Monday, July 9, 2012

Are you safe against DNSChanger?

By now you have probably heard about DNSChanger, a piece of malware in the wild. Here is a bit of information about it.

How does it work?

DNS (Domain Name System) is an Internet service that converts user-friendly domain names into the numerical Internet Protocol (IP) addresses that computers use to talk to each other. When you enter a domain name like www.xyz.com in your browser address bar, your system contacts DNS servers to get the IP address for that website. Your system then uses that IP address to locate and connect to the website. Generally DNS servers are operated by your Internet Service Provider (ISP) and are included in your system's network configuration. You can think of it like a phone book: you search for the name you want and DNS gives you the corresponding number. If your system is infected with DNSChanger, other malware may also be present.

What does DNSChanger do to a system?

DNSChanger does what the name itself describes. DNSChanger malware causes a computer to use rogue DNS servers in one of two ways. First, it changes the computer's DNS server settings to replace the ISP's good DNS servers with rogue DNS servers operated by the criminals. Second, it attempts to access devices on the victim's small network that run a dynamic host configuration protocol (DHCP) server (e.g. a router or home gateway). The malware attempts to access these devices using common default usernames and passwords and, if successful, changes the DNS servers these devices hand out from the ISP's good DNS servers to rogue DNS servers operated by the criminals. This change may impact all computers on the network, even those not infected with the malware.

How can I detect infection on my system?

Following are the steps to check for infection on Windows systems.

1. Go to the Start menu. Click Run, or press Windows + R.

2. Type cmd in the box and press OK.


3. At the command prompt, type ipconfig /all. It lists all the network interfaces configured on your system. Check the DNS Servers line in each entry.


4. Check whether any of the listed DNS servers falls in the address ranges given at the end of this post.

If your computer is configured to use one or more of the rogue DNS servers, it may be infected with DNSChanger malware.
 
Following are the steps to check for infection on Mac OS X systems.

1. Click the Apple menu in the top left corner and choose System Preferences. Then, from the System Preferences window, choose Network.

2. The Network pane shows a number of possible connections on the left side. Choose the one that is active for you and click the Advanced button in the lower right corner. Then choose the DNS tab to show the DNS servers you are using.


3. Check whether any of the listed DNS servers falls in the address ranges given at the end of this post.

If your computer is configured to use one or more of the rogue DNS servers, it may be infected with DNSChanger malware. 


How to compare?

To make the comparison between the computer's DNS servers and this list easier, start by comparing the first number before the first dot. For example, if none of your DNS servers starts with 85, 67, 93, 77, 213, or 64, none of them can be in the list and you are done. If any of your servers starts with one of those numbers, continue the comparison against the full range.

List of rogue DNS servers

1. 85.255.112.0 through 85.255.127.255
2. 67.210.0.0 through 67.210.15.255
3. 93.188.160.0 through 93.188.167.255
4. 77.67.83.0 through 77.67.83.255
5. 213.109.64.0 through 213.109.79.255
6. 64.28.176.0 through 64.28.191.255
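The manual comparison described above (read the DNS Servers lines out of ipconfig /all, or the resolvers on OS X, and check each one against the six ranges) is easy to get wrong by eye when a range does not fall on a round number. The following Python script is an added example, not part of the original post: it parses the text of `ipconfig /all` (including the indented continuation lines Windows uses for second and third servers, and skipping IPv6 entries, since the published ranges are IPv4 only) and of `scutil --dns` on OS X, converts the six published ranges into CIDR networks with the standard library's ipaddress module, and reports which configured servers fall inside them. The ipconfig and scutil outputs embedded below are constructed samples, and the rogue address in them (85.255.112.10) is a made-up value inside the first published range.

```python
import ipaddress
import re

# Rogue DNS server ranges exactly as listed in the post (inclusive start/end).
ROGUE_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]

# Each published range is an aligned block, so summarize_address_range yields a
# single CIDR network per range and the membership test becomes `address in network`.
ROGUE_NETWORKS = [
    net
    for start, end in ROGUE_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(start), ipaddress.IPv4Address(end))
]

# The post's quick pre-check: only these first octets can possibly be rogue.
ROGUE_FIRST_OCTETS = {net.network_address.packed[0] for net in ROGUE_NETWORKS}

# A labelled ipconfig field looks like "   DNS Servers . . . . : value"; there is
# always whitespace before the colon, which an IPv6 address value never has.
LABEL_RE = re.compile(r"^\s*([A-Za-z][^:]*?)\s[. ]*:\s?(.*)$")


def is_ipv4(text):
    """True if `text` is a plain IPv4 address (the rogue list is IPv4 only)."""
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def parse_dns_servers(ipconfig_output):
    """Extract the IPv4 DNS servers from the text of `ipconfig /all`.

    Windows prints the first server on the "DNS Servers" line and further
    servers on indented continuation lines, so collection continues until the
    next labelled field, a blank line or an (unindented) adapter header.
    """
    servers = []
    in_dns_block = False
    for line in ipconfig_output.splitlines():
        match = LABEL_RE.match(line)
        if match:
            label = match.group(1).rstrip(". ").lower()
            value = match.group(2).strip()
            in_dns_block = label == "dns servers"
            if in_dns_block and value:
                servers.append(value)
        elif in_dns_block and line.startswith(" ") and line.strip():
            servers.append(line.strip())   # continuation line: another server
        else:
            in_dns_block = False           # blank line or adapter header
    return [s for s in servers if is_ipv4(s)]


def parse_scutil_dns(scutil_output):
    """Extract IPv4 resolvers from `scutil --dns` output on OS X ("nameserver[N] : addr")."""
    found = re.findall(r"nameserver\[\d+\]\s*:\s*(\S+)", scutil_output)
    return [s for s in found if is_ipv4(s)]


def rogue_matches(servers):
    """Return the servers that fall inside one of the published rogue ranges."""
    return [s for s in servers
            if any(ipaddress.IPv4Address(s) in net for net in ROGUE_NETWORKS)]


# Constructed sample of `ipconfig /all` output (not captured from a real machine).
SAMPLE_IPCONFIG = """Windows IP Configuration

   Host Name . . . . . . . . . . . . : EXAMPLE-PC
   Primary Dns Suffix  . . . . . . . :

Ethernet adapter Local Area Connection:

   Physical Address. . . . . . . . . : 00-11-22-33-44-55
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.10
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection:

   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       192.168.1.1
"""

# Constructed sample of `scutil --dns` output (not captured from a real machine).
SAMPLE_SCUTIL = """DNS configuration

resolver #1
  search domain[0] : home
  nameserver[0] : 93.188.160.5
  nameserver[1] : 192.168.1.1
  if_index : 4 (en0)
"""

if __name__ == "__main__":
    servers = parse_dns_servers(SAMPLE_IPCONFIG)
    print("configured DNS servers:", servers)
    print("in a published rogue range:", rogue_matches(servers))
```

To check a real machine, save the command output to a file (for example `ipconfig /all > dns.txt` on Windows or `scutil --dns > dns.txt` on OS X) and pass its contents to `parse_dns_servers` or `parse_scutil_dns`, then to `rogue_matches`. The `ROGUE_FIRST_OCTETS` set is the same shortcut the post describes: a server whose first octet is not in it cannot be in any of the six ranges, so only the remaining servers need the full comparison.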