Integrated Technology Services

DNS Changer Malware

 

  • What is DNS changer?

  • How do I know if my computer is infected?

  • What can I do to remove it?

 

What is DNS changer?

On November 8, 2011, the FBI, the NASA-OIG and Estonian police arrested several cyber criminals in “Operation Ghost Click”. The criminals operated under the company name “Rove Digital” and distributed DNS-changing viruses, variously known as TDSS, Alureon, TidServ and TDL4.

The botnet operated by Rove Digital altered users’ DNS settings, pointing victims to malicious DNS servers in data centers in Estonia, New York, and Chicago. These servers gave fake, malicious answers, altering user searches and promoting fake and dangerous products. Because every web search starts with DNS, the malware showed users an altered version of the Internet.

Under a court order, expiring July 9, the Internet Systems Consortium is operating replacement DNS servers for the Rove Digital network. This will allow affected networks time to identify infected hosts, and avoid sudden disruption of services to victim machines.

 

How do I know if my computer is infected?

An industry-wide team has developed easy “are you infected” web sites. They are a quick way to determine if you are infected with DNS Changer. Each site is designed so that any normal computer user can browse to a link, follow the instructions, and see if they might be infected. Each site has instructions in its local language on the next steps to clean up possible infections.

For example, the http://www.dns-ok.us/ site will tell you whether or not you are infected.

 

What can I do to remove it?

If you followed the steps above and your computer was determined to be infected, follow the steps below:

  1. The first thing you want to do is make a backup of all of your important files. You might go to a computer store or shop online for a portable hard drive and copy all of your files onto that drive.
  2. Either you or a computer professional whom you rely upon and trust should follow the “self help” malware clean up guides listed below. The goal is to remove the malware and recover your PC from the control of the criminals that distributed it. If you were already thinking of upgrading to a new computer, now may be a good time to make the switch.
  3. Once you have a clean PC, follow instructions for ensuring that your DNS settings are correct. If you’re not using a new PC, you’ll want to check that your computer’s DNS settings are not still using the DNS Changer DNS servers. The instructions and screen shots found in step 2 at http://opendns.com/dns-changer are quite good if you want to manually set your DNS settings. You also have the option to return to using your ISP-provided automatic settings by choosing the “automatically” option (Windows) or deleting any DNS servers listed (MacOS).
  4. After you have fixed your computer, you will want to look at any home router you’re using and make sure it automatically uses the DNS settings provided by the ISP.
  5. Changing DNS is only one of the functions of the malware kits. The malware could have been used for capturing keystrokes or acting as a proxy for traffic to sensitive sites like bank accounts or social media. It would be a good idea to check your bank statements and credit reports, as well as change passwords on any online accounts, especially passwords saved in your applications or web browsers.
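
The check in step 3 can also be scripted. The following Python script is an added example, not part of the original help page: it reads the DNS server addresses out of Windows `ipconfig /all` output or a Unix-style resolv.conf file and flags any that fall inside a list of rogue ranges. The ranges and sample inputs are constructed placeholders; replace the ranges with the rogue DNS ranges published for DNS Changer.

```python
import ipaddress
import re

# PLACEHOLDER ranges (RFC 5737 documentation space), not real indicators.
# Replace with the rogue DNS ranges published for DNS Changer.
ROGUE_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def extract_dns_servers(text):
    """Return resolver IPs found in resolv.conf or `ipconfig /all` text."""
    servers, in_dns_block = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.lower().startswith("nameserver"):      # resolv.conf entry
            servers += IPV4.findall(stripped)
            in_dns_block = False
        elif stripped.lower().startswith("dns servers"):    # ipconfig /all entry
            servers += IPV4.findall(stripped)
            in_dns_block = True
        elif in_dns_block and IPV4.fullmatch(stripped):
            servers.append(stripped)    # extra servers are listed on bare lines
        else:
            in_dns_block = False
    return servers

def rogue_servers(servers, ranges=ROGUE_RANGES):
    """Return the configured servers that sit inside any rogue range."""
    hits = []
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            continue                    # looked like an IP but is not valid
        if any(addr in net for net in ranges):
            hits.append(s)
    return hits

# Constructed sample inputs (not captured from a real machine).
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   DHCP Enabled. . . . . . . . . . . : Yes
   DNS Servers . . . . . . . . . . . : 192.0.2.53
                                       10.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
SAMPLE_RESOLV = "# constructed sample\nnameserver 10.0.0.1\nnameserver 198.51.100.7\n"

if __name__ == "__main__":
    for name, text in (("ipconfig", SAMPLE_IPCONFIG), ("resolv.conf", SAMPLE_RESOLV)):
        print(name, "rogue DNS servers:", rogue_servers(extract_dns_servers(text)))
```

A DNS server that is flagged on a computer after cleanup usually means the setting was entered manually or is being handed out by the home router, which is what step 4 checks.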

Here is a list of free tools available for download that can remove the DNS changer malware:

  • Hitman Pro (32bit and 64bit versions): http://www.surfright.nl/en/products/
  • McAfee Stinger: http://www.mcafee.com/us/downloads/free-tools/stinger.aspx
  • Microsoft Windows Defender Offline: http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline
  • Microsoft Safety Scanner: http://www.microsoft.com/security/scanner/en-us/default.aspx
  • Norton Power Eraser: http://security.symantec.com/nbrt/npe.aspx
  • Trend Micro Housecall: http://housecall.trendmicro.com
  • MacScan: http://macscan.securemac.com/
  • Avira: http://www.avira.com/en/support-for-home-knowledgebase-detail/kbid/1199