Lions, Tigers, & Bears. Oh my! DNSChanger will blow your house down

May 3rd, 2012 by Kevin Zoll

I may be confusing the Wizard of Oz with the Three Little Pigs. 😉

Been a lot of doomsayers in the tech media lately about the pending shutdown of the Internet on July 9th, 2012.  Don’t worry, they are engaging in tabloid journalism, much like most of the media in the US these days.

There is no impending shutdown of the Internet on July 9th, 2012.  However, if you have one of the estimated 350,000 computers, in the US, infected with the DNSChanger trojan, you will find yourself without Internet access come July 9th.  Wait! What’s that you say?  I’ll lose the Internet on July 9th?  Yes, if your system is infected with DNSChanger and you have done nothing to clean the system.

How do I check if I’m infected?  Well, that’s as simple as visiting the DNSChanger Working Group and clicking on one of the links they provide.

What is DNS?
DNS (Domain Name System) is an Internet service that converts user-friendly domain names into the numerical Internet protocol (IP) addresses that computers use to talk to each other. When you enter a domain name, such as www.fbi.gov, in your web browser address bar, your computer contacts DNS servers to determine the IP address for the website. Your computer then uses this IP address to locate and connect to the website. DNS servers are operated by your Internet service provider (ISP) and are included in your computer’s network configuration. DNS and DNS Servers are a critical component of your computer’s operating environment—without them, you would not be able to access websites, send e-mail, or use any other Internet services.

What Does DNSChanger Do to My Computer?
DNSChanger malware causes a computer to use rogue DNS servers in one of two ways. First, it changes the computer’s DNS server settings to replace the ISP’s good DNS servers with rogue DNS servers operated by the criminal. Second, it attempts to access devices on the victim’s small office/home office (SOHO) network that run a dynamic host configuration protocol (DHCP) server (eg. a router or home gateway). The malware attempts to access these devices using common default usernames and passwords and, if successful, changes the DNS servers these devices use from the ISP’s good DNS servers to rogue DNS servers operated by the criminals. This is a change that may impact all computers on the SOHO network, even if those computers are not infected with the malware.

To find out whether or not you are infected with DNS Changer, you will need to check your DNS Server settings.

On Windows XP:

Start -> Run
type cmd
Click “OK

The Command Console will open

Enter the following command, at the Command Prompt, exactly as shown. Press the Enter Key after the command.

ipconfig /all

On Windows Vista/7:

Start -> All Programs -> Accessories -> “Command Prompt
Click”OK” on any alerts.

The Command Console will open

Enter the following command, at the Command Prompt, exactly as shown. Press the Enter Key after the command.

ipconfig /all

This will show you information about your network connection. Find the line that says “DNS Servers . . . “

Infected systems will show IP addresses in the following ranges :

  • 64.28.176.0 – 64.28.191.255
  • 67.210.0.0 – 67.210.15.255
  • 77.67.83.0 – 77.67.83.255
  • 85.255.112.0 – 85.255.127.255
  • 93.188.160.0 – 93.188.167.255
  • 213.109.64.0 – 213.109.79.255

If your DNS Server settings show an IP in any of the above IP ranges, you will need to disinfect your system.

To close the Command Console, enter the following command at the command prompt, followed by pressing the Enter key:

exit

The Command Console will close.

If your system is infected, we can help.  Contact us for a quote.



Leave a Reply

You must be logged in to post a comment.

Support