How to protect yourself from DNSChanger
Here's how to determine whether you're infected, and what to do if you are.
By Alex Wawro | PC World | Published: 16:31, 09 May 2012
In July the Internet Systems Consortium will permanently shut down DNS servers deployed to serve as temporary surrogates for rogue DNS servers shut down as part of Operation Ghost Click, an FBI operation that brought down an Estonian hacker ring last year. If your PC is one of the more than one million computers infected that carry DNSChanger you might unknowingly be relying on one of the FBI's temporary servers to access the internet, and if you don't eliminate DNSChanger from your PC before the FBI pulls the plug on its servers, you'll be left without internet access. Read on to learn how to discover whether you're infected with DNSChanger, and what you can do to eliminate it from your system.
How to tell whether DNSChanger has infected your PC
To figure out whether you've been infected with DNSChanger, just point your web browser to one of the (admittedly amateur-looking) DNSChanger Check-Up websites that internet security organisations maintain across the globe. The link above will take you to a DNS Changer Check-Up page in the United States that the DNS Changer Working Group maintains; if you live outside the US, you can consult the FBI's list of DNSChanger Check-Up websites to find an appropriate service for your region.
Unfortunately, if your router is infected, those websites will think that your PC is infected, even though it may be clean; worse, if your ISP redirects DNS traffic, your PC may appear to be clean even though your DNS settings may have been maliciously altered. If you want to be certain that your PC is free of DNSChanger malware, you need to manually look up the IP addresses of the DNS servers that your PC contacts to resolve domain names when browsing the web.
Related Articles on Techworld
To look up which DNS servers your Windows 7 PC is using, open your Start menu and either run the Command Prompt application or type cmd in the Search field. Once you have a command prompt open, type ipconfig /allcompartments /all at the command line and press Enter. A big block of text should appear; scroll through it until you see a line that says 'DNS Servers', and copy down the string(s) of numbers that follow (there may be more than one string here, meaning that your PC accesses more than one DNS server).
It's even easier for Mac OS X users to determine the IP addresses of the DNS servers that their PC uses. Open the Apple menu (usually located in the upper-left corner of the screen) and select System Preferences. Next, click the Network icon to open your Network Settings menu; navigate to Advanced Settings, and copy down the string(s) of numbers listed in the DNS Server box.
Once you know the IP addresses of the DNS servers that your PC is using, head over to the FBI DNSChanger website and enter those addresses into the search box. Press the big blue Check Your DNS button, and the FBI's software will tell you whether your PC is using rogue DNS servers to access the internet.
What to do if your PC is infected by DNSChanger
If your PC is infected with DNSChanger, you'll have to do some intensive work to get rid of it. DNSChanger is a powerful rootkit that does more than just alter DNS settings; if you've been infected with DNSChanger, your safest course is to back up your important data, reformat your hard drive(s), and reinstall your operating system.
If you're leery of reformatting your entire PC, you can try rooting out the DNSChanger rootkit with a free rootkit removal utility such as Kaspersky Labs' TDSSKiller. As the name implies, Kaspersky released the program to help PC owners seek and destroy the TDSS rootkit malware, but it also detects and attempts to eliminate DNSChanger and many other forms of rootkits.
If the infected PC is on a network, you'll have to check every other PC on the network for signs of infection, and then check your router's settings to ensure that it isn't affected (DNSChanger is programmed to change router DNS settings automatically, using the default usernames and passwords of most modern routers). To do this, copy down your router's DNS server IP addresses and check them against the FBI's IP address database mentioned above. If your router is infected, reset the router and confirm that all network settings are restored to the manufacturer's defaults.
When you're done, repeat the steps outlined above to verify that your PC is no longer infected with DNSChanger. With all traces of this vicious malware eliminated, you should have nothing to fear when the FBI shuts down the ISC's temporary DNS servers in July.