Protecting over 200 million PCs, Macs, & Mobiles – more than any other antivirus


July 6th, 2012

How not to lose your internet access on Jul 9th 2012

Few years back a group of bad guys from Estonia had neat idea how to get between you and the sites you want to visit on internet. They created malware which was named by AV companies DnsChanger. The main purpose of the malware was to change DNS servers your computer uses for the name to ip address translation to the servers operated by the criminals. This way they can intercept your traffic and eventually monetize it. The gang was later arrested and the servers confiscated by FBI. And there lies the problem, because FBI was ordered by the court that they must turn off these servers on Monday July 9th 2012. There are still about 300 000 computers around which are using the wrong DNS servers, so although the probability you’re one of them is quite low, it’s better to be safe than sorry and check if it may concern you.

The name resolution works like this: You want to visit your favorite site named ‘example.com’. You computer first makes connection to your DNS server, its IP address is usually obtained dynamically via DHCP or you had it configured by your internet provider. The computer asks for ‘A’ record (address) of example.com, and the DNS server replies with one or more IP addresses:

nslookup example.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8
Non-authoritative answer:
Name:    example.com
Addresses:  192.0.43.10

The browser then connects to 192.0.43.10 and you’re served the content you wanted. After the DnsChanger infection it works in the very same way, but your DNS server settings are modified and you’re asking wrong server which may return you wrong results on the bad guys wishes. Because now the servers are operated by the FBI, all the returned results are okay and the users have probably no clue their settings are wrong. But on Monday, the name resolution will cease to work and all sites will just return “Server not found” or similar messages.

The DNS redirection may be done on your computer, or, if you don’t care about your passwords, also to your home router. DNSChanger had an extensive list of default passwords for the routers so it could have changed the DNS settings in the router’s control panel.

There are several checkers on the internet which may give you clue if you’re using the wrong servers or not, for example this one: http://www.dns-ok.us/

You can also manually check the DNS settings for the ip address used by the DnsChanger:

64.28.176.0 – 64.28.191.255
67.210.0.0 – 67.210.15.255
77.67.83.0 – 77.67.83.255
85.255.112.0 – 85.255.127.255
93.188.160.0 – 93.188.167.255
213.109.64.0 – 213.109.79.255

If your DNS is set to any of the above address, you have problem. There are unfortunately too many ways how to check it depending on the operating system or router you use, so it’s beyond the scope of this article. For Windows, the easiest method is running command “ipconfig /all” from the command line prompt:

Ethernet adapter Local Area Connection:

 Connection-specific DNS Suffix  . :
 Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connection
 Physical Address. . . . . . . . . : FF-FF-FF-9A-46-31
 DHCP Enabled. . . . . . . . . . . : No
 Autoconfiguration Enabled . . . . : Yes
 IPv4 Address. . . . . . . . . . . : 10.168.2.20(Preferred)
 Subnet Mask . . . . . . . . . . . : 255.255.255.0
 Default Gateway . . . . . . . . . : 10.168.2.1
 DNS Servers . . . . . . . . . . . : 10.0.0.1
 10.0.0.10
 NetBIOS over Tcpip. . . . . . . . : Enabled

As you can see in this example, the DNS Servers are set to 10.0.0.1 and 10.0.0.10 which are not contained in the table above.

For more information regarding detection, fixes and statistics visit great site of DnsChanger Working Group.

Categories: General, Technology, Virus Lab Tags:
  • http://www.cutabovehost.com/ Steve H.

    I like your article I have however one problem with it. There is nothing about whether or not the Avast program can handle cleaning a PC of this problem.
    Not only that, but I spent over 40 minutes on the phone waiting just to get to talk to someone and then they couldn’t even answer that simple question either.

  • http://yoetama.blogspot.com yoetama

    is very surprising, even said in the media is the Internet apocalypse. but I’m sure there’s always the right solution and easy as that listed above.