message will appear saying that “you might be infected”. This message could be confusing if you thought you had already disinfected your machine. So is it possible to have your computer only ‘halfway fixed?’

If, for example, you used a tool to remove the malware, would it necessarily restore the DNS settings you had before the infection, or would it just eliminate the infection and leave your traffic re-directed to the soon-to-be-closed temporary DNS servers? Removal tools clean the malware; they do not always undo the settings it changed. If you want to check, open your network interface settings (wired and/or wireless) and look at the DNS settings. Your Operating System may differ, but on Windows 7 the steps are:

  • open the Properties dialog for your network interface (Local Area Connection or Wireless Network Connection);
  • in the list of items, select Internet Protocol Version 4 (TCP/IPv4) and click Properties;
  • the DNS server fields are in the lower half of the General tab of that dialog.

If your system is set to “Obtain DNS server address automatically”, this usually means you’re okay as far as the computer itself goes, and that your DNS settings are coming from your router/switch/access point (which then needs checking too, see below). If your system is set to “Use the following DNS server addresses” and you see entries for “Preferred DNS server” and “Alternate DNS server”, make a note of those addresses and check them against the list below:

  • 77.67.83.1 – 77.67.83.254
  • 85.255.112.1 – 85.255.127.254
  • 67.210.0.1 – 67.210.15.254
  • 93.188.160.1 – 93.188.167.254
  • 213.109.64.1 – 213.109.79.254
  • 64.28.176.1 – 64.28.191.254

If your addresses are not in that list, your computer’s own settings should be fine. Another way to check is with nslookup: open a command prompt (Windows 7: Start button -> Search programs and files -> type “cmd” and hit Enter), then type “nslookup” and hit Enter. The first two lines it prints are the name and address of the DNS server your computer is actually using; typing a host name such as www.google.com at the “>” prompt shows what that server resolves it to.

In my case the DNS server is 192.168.x.x, a non-publicly-routable address, meaning my computer asks the router, which in turn asks the ISP’s servers. Yours might vary a bit here, but 192.168.x.x addresses are very common on internal networks, as are 10.x.x.x and 172.16.x.x through 172.31.x.x, so those are normal. If the server name shows as “UnKnown”, that only means the address has no reverse DNS entry, which is typical for home routers. The last line of the lookup shows the IP the server believes belongs to Google’s website. You can verify it by typing that address (mine was 173.194.79.106; yours will probably differ) directly into your browser: you should land on www.google.com.

If, on the other hand, nslookup shows a server in any of the ranges listed above, you’ve got a problem and need to fix your computer and/or router. A compromised router is the more far-reaching case: every device on your network, including Wi-Fi-enabled mobile devices, is being handed the rogue servers by your local DHCP/DNS, so they will all lose name resolution when those servers go dark, regardless of their own operating system. Don’t worry, there’s still time to fix it. Log in to your router or Wi-Fi access point and follow the device maker’s instructions for setting its DNS servers. If you don’t have those instructions and cannot find them on the maker’s website, try the router setup pages at OpenDNS, a site that offers a wealth of free information on DNS settings (you may need to register to get to some of the information, but registration is free and in our experience they don’t spam you).
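The checks above can be scripted. The following is an added example and not code from the original article or from ESET: it encodes the six ranges listed above and classifies the resolver addresses found in `nslookup` output (Windows or Unix style) or, as an alternative to the Windows 7 dialog steps, in the output of `ipconfig /all` (not mentioned in the article; the “DNS Servers” lines there carry the same addresses the IPv4 Properties dialog shows). The sample outputs embedded in the script are constructed for illustration, not real captures.

```python
"""Check the DNS resolvers a host is using against the DNSChanger ranges.

Added example, not code from the original ESET article. The sample
nslookup/ipconfig outputs at the bottom are constructed, not captured.
"""
import ipaddress
import re

# The six ranges from the article, as first and last host address.
ROGUE_RANGES = [
    ("77.67.83.1", "77.67.83.254"),
    ("85.255.112.1", "85.255.127.254"),
    ("67.210.0.1", "67.210.15.254"),
    ("93.188.160.1", "93.188.167.254"),
    ("213.109.64.1", "213.109.79.254"),
    ("64.28.176.1", "64.28.191.254"),
]
_ROGUE = [(int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi)))
          for lo, hi in ROGUE_RANGES]


def _clean(token: str) -> str:
    """Drop a Unix nslookup '#53' port suffix or a Windows '%n' zone suffix."""
    return token.strip().split("#", 1)[0].split("%", 1)[0]


def _parse_ip(token: str):
    try:
        return ipaddress.ip_address(_clean(token))
    except ValueError:
        return None


def classify(addr: str) -> str:
    """'rogue' if inside a DNSChanger range; 'private' if it is a LAN address
    (normally the router, whose own DNS settings must then be checked);
    'public' otherwise; 'invalid' if the token is not an IP address."""
    ip = _parse_ip(addr)
    if ip is None:
        return "invalid"
    if ip.version == 4 and any(lo <= int(ip) <= hi for lo, hi in _ROGUE):
        return "rogue"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "private"
    return "public"


def resolvers_from_nslookup(text: str) -> list:
    """Resolver address(es) from nslookup output: the 'Address:' line right
    after 'Default Server:' or 'Server:'. Answer addresses (after 'Name:')
    are ignored. 'Server: UnKnown' only means the resolver has no PTR record."""
    found, expect_server_addr = [], False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith(("Default Server:", "Server:")):
            expect_server_addr = True
        elif expect_server_addr and s.startswith("Address:"):
            addr = _clean(s[len("Address:"):])
            if addr and addr not in found:
                found.append(addr)
            expect_server_addr = False
    return found


_IPCONFIG_DNS = re.compile(r"^\s*DNS Servers[ .]*:\s*(\S+)")


def resolvers_from_ipconfig(text: str) -> list:
    """All 'DNS Servers' entries from 'ipconfig /all', including the unlabeled
    continuation lines Windows prints when an adapter has several resolvers."""
    found, in_dns_block = [], False
    for line in text.splitlines():
        m = _IPCONFIG_DNS.match(line)
        if m:
            in_dns_block, addr = True, _clean(m.group(1))
        elif in_dns_block and _parse_ip(line) is not None:
            addr = _clean(line)
        else:
            in_dns_block = False
            continue
        if addr not in found:
            found.append(addr)
    return found


def audit(addresses) -> dict:
    """Classify each resolver; 'affected' is True if any one is in a rogue range."""
    verdicts = {a: classify(a) for a in addresses}
    return {"resolvers": verdicts, "affected": "rogue" in verdicts.values()}


# Constructed sample outputs (not real captures).
SAMPLE_NSLOOKUP_CLEAN = """\
Default Server:  UnKnown
Address:  192.168.1.1

> www.google.com
Server:  UnKnown
Address:  192.168.1.1

Non-authoritative answer:
Name:    www.google.com
Address:  173.194.79.106
"""

SAMPLE_IPCONFIG_INFECTED = """\
Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.36
                                       85.255.113.9
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    print("nslookup:", audit(resolvers_from_nslookup(SAMPLE_NSLOOKUP_CLEAN)))
    print("ipconfig:", audit(resolvers_from_ipconfig(SAMPLE_IPCONFIG_INFECTED)))
```

A “private” verdict is the normal home-network result, but it only moves the question to the router: log in to it and run the same comparison on the DNS servers configured there. The script deliberately reports on every resolver rather than stopping at the first match, because DNSChanger typically set both the preferred and alternate server.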

This may be a pain to fix but don’t wait, you need to get it fixed before the July 9th cutoff or devices on your network won’t be able to reach vast swaths of the Internet, making it difficult to get help online.

Author Cameron Camp, ESET

  • NA Campbell

    Just wanted to let you know you have a spelling error: “If you use Google Search that will trugger”.

    • David Harley

      Thanks. Fixed.

  • Nico

    Why would you cover the internal IP?

  • Stephen Cobb

    Thanks very much for the catch, NA Campbell, and for the fix, Mr. Harley. I was going to pretend trugger was an AV industry term that combines trigger and an English swear word beginning with B, but it was indeed a typo. Perhaps there was also a Freudian slip in there somewhere as well, because many AV experts and ISPs have mixed emotions about Google doing this type of alerting. My own mind is not made up as to the net gain from this "feature", but I would be the first to admit that cleaning up after DNSChanger is an unprecedented challenge with no obvious quick fixes.

  • NA Campbell

    You are welcome Steven, take care, and keep up the great work. :)

  • NA Campbell

    Oops! I mean Stephen, sorry, see ya. :)

  • Ernesto

    Hi there! I'm using Linux, but it's always interesting to read this news about suffering Windows PCs.

  • Cameron Camp

    @Ernesto: Yeah, I use almost entirely Linux/BSD, but had to fire up Win7 for the article. Still I hate to see people getting scammed on any platform, so hopefully this will help the Windows folks check and avert nastiness :)

  • Tri

    How does this affect Mac computers?
    If Macs are affected, what is the procedure for fix.
    Thanks for your advice & help!

    • David Harley

      DNS changing malware for the Mac does exist. The exact procedure may vary according to which OS version you have, but essentially you would need to check System Preferences/Internet & Wireless/Network/ (you may need to check the Advanced settings too). It’s essentially the same for home users as Cameron describes the Windows settings, depending on how you connect to the Internet. If it’s set to use DHCP, as is normal for residential users, the DNS server address is blank or shows a private (internal) IP address (more often than not this will start with 192.168).

  • Gar Mill

    Why could you not simply do a hard reset on your router and flush the virus while getting a new valid DNS? Just asking.
    Gar

  • Mollie Steward

    I have your NOD32 Antivirus. Thought I'd see what advice/info you had on the DNS problem. I THINK I'm ok, but want to be sure. When I went to check those network/internet settings as you describe with Windows 7, I could never get to that IP4 box; none of my tabs or anything matched any of your choices. I'm using Windows 7 Home Premium.
    How do I follow?
    Thanks!

  • Alex Santos

    In terms of the Mac or any computer, just because your computer's DNS settings (an IP address) might be pointing to your router does not mean you have no issue. Your router can have the wrong settings. In other words, your computer relies on the router for DNS, but if the DNS entries are incorrect you are still unsafe.
    The router should be checked as well.
    Furthermore, if the router is pointing to your ISP's DNS and their DNS is infected, you will still get hit. The ISP has to do their job and update their DNS server as well.
    Finally, it might be best to point your router to a different DNS like openDNS.com; they have never been attacked and are extremely credible. They even have a special DNS server that denies pages hosting porn and phishing from ever reaching your computer.
    In conclusion, everything on your network should point to a reliable DNS service. If you trust your ISP, then your Mac/PC can point to the router because it goes there by default. If you can't verify your ISP's DNS is operating as it should and is not infected, point all devices to an alternate DNS.

  • dbpage

    According to the article, if your router is affected, the DNS lookup will be affected no matter what OS your PC or mobile device uses.

  • Tiffany

    How do I know if I have been infected? As a realtor, we have been hacked several times, but so far they wipe out everything with the emails. How do I protect myself? I am not computer tech savvy. I do not trust very many of these sites due to people stealing info.

  • Cameron Camp

    @Gar Mill: There is a good resource from the folks at OpenDNS at https://store.opendns.com/setup/router/ that might be helpful for folks looking into specific steps to check their routers, which all seem to be a bit different. Once you login to your router (if you feel comfortable doing that), you can either get your DNS settings from your ISP, or use something like the Google public ones to be sure…

  • Cameron Camp

    @Alex: Indeed it's a good idea to check your router, it may be beyond the skill of less experienced users, but the openDNS link should help a bit with checking specific routers…

  • Cameron Camp

    @Mollie: Yeah, it can get a bit confusing, you might try the old trusty simple version by doing: Windows 7: Start button -> Search programs and files -> type “cmd” and hit Enter, then type "nslookup" and comparing your settings to the black window in the article…

  • Richard

    will this virus affect Windows vista?

    • Stephen Cobb

      Yes Richard, it can affect computers running Windows Vista.

  • Mollie Steward

    Thanks, Cameron -
    I did the nslookup and it said wireless broadband router home and gave a 192.—- number.
    I think that should be ok, but I still could never get that IP4 box you have. Where is that???
    Thanks,
    Mollie

  • Brenda

    Cameron: Based on your information and instructions, I'm OK. Thank you! 

  • elia campos

    I really don't know a lot about computers, so I don't know if I'm safe or not. Please help, I cannot have my computer going dark. Thank you, Elia Campos

    • David Harley

      Elia, we can’t really reach out to individuals to offer unspecified help. The best information I can give you unless you have specific questions is that if you can read this, you either don’t have the problem or your Internet provider has taken steps to stop you being dependent on a DNS Server which is no longer active.

  • thuhuyen

    Dear Cameron: I have some questions. If I were the administrator of a local area network, how would I scan my network to find out how many machines were infected? What tool is used to scan for it, on Linux? And could mobile phone operating systems and other wireless devices be infected? How?

  • Spaniard Blog

    Based on your information my PC looks good and is not infected by that malware, and I am using Internet Security on my PC. Thanks for making a post about that. So now I understand what DNSChanger is. :)

  • jack

    I think you should double check if nslookup default server says unknown

  • FirliINA

    Can DNSChanger infect tablets, like the iPad, and phones, like BlackBerry?

    • David Harley

      The DNS-poisoning malware I’m aware of is mostly for Windows and occasionally OS X. Malware with a similar payload for another device would either be OS-specific or use a common app framework like Java. Not impossible, but no connection to this particular malware.

Copyright © 2014 ESET, All Rights Reserved.