If you don’t have Internet access on Monday morning, your first instinct may be to call your ISP and complain about their service being down. STOP. NO! Bad netizen! Put down that phone. You may be infected with the DNSChanger trojan horse/malware.
What is DNSChanger? According to the DNS Changer Working Group:
On November 8, the FBI, the NASA-OIG and Estonian police arrested several cyber criminals in “Operation Ghost Click”. The criminals operated under the company name “Rove Digital”, and distributed DNS changing viruses, variously known as TDSS, Alureon, TidServ and TDL4 viruses.
Due to concerns by the FBI that users still infected by DNSChanger would lose internet access if the rogue DNS servers were shut down entirely, the FBI obtained a temporary court order to allow the Internet Systems Consortium to operate replacement servers to serve DNS requests from those who had not yet removed the infection, and to collect information on those still infected in order to promptly notify them about the malware. While the court order was set to expire on March 8, 2012, an extension was granted until July 9, 2012, due to concerns that there were still many infected computers.
Your first clue that you are infected may appear when you visit Google or Facebook. Both are warning users whose traffic shows signs of the infection so that they can clean up ahead of Monday. Here is what the warning messages look like:
If you don’t use the Google search engine and do not have a Facebook account, you can also check your DNS entries using this handy dandy DNS Changer Check-up Page: http://www.dns-ok.us. If the image comes back green, you are clean. If the image comes back red, your internet is as good as dead (in the water). I’m such a crappy rhymer, hence why I work with computers and am not a rapper. Anyway….
If you are so inclined, you can also check your DNS settings manually for the "bad" entries.
According to the DCWG, these are the bad ranges:
| Starting IP | Ending IP | CIDR |
|---|---|---|
To check for the bad entries in Windows, open a Command Prompt window (what older guides still call an MS-DOS prompt):
Windows XP: Go to Start -> Run -> Type “cmd” (without the quotes) and click ok or press enter.
Windows Vista & 7: Click on the Windows Circle (Start Menu) -> in the search box type in “cmd” (without the quotes) and press enter.
Once the Command Prompt window is open, type ipconfig /all and look at the "DNS Servers" line for each adapter; additional servers appear on the unlabelled lines directly beneath it. If any listed address falls within one of the ranges above, you are infected. If not, this machine is clean. If the servers were handed out by your router (the "DHCP Server" line shows the router's address), check the router's own DNS settings too, because DNSChanger was also known to rewrite the DNS settings of home routers that still used their default administrator password.
And here is a surprising fact: Macs are not immune to this trojan. Do not assume that because you have a Mac you are safe. A growing number of viruses and trojans now affect Macs, and this is one of them!
How to check a Mac’s DNS:
Click on the Apple Menu -> System Preferences -> Click Network
Check the DNS Server line (click Advanced… and then the DNS tab to see every configured server) and make sure none of the addresses falls within the ranges above.
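The same check, scripted, for both the Windows and the Mac procedures above. This is an added example written for this page, not a DCWG tool: it parses the output of ipconfig /all (Windows) or networksetup -getdnsservers (the command-line equivalent of the System Preferences pane on a Mac) and flags any resolver that falls inside a list of CIDR ranges. The ranges in the script are stand-ins from the RFC 5737 documentation networks, not the real rogue ranges; paste the CIDR column of the DCWG table into ROGUE_RANGES before using it. The ipconfig and networksetup excerpts are constructed samples, and "Wi-Fi" is an assumed service name.

```python
"""Find DNS resolvers in ipconfig / networksetup output and flag any that fall
inside a list of rogue CIDR ranges (Python 3.7+, standard library only)."""
import ipaddress
import re

# Stand-in ranges taken from the RFC 5737 documentation networks. They are
# NOT the real rogue ranges: paste the CIDR column of the DCWG table here.
ROGUE_RANGES = [ipaddress.ip_network(c) for c in ("192.0.2.0/24", "198.51.100.0/24")]

# Constructed excerpt of `ipconfig /all` on Windows 7 with one rogue resolver.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.0.2.17
                                       8.8.4.4
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Constructed output of `networksetup -getdnsservers Wi-Fi` on a clean Mac.
SAMPLE_MAC = "8.8.8.8\n8.8.4.4\n"

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
LABEL = re.compile(r"\s:\s")  # ipconfig fields look like "Label . . . : value"


def dns_servers_from_ipconfig(text):
    """Return every IPv4 DNS server listed by `ipconfig /all`, across all adapters.

    ipconfig prints the first server on the "DNS Servers" line and any further
    servers on unlabelled continuation lines, so keep reading until the next
    labelled field or a blank line.
    """
    servers = []
    in_dns = False
    for line in text.splitlines():
        if re.match(r"\s*DNS Servers\b", line):
            in_dns = True
            servers.extend(IPV4.findall(line))
        elif in_dns and line.strip() and not LABEL.search(line):
            servers.extend(IPV4.findall(line))   # unlabelled continuation line
        else:
            in_dns = False
    return servers


def dns_servers_from_networksetup(text):
    """Parse `networksetup -getdnsservers <service>`: one address per line, or a
    sentence such as "There aren't any DNS Servers set on Wi-Fi." when none are."""
    return IPV4.findall(text)


def rogue_servers(servers, ranges=ROGUE_RANGES):
    """Return the subset of `servers` that lies inside one of `ranges`."""
    hits = []
    for server in servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            continue                       # skip anything that is not an address
        if any(addr in net for net in ranges):
            hits.append(server)
    return hits


if __name__ == "__main__":
    import subprocess
    import sys

    if sys.platform == "win32":
        out = subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout
        found = dns_servers_from_ipconfig(out)
    elif sys.platform == "darwin":
        # "Wi-Fi" is an assumed service name; `networksetup -listallnetworkservices` lists yours.
        out = subprocess.run(["networksetup", "-getdnsservers", "Wi-Fi"],
                             capture_output=True, text=True).stdout
        found = dns_servers_from_networksetup(out)
    else:
        found = dns_servers_from_ipconfig(SAMPLE_IPCONFIG)   # demo on the constructed sample
    bad = rogue_servers(found)
    print("DNS servers:", ", ".join(found) or "none")
    print("in rogue ranges:", ", ".join(bad) or "none")
```

On the constructed sample the script reports 192.0.2.17 as rogue and 8.8.4.4 as clean. Matching against CIDR ranges rather than a list of single addresses matters here because the DCWG publishes whole blocks, and a resolver anywhere inside a block is a hit.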
If you find the rogue DNS settings on your computer, there are several removal utilities you can use to get rid of the infection.
| Name of the Tool | URL |
|---|---|
| Hitman Pro (32-bit and 64-bit versions) | http://www.surfright.nl/en/products/ |
| Kaspersky Labs TDSSKiller | http://support.kaspersky.com/faq/?qid=208283363 |
| Microsoft Windows Defender Offline | http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline |
| Microsoft Safety Scanner | http://www.microsoft.com/security/scanner/en-us/default.aspx |
| Norton Power Eraser | http://security.symantec.com/nbrt/npe.aspx |
| Trend Micro HouseCall | http://housecall.trendmicro.com |
| Avira DNS Repair-Tool | http://www.avira.com/en/support-for-home-knowledgebase-detail/kbid/1199 |
I have used both the Microsoft Safety Scanner and Kaspersky Labs' TDSSKiller, and they work really well to get rid of all types of scumware. I also recommend ComboFix, which is not listed on the DCWG's website. You can download it from http://www.bleepingcomputer.com/combofix/how-to-use-combofix
I do not believe these utilities will correct your DNS settings, so you will have to fix those manually. You can get the correct DNS server addresses from your ISP, or you can use Google's, or both. Google's public DNS server addresses are very easy to remember: 8.8.8.8 and 8.8.4.4. Your ISP's DNS server addresses depend on who you use; check their tech support web page or call them to get the addresses. DSL Reports has a guide on how to change your DNS server addresses on Windows machines. If you have Mac OS X, use the same steps as above to get to the DNS settings and change them right there.
Hopefully, you are not infected. If your internet connection is still down after all of that, congratulations. I grant you permission to call your ISP and pitch a fit.