The Internet can be a very dangerous place these days. There are more malicious software (malware) threats out there than you can shake a stick at. The DNS Changer Trojan is one that needs to be mentioned right now. If you own or use a PC infected with the most recent variation of the DNS Changer, you may lose your ability to access the Internet on March 8, 2012.
What does DNS stand for?
DNS stands for Domain Name System. This is a system of electronic devices known as routers which locate websites you want to access by their common name, then translate those names into the numeric codes assigned to the web servers hosting those domains (websites). Every website is hosted on a computer that has a numeric address, known as an IP address, assigned to it. The DNS system searches and drills down through multiple layers of routing details until a numeric match is found for the website domain name you are trying to access.
For instance, my website, wizcrafts.net, is currently hosted on a web server belonging to Bluehost, with an assigned IP address of 66.147.244.184. It is reached after requests are routed from your home or business connection, through any required intermediaries, until the request ends up in Utah, at the facility owned by the hosting company. There, the internal routers sort out which one of hundreds of servers in their facility is actually hosting my humble website. All this happens in the blink of an eye!
It's not just websites that use the DNS system. Your very own Internet connection is also part of that system. You get your Internet connection from a local Internet Service Provider (ISP), via a modem, or Wi-Fi, or cellular network, or hard-wired wide area network. Your connection has an IP address assigned to you by your ISP. When you access the Internet to browse websites you are usually going to use DNS servers belonging to your ISP. These DNS servers relay your requests for websites, or other Internet resources, to various upstream Domain Name Servers around the world.
When you connect to your ISP, their system assigns their primary and secondary (in case one fails) DNS servers to you, to use for accessing the Web. You trust those DNS servers to faithfully relay your requests to the desired target websites, or other resources (newsgroups, IRC, IM, email, ftp locations, online storage, etc). But, what if somehow, those good DNS servers belonging to your ISP were replaced with rogue servers owned by cyber-criminals?
Hijacked DNS Settings
Cyber-criminals are always devising new ways to infect computers for monetary gain. One of the ways they have found to monetize infected PCs is by installing Trojans that bore into the software that controls one's Internet access, to change the location of the primary and secondary DNS servers used by that machine. Recently, acting on an international warrant from the US Department of Justice and the FBI, police authorities in Estonia arrested a group of conspirators (Rove Digital) who were operating a huge botnet of computers they had infected with the DNS Changer malware. Once installed, this malware redirected all Internet IP and domain name requests to DNS servers under the control of the Rove gang. In effect, they acted as middle-men for every Internet resource requested and used the unwitting victims' browsers to activate clicks on advertisements on intermediary landing pages under their control. They also set up phishing pages to steal login credentials to victims' bank and money market accounts.
Ghosts, Clicks and DNS Servers
The operation that resulted in the arrests in Estonia is known as Operation Ghost Click. Authorities in the USA and Europe seized the servers and routers belonging to the DNS Changer crime gang. Then they realized that they had a big problem on their hands. About 4 million infected PCs were still phoning home, to a DNS server belonging to the DNS Changer gang, every time their owners accessed the Internet. Shutting down the servers at that IP address would break the Internet connectivity of 4 million victims of the DNS Changer malware. So they devised themselves a plan to keep the servers running, but cleansed them of malware and advertising banners that the criminals were affiliated with. The cleaned DNS servers are being operated under authority of the German Government.
Shutdown time is approaching
Unfortunately, in the first week of January, 2012, the German Federal Office for Information Security issued a press release stating that the converted DNS servers will be shut down on March 8. When that happens, all PCs that are still infected with the DNS Changer will be unable to browse the Internet, do email, etc. This is because their requests to translate domain names into IP addresses will no longer be passed on to the rest of the DNS system. The link will be broken until the infected machines are disinfected and the correct DNS server details are set up.
Since the safe replacement servers are to be shut down on March 8, it would be a really good idea to check before then to see if your computers (or routers) have been compromised with the DNS Changer malware. One easy way is to visit the security check site set up just for this purpose. It will inform you if your DNS servers are on their list of rogue servers. If your servers are on that list you need to update your security programs and scan with everything you've got.
What you can do if infected
If you lose your ability to browse the Internet on March 8, 2012 you should run your (hopefully recently updated) anti-virus and anti-malware programs and scan for and remove any malware threats they recognize, but especially the DNS Changer Trojan. If the DNS Changer was found on your computer, or computers, and the software you removed it with restored normal DNS settings, you should be good to go, after the fight is over (scan, reboot, scan again, reboot, disable system restore, etc).
Manual restoration of DNS settings (messy)
But, in the event your security program removes the malware but fails to restore your Interwebs, you'll need to roll up your sleeves and alter certain settings in your Windows Registry and maybe even your HOSTS file. One place you'll want to examine is the Registry key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters. The "DhcpNameServer" value there should reflect the DNS servers your actual ISP hands out via DHCP. However, if "DhcpNameServer" shows 193.227.227.218, your PC is using the rogue DNS server that is soon to be shut down.
If that Registry key is compromised, so are the following keys (with foreign IP addresses in the key values):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters "DhcpNameServer"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%Random CLSID% "DhcpNameServer"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%Random CLSID% "NameServer"
Here are some known hostile IP address ranges (first address - last address) used by the DNS Changer malware:
64.28.176.1 - 64.28.191.254
67.210.0.1 - 67.210.15.254
77.67.83.1 - 77.67.83.254
85.255.112.1 - 85.255.127.254
93.188.160.1 - 93.188.167.254
213.109.64.1 - 213.109.79.254
Contact your ISP and ask for the IP addresses of your primary and secondary DNS servers. Then edit the above values to display the correct IP addresses, or long names used by some ISPs. Always export your Registry keys before altering them, just in case a typo makes matters even worse!
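To save squinting at the Registry and comparing addresses by hand, here is a small checker, added as an example and not part of the original post or of any tool the post mentions. It takes the output of ipconfig /all, pulls out every DNS server address, and reports whether each one falls inside the hostile ranges listed above or is the soon-to-be-shutdown 193.227.227.218 replacement server. The ranges and that address come from this article; the sample ipconfig output embedded in the script is constructed for illustration.

```python
"""Check the DNS servers a Windows PC is using against the DNS Changer
address ranges listed in the article.

Added example, not from the original post: the ranges and the
193.227.227.218 address are quoted from the article; SAMPLE_IPCONFIG
below is constructed so the script also runs on a machine that is not
Windows.
"""
import ipaddress
import re
import subprocess
import sys

# Hostile ranges quoted in the article (first address - last address, inclusive).
ROGUE_RANGES = [
    ("64.28.176.1", "64.28.191.254"),
    ("67.210.0.1", "67.210.15.254"),
    ("77.67.83.1", "77.67.83.254"),
    ("85.255.112.1", "85.255.127.254"),
    ("93.188.160.1", "93.188.167.254"),
    ("213.109.64.1", "213.109.79.254"),
]
# The interim replacement server named in the article, due to be switched off.
REPLACEMENT_SERVER = ipaddress.ip_address("193.227.227.218")

# Expand each start/end pair into CIDR networks once; membership tests are then cheap.
ROGUE_NETWORKS = [
    net
    for start, end in ROGUE_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end))
]


def classify(ip_text):
    """Return 'rogue', 'replacement', 'ok' or 'invalid' for one DNS server address."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "invalid"
    if ip == REPLACEMENT_SERVER:
        return "replacement"
    if any(ip in net for net in ROGUE_NETWORKS):
        return "rogue"
    return "ok"


def dns_servers_from_ipconfig(text):
    """Extract DNS server addresses from `ipconfig /all` output.

    The first server sits on the 'DNS Servers . . . : x.x.x.x' line; any
    further servers follow on indented continuation lines holding only an
    address (IPv4, or IPv6 with an optional %scope suffix).
    """
    servers = []
    in_dns_block = False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            servers.append(m.group(1))
            in_dns_block = True
            continue
        if in_dns_block:
            m = re.match(r"\s+([0-9A-Fa-f.:%]+)\s*$", line)
            if m:
                servers.append(m.group(1))
                continue
            in_dns_block = False  # any other line ends the DNS Servers block
    return servers


def audit(text):
    """Map each DNS server found in the ipconfig output to its classification."""
    return {ip: classify(ip) for ip in dns_servers_from_ipconfig(text)}


# Constructed sample: one clean adapter, one whose DNS servers were hijacked.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.lan
   IPv4 Address. . . . . . . . . . . : 192.168.1.20
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       8.8.8.8

Wireless LAN adapter Wireless Network Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.21
   DNS Servers . . . . . . . . . . . : 85.255.112.45
                                       193.227.227.218
"""

if __name__ == "__main__":
    if sys.platform == "win32":
        # Live check: read the real ipconfig output on this Windows machine.
        text = subprocess.run(["ipconfig", "/all"], capture_output=True,
                              text=True, check=True).stdout
    else:
        text = SAMPLE_IPCONFIG
    for ip, verdict in audit(text).items():
        print(f"{ip:<16} {verdict}")
```

Run it from the same Administrator command prompt you use for the ipconfig commands; a "rogue" or "replacement" verdict next to an address means that adapter is still pointed at the criminals' infrastructure and the Registry values above need correcting. A clean result here does not clear your router, which the section further down covers separately.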
Follow-up recommendation
It is probably also a good idea to flush your DNS cache and reset the TCP/IP "stack." You do this by opening a Command window with Administrator privileges: go to Start > All Programs > Accessories, right-click "Command Prompt" and select Run as Administrator (just "Run as" in XP). You may need to type in the password for the Administrator level account. Then type in these commands, pressing Enter after each one:
ipconfig /flushdns
netsh int ip reset
The DNS Changer malware needs to be entirely removed in order to restore normal Internet operation. If the malware is still active it will reverse any Registry changes you make. A copy is probably also backed up in your System Restore points, so System Restore may need to be turned off while you disinfect the PC. If you lose your Internet connection and cannot update or run any security programs, the infected computers will need to be serviced offline by competent technicians or troubleshooters.
But wait, there's more!
One last thing you need to know is that some variations of DNS Changer Trojans may have altered the DNS servers used in wired and wireless routers or router/modem combinations. You will need to look up the browser interface login details for any routers in use in your home, or business, then log in with Admin credentials. Locate the configuration section that lists DNS servers and make sure that they reflect those assigned by your ISP and not those listed in the DNS Changer details. If the soon-to-be-shutdown DNS IP address (193.227.227.218) is listed, delete the value, save the change, then restart the router or refresh that page. It should then contact your ISP for the correct DNS servers and list them.
If you found hijacked DNS servers in your router, know that it happened due to you either using the default login credentials, or a very weak password. Assign a strong password and turn off remote administration, restart the router and check again to make sure you are now using DNS servers assigned by your ISP!