Threat Research

How not to lose your internet access on Jul 9th 2012

Threat Intelligence Team, 6 July 2012

How not to lose your internet access on Jul 9th 2012

Few years back a group of bad guys from Estonia had neat idea how to get between you and the sites you want to visit on internet. They created malware which was named by AV companies DnsChanger. The main purpose of the malware was to change DNS servers your computer uses for the name to ip address translation to the servers operated by the criminals. This way they can intercept your traffic and eventually monetize it. The gang was later arrested and the servers confiscated by FBI. And there lies the problem, because FBI was ordered by the court that they must turn off these servers on Monday July 9th 2012. There are still about 300 000 computers around which are using the wrong DNS servers, so although the probability you're one of them is quite low, it's better to be safe than sorry and check if it may concern you.

The name resolution works like this: You want to visit your favorite site named ''. You computer first makes connection to your DNS server, its IP address is usually obtained dynamically via DHCP or you had it configured by your internet provider. The computer asks for 'A' record (address) of, and the DNS server replies with one or more IP addresses:

Non-authoritative answer:

The browser then connects to and you're served the content you wanted. After the DnsChanger infection it works in the very same way, but your DNS server settings are modified and you're asking wrong server which may return you wrong results on the bad guys wishes. Because now the servers are operated by the FBI, all the returned results are okay and the users have probably no clue their settings are wrong. But on Monday, the name resolution will cease to work and all sites will just return "Server not found" or similar messages.

The DNS redirection may be done on your computer, or, if you don't care about your passwords, also to your home router. DNSChanger had an extensive list of default passwords for the routers so it could have changed the DNS settings in the router's control panel.

There are several checkers on the internet which may give you clue if you're using the wrong servers or not, for example this one:

You can also manually check the DNS settings for the ip address used by the DnsChanger: - - - - - -

If your DNS is set to any of the above address, you have problem. There are unfortunately too many ways how to check it depending on the operating system or router you use, so it's beyond the scope of this article. For Windows, the easiest method is running command "ipconfig /all" from the command line prompt:

Ethernet adapter Local Area Connection:

 Connection-specific DNS Suffix  . :
 Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connection
 Physical Address. . . . . . . . . : FF-FF-FF-9A-46-31
 DHCP Enabled. . . . . . . . . . . : No
 Autoconfiguration Enabled . . . . : Yes
 IPv4 Address. . . . . . . . . . . :
 Subnet Mask . . . . . . . . . . . :
 Default Gateway . . . . . . . . . :
 DNS Servers . . . . . . . . . . . :
 NetBIOS over Tcpip. . . . . . . . : Enabled

As you can see in this example, the DNS Servers are set to and which are not contained in the table above.

For more information regarding detection, fixes and statistics visit great site of DnsChanger Working Group.