DNSChanger infection: understand, check and modify the DNS of your internet connection

Who I am
Matthew M. White
@matthewmwhite

A large infection that has affected millions of Mac and Windows computers worldwide continues to cause concern despite the measures taken and the arrest of those responsible for distributing the malware. The malware modifies the DNS settings of the connection; DNS is what links a site's Internet address to its real IP location. The way DNS works is quite simple: when you enter an Internet address, your computer asks the DNS server where the corresponding site is located, and the server returns an IP address. You are then connected to the requested site.

Each internet service provider has a DNS server that relays this information for its customers, but it is possible to use a third-party service such as Google's DNS servers, for example by manually modifying the DNS settings of the system or through the settings of the modem or internet box (Freebox, Bbox, Neufbox, Livebox, etc.). The malware exploits this possibility: it changes the DNS settings to point to its own servers, which makes it possible to redirect users to fake sites that do not correspond to the one requested, in order to add advertising, steal information or serve other malicious purposes. (Illustration: dcwg.org)



Currently, some 300 computers worldwide are still infected and have a bad DNS configuration. Thanks to an action by the FBI, which reconfigured the fake DNS servers so that they direct Internet users to the correct sites, this does not affect their browsing habits. For this reason, most users are unaware that they are infected. When the temporary servers properly configured by the FBI stop working, the thousands of computers affected will no longer be able to reach any site.

The FBI had already planned to take these servers offline earlier this year and pushed the date back to July 9, 2012 to give users time to fix the problem. Since yesterday, Google has been displaying an alert to the Internet users concerned: it detects this incorrect DNS configuration and shows the message "Your computer seems to be infected".








How to check whether you are affected?

We have listed some actions you can take to check your DNS settings and fix the problem. The first is to check whether you are infected. Advanced users can use the command line.

Under Mac OS, open the Terminal and enter one of these commands depending on your connection (Ethernet cable or Wi-Fi):

networksetup -getdnsservers "Wi-Fi"
networksetup -getdnsservers "Ethernet"



Under Windows, the command to enter is "ipconfig /all". To find out more, see the tutorial "Knowing your IP address and network parameters".
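To script the command-line check above, the following added example (not part of the original article) parses the output of "networksetup -getdnsservers" and of an English-language "ipconfig /all" and reports any DNS server that falls inside a list of rogue ranges. The ranges, the sample outputs and all function names are assumptions made for illustration: the ranges are documentation placeholders to be replaced with the list published by the DCWG (dcwg.org).

```python
import ipaddress

# PLACEHOLDERS (RFC 5737 documentation networks), not real DNSChanger ranges:
# substitute the rogue-resolver ranges published by the DCWG (dcwg.org).
ROGUE_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]

# Constructed sample outputs, not captured from a real machine.
MAC_SAMPLE = "192.0.2.53\n8.8.8.8\n"
WIN_SAMPLE = """\
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 198.51.100.7
                                       8.8.4.4
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

def _as_ip(text):
    """Return an address object for a bare IP line, else None."""
    try:
        return ipaddress.ip_address(text.strip().split("%")[0])  # drop IPv6 zone id
    except ValueError:
        return None

def servers_from_networksetup(output):
    """networksetup prints one address per line, or a sentence such as
    "There aren't any DNS Servers set on Wi-Fi." when none is set manually."""
    return [ip for ip in map(_as_ip, output.splitlines()) if ip is not None]

def servers_from_ipconfig(output):
    """English `ipconfig /all`: 'DNS Servers' field plus its continuation lines."""
    servers, in_dns = [], False
    for line in output.splitlines():
        label, sep, value = line.partition(" : ")
        if sep:  # "Label . . . : value" starts a new field
            in_dns = label.strip().startswith("DNS Servers")
        else:  # unlabeled line continues the previous field
            value = line
        ip = _as_ip(value) if in_dns else None
        if ip is not None:
            servers.append(ip)
    return servers

def rogue_servers(servers):
    """Resolvers that fall inside any configured rogue range."""
    return [ip for ip in servers if any(ip in net for net in ROGUE_RANGES)]

if __name__ == "__main__":
    for ips in (servers_from_networksetup(MAC_SAMPLE), servers_from_ipconfig(WIN_SAMPLE)):
        print([str(ip) for ip in ips], "rogue:", [str(ip) for ip in rogue_servers(ips)])
```

An empty result on the Mac side means no DNS server is set manually and the addresses come from the modem or box, so its settings have to be checked as well.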



More simply, a special CERT-LEXSI page allows you to display very clearly the status of your DNS with respect to this infection: www.dns-ok.com

Update or install antivirus

Most antivirus programs can deal with this infection. Whether you are on Windows or Mac, many security programs are available to download in a free or trial version:

Free Antiviruses for Windows
Windows security suites
Antiviruses for Mac OS
Mac Malware Removal Tool

If you already have an antivirus or have just installed one, check that it has all the latest definitions for viruses and other malware by updating it. In general, a clear warning is displayed on the antivirus interface when it needs to connect to the internet to check for updates.

Modify DNS and monitor the system

You also have the option of changing the DNS settings of your system or your modem/box yourself, by manually choosing the servers of your ISP or of a third-party provider such as OpenDNS or Google. After that, keep monitoring your system and your equipment using the commands provided above.

Change DNS manually in Windows
How to Use Google DNS

Finally, in case of difficulty, do not hesitate to ask the community on our security forums or in the Internet and network forums to help you check if you are infected or get help configuring the DNS on your machine.