Just another Malware Monday

Professional Nerdy Girl

By M Davies / Jul 08, 2012 / Technology Hates Me

If you don’t have Internet access on Monday morning, your first instinct may be to call your ISP and complain about their service being down.  STOP.  NO!  Bad netizen!  Put down that phone.  You may be infected with the DNSChanger trojan horse/malware.

 

What is DNSChanger?  According to the DNS Changer Working Group:

 

On November 8, the FBI, the NASA-OIG and Estonian police arrested several cyber criminals in “Operation Ghost Click”. The criminals operated under the company name “Rove Digital”, and distributed DNS changing viruses, variously known as TDSS, Alureon, TidServ and TDL4 viruses.

 

Why is it such a big deal now?  From Wired Magazine and PC Magazine:

 

Due to concerns by the FBI that users still infected by DNSChanger would lose internet access if the rogue DNS servers were shut down entirely, the FBI obtained a temporary court order to allow the Internet Systems Consortium to operate replacement servers to serve DNS requests from those who had not yet removed the infection, and to collect information on those still infected in order to promptly notify them about the malware.  While the court order was set to expire on March 8, 2012, an extension was granted until July 9, 2012, due to concerns that there were still many infected computers.

 

Your first clue to infection may appear when you go to Google or Facebook.  Both sites are warning infected users so that they can take care of it ahead of Monday.  Here is what the warning messages look like:

 

(Screenshot: Google warning)

(Screenshot: Facebook warning)

 

If you don’t use the Google search engine and do not have a Facebook account, you can also check your DNS entries using this handy dandy DNS Changer Check-up Page:  http://www.dns-ok.us.  If the image comes back green, you are clean.  If the image comes back red, your internet is as good as dead (in the water).  I’m such a crappy rhymer, hence why I work with computers and am not a rapper.  Anyway….

 

If you are so inclined, you can also check your DNS settings manually for the “bad” entries.

 

According to the DCWG, these are the bad entries:

 

Starting IP     Ending IP        CIDR
85.255.112.0    85.255.127.255   85.255.112.0/20
67.210.0.0      67.210.15.255    67.210.0.0/20
93.188.160.0    93.188.167.255   93.188.160.0/21
77.67.83.0      77.67.83.255     77.67.83.0/24
213.109.64.0    213.109.79.255   213.109.64.0/20
64.28.176.0     64.28.191.255    64.28.176.0/20

 

To check for the bad entries, in Windows you need to pull up an MS-DOS prompt on your computer.

 

Windows XP:  Go to Start -> Run -> Type “cmd” (without the quotes) and click ok or press enter.

 

Windows Vista & 7:  Click on the Windows Circle (Start Menu) -> in the search box type in “cmd” (without the quotes) and press enter.

 

Once you load the MS-DOS window, type in ipconfig /all and check the area that says “DNS Servers”.  If one of the above server addresses is listed, you are infected.  If not, then you are clean.

 

 

And here’s a surprising factoid:  Macs are not immune to this trojan.  Do not assume that because you have a Mac, you are safe.  An increasing number of viruses and trojans can now affect Macs, and this is one of them!

 

How to check a Mac’s DNS:

 

Click on the Apple Menu -> System Preferences -> Click Network

 

Check the DNS Server line to make sure the addresses above are not listed.
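As an added example (not from the post or from the DCWG), the manual Windows and Mac checks above can be scripted: this Python code parses the “DNS Servers” lines of ipconfig /all output (the sample is constructed, not captured from a real machine) and flags any resolver that falls inside the DCWG ranges; is_rogue also accepts a single address copied from a Mac’s Network pane.

```python
import ipaddress

# Rogue resolver ranges published by the DCWG and listed in the post.
ROGUE_RANGES = [ipaddress.ip_network(c) for c in (
    "85.255.112.0/20", "67.210.0.0/20", "93.188.160.0/21",
    "77.67.83.0/24", "213.109.64.0/20", "64.28.176.0/20")]

# Constructed excerpt of `ipconfig /all` output (not from a real machine);
# the first of its two resolvers lies in a rogue range.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 192.168.1.25(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.5
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

def as_ip(token):
    """Parse an address token (dropping an IPv6 scope id such as '%1');
    None when the token is not an IP address."""
    try:
        return ipaddress.ip_address(token.strip().split("%", 1)[0])
    except ValueError:
        return None

def parse_dns_servers(ipconfig_text):
    """Collect every address under 'DNS Servers': the first shares the
    label's line, extra resolvers follow on indented address-only lines."""
    servers, in_block = [], False
    for line in ipconfig_text.splitlines():
        label, sep, value = line.partition(" : ")
        if sep and label.strip(" .").startswith("DNS Servers"):
            in_block, ip = True, as_ip(value)
        elif in_block:
            ip = None if sep else as_ip(line)  # a labelled line ends the block
            in_block = ip is not None
        else:
            ip = None
        if ip is not None:
            servers.append(ip)
    return servers

def is_rogue(address):
    """True if a resolver address (string or ip_address) is in a rogue range."""
    ip = ipaddress.ip_address(address) if isinstance(address, str) else address
    return ip.version == 4 and any(ip in net for net in ROGUE_RANGES)

def rogue_resolvers(ipconfig_text):
    return [str(ip) for ip in parse_dns_servers(ipconfig_text) if is_rogue(ip)]
```

Running rogue_resolvers on the pasted output of ipconfig /all returns the offending addresses, or an empty list when the machine is clean.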

 

 

If you find the rogue DNS settings on your computer, there are several removal utilities you can use to get rid of the infection.

 

Name of the Tool                        URL
Hitman Pro (32bit and 64bit versions)   http://www.surfright.nl/en/products/
Kaspersky Labs TDSSKiller               http://support.kaspersky.com/faq/?qid=208283363
McAfee Stinger                          http://www.mcafee.com/us/downloads/free-tools/stinger.aspx
Microsoft Windows Defender Offline      http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline
Microsoft Safety Scanner                http://www.microsoft.com/security/scanner/en-us/default.aspx
Norton Power Eraser                     http://security.symantec.com/nbrt/npe.aspx
Trend Micro Housecall                   http://housecall.trendmicro.com
MacScan                                 http://macscan.securemac.com/
Avira DNS Repair-Tool                   http://www.avira.com/en/support-for-home-knowledgebase-detail/kbid/1199

 

I have used both the Microsoft Safety Scanner and the Kaspersky Labs TDSSKiller utilities and they work really well to get rid of all types of Scumware.  I also recommend ComboFix which was not listed on the DCWG’s website.  You can download it from http://www.bleepingcomputer.com/combofix/how-to-use-combofix

 

I do not believe that these utilities will correct your DNS settings, however; you will have to fix those manually.  You can get your correct DNS server settings from your ISP, or you can use Google’s…or both….  Google’s DNS server addresses are very easy to remember:  8.8.8.8 and 8.8.4.4.  Your ISP’s DNS server addresses will depend on who you are using.  It is recommended that you check out their tech support webpage or contact them by phone to get the addresses.  DSL Reports has a guide on how to change your DNS server addresses for Windows machines.  If you have Mac OS X, use the same steps as above to get to the DNS settings and then you can change them right there.

 

Hopefully, you are not infected.  If your internet connection is still down after all of that, congratulations.  I grant you permission to call your ISP and pitch a fit.

About M Davies

Hi! My name is Michelle and I’m the sassy author of this blog. I also am a wife, mother, sister, daughter, contributor at NEPA Blogs, 1/3 of NEPA BlogCon and work behind-the-scenes in local TV.

One Comment

  1. Karla Porter Says: July 8, 2012 4:31 pm

    Really well done Michelle.. I’m sharing it because it’s better than Mashable.
