DNSChanger mini-FAQ


I've been seeing numerous comments posted in the last day or so to our recent blogs on the imminent deactivation of the clean DNSChanger server that infected systems will still be accessing. As Peter Stancik has already pointed out, this means that tens or hundreds of thousands of people will effectively, from Monday, not be able to access the internet. Clearly, there are many people who are concerned and in some cases confused about the implications. Rather than try to recycle all the advice that's already been given, I'm going to give you a list of resources and a brief answer to some of the most common questions. I know it's rather close to the shutdown, but if this helps a few more people understand the problem and maybe even avoid it, that's all to the good.

How do I know if I'm infected?

Competent AV should give you a clue. If you don't have it, or are not sure that that it's working properly, you could try ESET's online scanner for Windows.

Is my computer protected?

Conveniently, ESET has provided advice for its customers on whether they are fully protected. The gist is this:

  • ESET products detect and remove DNSChanger variants. [And so, of course, do most reputable commercial products: DH.] The problem is that when AV disinfects an infection (any infection), it can't always restore the system to exactly the state it was in before the infection, and it's possible for a disinfected system still to be using the server that's about to be turned off.
  • For this reason, it's only sensible to take what precautions you can to ensure that your DNS settings are correct.

The ESET alert recommends that you use the following free ESET-verified DNS check from one of the following websites:

Of course, there are other sites and utilities that are intended to help with this, but ESET researchers aren't in a position to verify them all in all possible scenarios. Sometimes they have to sleep.

So if those sites say I'm clear, can I trust them?

Not completely. the US site actually warns you of one potential scenario where it can't diagnose infection  (rather than DNS poisoning) on an individual system. And as the European site makes clear, what is happening is that the site checks your IP address, operating system, and browser against an infection-specific database. If your system checks out against the IP addresses Cameron Camp listed here, that doesn't mean you aren't infected by something. It might not even mean that your DNS settings aren't compromised: only that the IP address in that list wasn't found. Actually, Cameron's advice on checking your own DNS settings might give you a start on dealing with that scenario, but if you think you have a problem with other DNS-poisoning malware, you're best-off calling for expert local help unless you know for sure what you're doing.

What do I do if I have an infection?

ESET have thought of that, too: KB Article: I think my computer is infected with DNS Changer, how do I fix it?

What about home router problems?

DNSChanger can compromise some home routers: see the FBI's comprehensive document here. Neither they nor I can give one-size-fits-all advice on what to do if you suspect a compromise. Effective advice would be product-specific, and you probably need to contact the manufacturer.

Do you have more information?

 OK, I'm lying about that being an FAQ. When people ask about issues like this, they don't usually want detailed information, they want someone to give them a simple fix anyone can implement at the click of a button. Sometimes, though, it's better to endure the headache and make sure you understand the issue properly, especially if you find yourself in a position where the straightforward advice doesn't seem to fit your case. That way, if you do have to call for help, you have more chance of asking the right question.

Hat tip to Stephen Cobb for pointing out on Twitter just how many relevant articles ESET has published: http://blog.eset.com/?s=dns+changer.

For more information from the FBI, who've kind of taken ownership of the whole issue for obvious reasons, see this article and the links it contains.

The DNS Changer Working Group (DCWG) also has lots of information and links.

ESET Senior Research Fellow

Author David Harley, ESET

  • Abigail Mikuszewski

    do not understand any of this. not too smart when it comes to computers. i call it computer stupid=thats me, i'm 50 and have to ask kids and even grandkids how to get on different things. i can read, but comprehention not there. Please write me and explain in as much detail as possible.  address is [removed to protect privacy]. bound to get me some where. i'm a lil lost without computer and get highly stressed if i cant reach my family in NY and N>C> and around Fl. have to have some way of communicateing with them.  thank you for your time in reading this and May GOD be there to help with any problems.     Treely Abigail Mikuszewski.

    • David Harley

      [Also sent by email]
      Abigail, I’ve removed your contact details from this post as publishing them here might expose you to all sorts of invasions of privacy. I’m afraid that even if I lived in the US I wouldn’t be able to get a letter to you in time to avoid this problem, if it in fact affects you, which is only possible if you have, in fact, been infected at some point by this particular malware, and even then isn’t an inevitable result. (The number of people who will be affected is probably in tens or even hundreds of thousands, but that does mean that there are many, many more people who won’t be affected.) In any case, it sounds to me as if what you need is information clearly expressed and specifically based on your own system, not more detail. As researchers/bloggers, we’re not usually in the best position to give one-to-one support, but I can give you a little very generic advice.

      If you have good anti-virus installed and it’s working properly, it’s very unlikely that you were ever infected. I can’t advise you on how to check whatever anti-virus you do use, but the vendor or its distributor should be able to advise you on that, and may even help you check your DNS settings. If that’s a problem (or even if you just want confirmation that you aren’t infected) you could try the ESET online scanner: just follow the directions at http://www.eset.com/us/online-scanner/. If you don’t have the infection, you probably don’t have the DNS problem.

      The real problem for people whose systems have been infected by DNSchanger is that even if the infection is removed, their DNS settings may not have been fixed, and that means that their connection to the internet is partly dependent on a computer controlled by the FBI, which is about to shut it down. If you’re unable to follow the instructions in Cameron’s blog at http://blog.eset.com/2012/05/31/dnschanger-%e2%80%98temporary%e2%80%99-dns-servers-going-dark-soon-how-to-check-your-computer on how to check DNS settings, I really think you’d be best off getting help locally or from one of your friends or relations. Even if it means paying a technician, it might be worth doing that for the reassurance. I’d certainly suggest that you do so if you have reason to think that you _have_ been infected by DNSchanger.

      Sorry I can’t offer more specific advice. If I lived in your neighbourhood, I’d offer to pop round, but I’m afraid I don’t even live in the US (I assume that’s where you live).

Follow us

Copyright © 2017 ESET, All Rights Reserved.