DNSChanger: Should you care?


What is DNSChanger?

Summary from F-Secure:

DNSChanger is a trojan that will change the infected system’s Domain Name Server (DNS) settings in order to divert traffic to unsolicited and potentially illegal sites.

The trojan is usually a small file (about 1.5 kilobytes) that is designed to change the ‘NameServer’ Registry key value to a custom IP address. This IP address is usually encrypted in the body of a trojan. As a result of this change a victim’s computer will contact the newly assigned DNS server to resolve names of different webservers.

Why Should I Care?

Excerpt from CNET:

The FBI put a major dent in the DNSChanger operation with Operation Ghost Click, which recently ended in the arrest of six Estonian nationals who are accused of being integral in running the fraud ring. Along with the arrests, a number of computer systems were seized that the FBI says were being used as rogue DNS servers, but instead of just being shut down they were replaced with legitimate servers.

This action means that many of the millions of computers that are still currently infected with the DNSChanger malware should now be receiving healthy DNS server activity even if the DNS server IP addresses on their systems are changed by the malware.

If your DNS server IPs are one or more of the addresses in the following list, your computer(s) might have been infected by the DNSChanger malware:

    • through
    • through
    • through
    • through
    • through
    • through

This means you have until July 9, 2012, the date the FBI has set to shut down the temporary “clean” servers, to clean your system; after that date an infected machine won’t be able to resolve names and get online.
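As an added example (not code from the original post or from the cited sources), the check described above in Python: it parses a Windows ‘NameServer’ registry value and tests each address against ranges given in the same “first through last” form as the list. The two ranges in the code are constructed placeholders, not the FBI’s real list; the registry path used in `read_nameserver_values` is the standard Tcpip interface key and is an assumption of this example.

```python
"""Check Windows 'NameServer' registry values against known-rogue DNS ranges."""
import ipaddress

# PLACEHOLDER ranges, constructed for this example from documentation
# address space. Substitute the ranges published by the FBI / DCWG.
ROGUE_RANGES = [
    ("192.0.2.0", "192.0.2.255"),
    ("198.51.100.16", "198.51.100.31"),
]


def range_to_networks(first: str, last: str) -> list:
    """Turn a 'first through last' pair into the CIDR networks it covers."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


ROGUE_NETWORKS = [n for f, l in ROGUE_RANGES for n in range_to_networks(f, l)]


def parse_nameserver_value(value: str) -> list:
    """The 'NameServer' value is a comma- or space-separated list of DNS
    server IPs; an empty string means DHCP-assigned servers are in use."""
    ips = []
    for tok in value.replace(",", " ").split():
        try:
            ips.append(ipaddress.ip_address(tok))
        except ValueError:
            pass  # skip malformed tokens rather than fail the whole check
    return ips


def rogue_servers(value: str) -> list:
    """Return the DNS servers in `value` that fall inside a rogue range."""
    return [str(ip) for ip in parse_nameserver_value(value)
            if any(ip in net for net in ROGUE_NETWORKS)]


def is_suspicious(value: str) -> bool:
    return bool(rogue_servers(value))


def read_nameserver_values() -> dict:
    """Windows only: read each interface's NameServer value from the registry
    (assumed path: HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces)."""
    import winreg  # import here so the checker runs on non-Windows hosts
    base = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
    found = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            guid = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, guid) as iface:
                try:
                    found[guid] = winreg.QueryValueEx(iface, "NameServer")[0]
                except FileNotFoundError:
                    found[guid] = ""
    return found
```

A non-empty result from `rogue_servers` for any interface is the indicator the post describes; an empty `NameServer` value simply means the adapter uses DHCP-supplied servers, which should then be checked on the router instead.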

What Should I Do?

Here are step-by-step instructions to manually check your computer(s) for infections, provided by the FBI and the DNS Changer Working Group:

There are also self-checking tools:

If your machine(s) is infected, here are some removal tools that might be able to get rid of the infection:

In some extreme cases, formatting and reinstalling your operating system might be the only way to get rid of the infection.


Tech Republic ()