05.30.12

DNSChanger FAQ

The FBI will turn off the rogue DNS servers on Monday July 9th, 2012.  Please review the following FAQ to better understand this threat.

What is DNSChanger?

DNSChanger, also known as Alureon, is a high-profile piece of Malware that modifies the DNS settings on the victim PC to divert Internet traffic to malicious web sites. The Malware also acts as a robot, or “Bot” for short, and can be organized into a BotNet and controlled from a remote location. DNSChanger has received significant attention due to the large number of affected systems worldwide and the fact that, as part of the BotNet takedown, the FBI took ownership of the rogue DNS servers to ensure those affected did not immediately lose the ability to resolve DNS names. On July 9th the FBI will turn off the rogue DNS servers, and DNS resolution will effectively stop for any system still infected with DNSChanger.

What is DNS?

DNS stands for Domain Naming System and maps domain names such as www.totaldefense.com to an IP address such as 81.19.61.81. DNS enables humans to enter names into their web browsers rather than IP address numbers.

Should I be worried?

Any unauthorized change to the DNS server settings of your PC places you and your data at risk. By modifying DNS all Internet traffic can be routed through a computer controlled by someone else. It is important to always use a trusted DNS server.

How does it spread?

The most common vector of distribution is via email and social engineering. It can also be found in untrusted downloads from the Internet. Malvertisements such as fake codecs to play videos and untrusted free software downloads are known sources of this Malware. DNS Changer Malware is also available for the Mac OS X platform as well as Windows (namely OSX/Puper and OSX/Jahlav).

How does it work?

Within the Network settings of the computer operating system exists a DNS server entry. This setting is modified by the Malware and must be reset after removing the malware. The malicious DNS server fields the resolution request and sends you the IP address of “their” choosing. Thus any and all Internet traffic originating from an infected PC could be captured before being sent on to the original destination.
On Windows: A regular DNS Changer malware achieves the redirection by modifying the following registry value against an interface device such as a network card: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{Random CLSID}\NameServer. Such malware is also known to make modifications to lower Internet security settings relating to the security zones registry keys. This enables unprompted access to malicious sites that would otherwise raise an alarm with the user through notifications.
On Mac: After removal of the malicious binary, the settings can be reverted via Network settings. (Third-party guide to changing DNS settings on a Mac: http://www.plus.net/support/software/dns/changing_dns_mac.shtml)

Related Malware: (Similar payload behavior)

There is other Malware that is also capable of performing traffic redirection via rootkit components and/or through Layered Service Provider modifications, inserting itself into the TCP/IP stack. If your Internet searches take you to unexpected websites, it is important to verify your DNS settings and/or inspect your computer for other possible Malware.

Why is the FBI maintaining the rogue DNS servers?

Due to the high volume of affected PCs, the FBI decided to maintain the rogue DNS servers while ISPs and other agencies worked to alert their customer base. Effective July 9, 2012 the FBI will cease to support the rogue DNS servers, and those still affected will not be able to resolve DNS names, interrupting normal Internet surfing activities.

How do I remove DNSChanger?

The Total Defense line of anti-malware products successfully detects and removes the DNSChanger threat. It is recommended to update your anti-malware signatures and run a full scan prior to July 9, 2012 if you suspect a DNSChanger infection. DNSChanger is detected as a variant of the Alureon Malware family and will be deleted from the PC. However, it is important to note that the Malware removal does not reset the DNS server IP address, as that information is potentially different for every user. Public DNS services such as those offered by Google or OpenDNS can be used permanently or as a temporary fix until your proper DNS server settings can be identified. Google’s public DNS server IPs are 8.8.8.8 and 8.8.4.4. OpenDNS servers can be located at 208.67.222.222 and 208.67.220.220.

How do I verify my DNS settings?

Open the Network Settings GUI and check the “Internet Protocol Version 4” properties. In the “General” tab review the “Preferred” and “Alternate” DNS server IP addresses defined. The rogue DNS servers can exist in any of the following ranges:

64.28.176.0 – 64.28.191.255

67.210.0.0 – 67.210.15.255

77.67.83.0 – 77.67.83.255

93.188.160.0 – 93.188.167.255

85.255.112.0 – 85.255.127.255

213.109.64.0 – 213.109.79.255

Another means to determine the DNS server IP addresses in use is to open a command prompt via “Start Menu/All Programs/Accessories/Command Prompt”. When the black box opens enter “ipconfig /all” and scroll through the text to find the section entitled “DNS Servers.” All of the DNS server IP addresses currently in use will be listed. This is also how to determine the DNS server IP addresses if DHCP is used to configure the network.
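The manual check above can be automated for a fleet of machines: save the text of “ipconfig /all” from each PC and compare every listed DNS server against the six rogue ranges in this FAQ. The script below is an added example written for this page, not a Total Defense tool; the sample ipconfig output it parses is constructed for illustration (the host name, adapter and address values are made up), and the only real data it relies on are the rogue ranges quoted above.

```python
import ipaddress
import re

# The rogue DNS server ranges listed in the FAQ, as (first, last) address pairs.
ROGUE_RANGES = [
    ("64.28.176.0", "64.28.191.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("85.255.112.0", "85.255.127.255"),
    ("213.109.64.0", "213.109.79.255"),
]

_PARSED_RANGES = [
    (ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    for first, last in ROGUE_RANGES
]


def is_rogue(ip):
    """Return True if `ip` is an IPv4 address inside any rogue range.

    Non-IPv4 strings (for example IPv6 resolvers) are reported as not rogue,
    since the FAQ only lists IPv4 ranges.
    """
    try:
        addr = ipaddress.IPv4Address(ip)
    except ValueError:
        return False
    return any(first <= addr <= last for first, last in _PARSED_RANGES)


def parse_dns_servers(ipconfig_output):
    """Extract DNS server addresses from the text of `ipconfig /all`.

    The "DNS Servers" line carries the first address; additional resolvers
    appear on following lines that contain nothing but an address, so those
    continuation lines are consumed until a labelled line or blank line ends
    the block.
    """
    servers = []
    lines = ipconfig_output.splitlines()
    i = 0
    while i < len(lines):
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", lines[i])
        if m:
            servers.append(m.group(1))
            i += 1
            while i < len(lines) and re.match(r"^\s+[0-9A-Fa-f:.%]+\s*$", lines[i]):
                servers.append(lines[i].strip())
                i += 1
            continue
        i += 1
    return servers


def check_ipconfig(ipconfig_output):
    """Return (server, is_rogue) for every DNS server found in the output."""
    return [(server, is_rogue(server)) for server in parse_dns_servers(ipconfig_output)]


# Constructed sample of `ipconfig /all` output: the first resolver sits inside
# the 85.255.112.0 - 85.255.127.255 rogue range, the second is Google's 8.8.8.8.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WORKSTATION-01

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.local
   IPv4 Address. . . . . . . . . . . : 192.168.1.25
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.36
                                       8.8.8.8
"""

if __name__ == "__main__":
    for server, rogue in check_ipconfig(SAMPLE_IPCONFIG):
        print(f"{server:<20} {'ROGUE (DNSChanger range)' if rogue else 'ok'}")
```

Because the script reads the DNS servers actually in use, it works whether they were set by hand, by DHCP, or by the Malware’s NameServer registry value; a hit means the settings must be reset even after the infection itself has been removed.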