As part of Operation Ghost Click, the FBI brought down an Estonian hacker ring last year, which resulted in the takeover of the rogue DNS servers. Now, the Internet Systems Consortium is gearing up to permanently shut down deployed DNS servers that are currently serving as temporary surrogates for confiscated rogue DNS servers. As of last month, 84,000 U.S. computers still used the “pwned” servers put up for the FBI by the Internet Systems Consortium. Those servers must be taken down July 9th due to a court order. At that time, any machine still using them for name resolution will be forced offline. Some internet security firms rank DNSChanger as the most prevalent high-level infection with 1 in 400 households still infected. DNSChanger is not the result of a single malware infection. It has been in operation for over 5 years, and during that time has used a variety of techniques to gain control of victims’ computers and modify their DNS configuration. The most recent infection method has been the TDSS/Alureon rootkit.
To figure out whether you’ve been infected with DNSChanger, just visit this site: DNSChanger Check-Up. The link will take you to a DNS Changer Check-Up page in the United States that the DNS Changer Working Group maintains. It’s an accurate check, but if your router is infected, those websites will think that your PC is infected, even though it may be clean–furthermore, if your ISP redirects DNS traffic, your PC may appear to be clean even though your DNS settings may have been maliciously altered.
To be certain that your PC is free of DNSChanger malware, you need to manually look up the IP addresses of the DNS servers that your PC contacts to resolve domain names when browsing the web. To look up which DNS servers your Windows PC is using, open your Start menu and either run the Command Prompt application or type cmd in the Search field. Once you have a command prompt open, type ipconfig /allcompartments /all at the command line and press Enter. A big block of text should appear; scroll through it until you see a line that says ‘DNS Servers’, and copy down the string(s) of numbers that follow (there may be more than one string here, meaning that your PC accesses more than one DNS server).
It’s even easier for Mac OS X users to determine the IP addresses of the DNS servers that their PC uses. Open the Apple menu (usually located in the upper-left corner of the screen) and select System Preferences. Next, click the Network icon to open your Network Settings menu; navigate to Advanced Settings, and copy down the string(s) of numbers listed in the DNS Server box. Once you know the IP addresses of the DNS servers that your PC is using head over to the FBI DNSChanger website and enter those addresses into the search box. Press the big blue Check Your DNS button, and the FBI’s software will tell you whether your PC is using rogue DNS servers to access the internet.
If your PC is infected with DNSChanger, you’ll have to do some serious work to get rid of it. DNSChanger is a powerful rootkit that does more than just alter DNS settings; if you’ve been infected with DNSChanger, chances are you are infected with other malware on top of that. Your safest course (and easiest) is to back up your important data, reformat your hard drive, and reformat/reinstall your operating system. If the infected PC is on a network, then all PCs on the network will need to be checked for signs of infection, and then check your router’s settings to make sure that it isn’t compromised (DNSChanger is programmed to change router DNS settings automatically, using the default usernames and passwords of most modern routers). To do this, copy down your router’s DNS server IP addresses and check them against the FBI’s IP address database mentioned above. If your router is infected, reset the router and confirm that all network settings are restored to the manufacturer’s defaults.
If reformatting isn’t an option, it will be necessary to have your machine(s) professionally cleaned to ensure your It environment is safe and secure.