We have been seeing a lot of information floating around the last few days in media outlets and from friends and clients about hundreds of thousands of people suddenly losing internet connectivity in July. Much of the information is dooms-day sounding and finger pointing, so we wanted to give you some straight talk about what this is all about.
Back in November 2011, a group of hackers/malware authors in Estonia was apprehended. They had been infecting computers with malware that (among other things) redirected you to websites THEY wanted you to visit instead of where you actually wanted to go.
Why? To make money. They made over $14 million from advertising.
Could the malware do other bad things? Yes. And it probably did. Maybe steal information, and at the very least be a big pain in the butt.
How did it do this?
Well, the way the internet gets you to the website you want is by something called DNS (the Domain Name System).
Every website is hosted at some ‘place’ in the world, and that ‘place’ is identified by an IP address. If you want to know what your own public IP address is, you can find out at www.whatismyip.com.
So when you type in www.AwesomeITGuys.com, DNS translates that name into the numbers (the IP address) so your browser can find my website. Without DNS, you would have to remember a series of numbers for every website you visit (and those numbers change whenever the website moves to a different host).
So DNS makes our lives easier online. It was also the way that the hackers exploited people.
What the malware did (and is still doing on computers that remain infected) is change your computer’s DNS settings so that all of your name lookups go to DNS servers the criminals controlled. Those servers could then send you wherever they liked. This is why the malware is known as DNS Changer.
Now comes the element that makes this DIFFERENT from other malware attacks: the government got involved.
In their infinite wisdom (feel the sarcasm), they decided to set up temporary replacement DNS servers at the seized addresses so that people could still get where they were trying to go on the internet. If they HAD NOT done this, the infected PCs would have lost the ability to browse the internet the moment the Estonian hackers’ servers were shut down. People would have figured out there was an issue, and their computers would have been cleaned back in November of 2011.
Instead, people have had infected computers FOR MONTHS with few or no signs that anything was wrong, and when those temporary servers are switched off in July, every computer (and router) still pointed at them will stop being able to look up names at all.
I’m personally a bit irritated at this course of action. I could go all conspiracy theory on you all, but there is really no point, when really, we need to focus on cleaning up the malware infection.
You can go to the website of the DNS Changer Working Group (www.dcwg.org), the group coordinating the cleanup and the replacement servers, for additional information, but it is hard to reach because there is so much traffic, so consider this blog your alternative source.
Here is what you do to determine if you are infected with the DNS Changer Malware and what to do if you are infected:
1. Go to: www.dns-ok.us. If you get a RED page, you are certainly infected, or something on your network (such as your home router) is sending your lookups to the rogue servers; the test looks at which DNS server your request actually comes through, so it catches a poisoned router as well as a poisoned PC. If you get a GREEN page, you are PROBABLY not infected with this particular piece of malware. (You could still be infected with a different type of malware; the test only checks your DNS path, it does not scan your computer.)
2. You can also check manually by following these instructions:
a. To check if your Windows 7 machine is infected, first click the “Start” icon.
b. This opens the Windows menu. Click on the “Search” field at the bottom.
c. Type in cmd, and hit Enter.
d. This opens a Command Prompt window. In it, type the command:
ipconfig /allcompartments /all and hit Enter. (Windows users might be used to just typing “ipconfig /all“. That also works, but it might not list all the routing compartments if you have a VPN set up in Windows 7.)
The output will be very long, since Windows 7 supports IPv6 by default. Most likely, you want to look at the IPv4 information under the section entitled “Ethernet adapter…” (or “Wireless LAN adapter…” if you connect over Wi-Fi). Look for the “DNS Servers” line and write down those numbers. There may be more than one address listed, with the extra ones on the lines directly below.
e. Are your DNS settings OK?
The DNS Changer malware, run by the Estonian company Rove Digital, changed some people’s DNS settings to point at servers the gang operated. Compare the DNS servers you wrote down with the known malicious Rove ranges listed below; an address anywhere between the starting and ending IP of a row is inside that block:
| Starting IP | Ending IP | CIDR |
| --- | --- | --- |
| 85.255.112.0 | 85.255.127.255 | 85.255.112.0/20 |
| 67.210.0.0 | 67.210.15.255 | 67.210.0.0/20 |
| 93.188.160.0 | 93.188.167.255 | 93.188.160.0/21 |
| 77.67.83.0 | 77.67.83.255 | 77.67.83.0/24 |
| 213.109.64.0 | 213.109.79.255 | 213.109.64.0/20 |
| 64.28.176.0 | 64.28.191.255 | 64.28.176.0/20 |
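The same check as the manual steps above, written out as a script. This is an added example, not code from the original post or from the DNS Changer Working Group: it assumes the ipconfig /all output format shown (the sample output is constructed, not captured from a real PC), parses the “DNS Servers” field for every adapter, including the extra addresses on the continuation lines, and flags any server inside the six blocks in the table. On Windows it runs the same ipconfig command the steps above use; on any other system it falls back to the constructed sample.

```python
import ipaddress
import re
import subprocess
import sys

# The six DNS Changer resolver blocks from the table above (as published by the
# FBI and the DNS Changer Working Group).
ROGUE_DNS_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "85.255.112.0/20",
    "67.210.0.0/20",
    "93.188.160.0/21",
    "77.67.83.0/24",
    "213.109.64.0/20",
    "64.28.176.0/20",
)]

# Constructed sample of "ipconfig /all" output (not captured from a real PC).
# The wired adapter is clean; the wireless adapter lists two rogue resolvers.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : DESKTOP-EXAMPLE

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       8.8.8.8

Wireless LAN adapter Wireless Network Connection:

   IPv4 Address. . . . . . . . . . . : 10.0.0.23(Preferred)
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       85.255.112.36
                                       67.210.1.5
"""

# A labelled field line: indented, label starting with a letter, dot leaders,
# then " : value".  Continuation lines of a multi-value field carry only the
# value (an address), so they do not match this pattern.
FIELD_RE = re.compile(r"^\s+([A-Za-z][^:]*?)[ .]*\s:\s?(.*)$")


def parse_dns_servers(ipconfig_text):
    """Return {adapter name: [configured DNS server addresses]}.

    ipconfig prints extra DNS servers on their own lines under the first
    "DNS Servers" line, so the parser remembers that it is inside that field
    until the next labelled line, blank line or adapter header.
    """
    adapters = {}
    current = None
    in_dns = False
    for line in ipconfig_text.splitlines():
        if line and not line[0].isspace():          # section / adapter header
            current = line.rstrip(":").strip()
            adapters[current] = []
            in_dns = False
            continue
        stripped = line.strip()
        if not stripped or current is None:
            in_dns = False
            continue
        m = FIELD_RE.match(line)
        if m:
            label, value = m.group(1).strip(), m.group(2).strip()
            in_dns = label.startswith("DNS Servers")
            if in_dns and value:
                adapters[current].append(value)
        elif in_dns:
            adapters[current].append(stripped)
    return {name: servers for name, servers in adapters.items() if servers}


def rogue_servers(dns_by_adapter):
    """Return [(adapter, server, matching CIDR)] for every configured IPv4
    resolver that falls inside one of the DNS Changer blocks."""
    hits = []
    for adapter, servers in dns_by_adapter.items():
        for server in servers:
            try:
                ip = ipaddress.ip_address(server.split("%")[0])  # drop IPv6 zone id
            except ValueError:
                continue
            if ip.version != 4:
                continue
            for net in ROGUE_DNS_RANGES:
                if ip in net:
                    hits.append((adapter, server, str(net)))
    return hits


def get_ipconfig_output():
    """On Windows run the same command as the manual steps; elsewhere use the sample."""
    if sys.platform != "win32":
        return SAMPLE_IPCONFIG
    result = subprocess.run(["ipconfig", "/allcompartments", "/all"],
                            capture_output=True, text=True, errors="replace")
    return result.stdout


if __name__ == "__main__":
    found = rogue_servers(parse_dns_servers(get_ipconfig_output()))
    if not found:
        print("No DNS servers in the DNS Changer ranges (check your router too).")
    for adapter, server, net in found:
        print(f"INFECTED? {adapter}: DNS server {server} is inside {net}")
```

One caveat this script shares with the manual check: it only sees the DNS servers the PC itself is configured with. If the only server listed is your router (192.168.1.1 in the sample), the PC looks clean even when the malware has rewritten the router’s DNS settings, which is the case the www.dns-ok.us test catches and this one does not.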
IF YOU DETERMINE YOU ARE INFECTED:
Run one of the following tools:
| Tool | URL |
| --- | --- |
| Kaspersky Labs TDSSKiller | http://support.kaspersky.com/faq/?qid=208283363 |
| Trend Micro Housecall | http://housecall.trendmicro.com |
| MacScan (for Macs) | http://macscan.securemac.com/ |
| Avira DNS Repair-Tool | http://www.avira.com/en/support-for-home-knowledgebase-detail/kbid/1199 |
– Then download, install and UPDATE Malwarebytes from www.Malwarebytes.org (it is free) and run it.
– Then update your antivirus software and run a full scan.
– Finally, check that the DNS settings on your network adapter are back to normal (obtained automatically, or whatever your ISP gave you), and log in to your home router and check its DNS settings too: DNS Changer also rewrote the settings on routers that were still using the default administrator password, and a cleaned PC behind a poisoned router will keep going to the rogue servers.
If you are concerned, please don’t hesitate to call us. If you think you are infected and don’t feel comfortable cleaning the computer yourself, we can help you.
All malware is very bad, not just this one piece or type of malware. The media’s frenzy and the government’s strange involvement do not make this worse than other viruses.
Take ALL malware seriously. Protect yourself by keeping your antivirus up to date, installing all your updates (Windows, Adobe, Java, etc.), and making sure your antivirus scans run at least weekly.
Forever Standing Guard Against Malicious Hackers To Keep Your Network Safe,
Leia T Shilobod, IT Princess of Power