DNSChanger Malware: Detection And Repair
This article is in reference to Rover Digital, often referred to as: Trojan.DNSchanger, DNSChanger malware or the Doomsday Virus.
Last November (2011) the FBI arrested several cyber criminals who distributed Rover Digital DNS Server malware.
Under a court order set to expire on July 9, 2012, the Internet Systems Consortium (ISC) has been operating replacement DNS servers in place of the Rover Digital network’s servers. The court order gives networks affected by Rover Digital time to identify infected hosts and so avoid a sudden disruption of service to the victims’ computers. This effort is also known as Operation Ghost Click.
However, effective July 9, 2012, these replacement servers set up by ISC will be taken down. Once the replacement servers are taken down, computers infected with Rover Digital DNS Changer (DNSChanger) malware will no longer be able to connect to the replacement servers, and therefore will not be able to connect to the internet. When attempting to connect to the internet these users will be alerted with the message “DNS server is not responding”.
There are many computers still infected, or still configured with the old rogue DNS IP addresses. The video below illustrates the global spread of DNS Changer malware.
In this article we provide information and instructions to fix DNS server settings so affected users can regain internet access on their machines, and we detail how to detect whether your DNS IP address is malformed (pointed at a rogue server).

What is DNS?
DNS is an internet service that resolves the names used in URLs to IP addresses for computers connected to the Internet. For example, when a user enters http://www.botcrawl.com into their browser, the computer’s network settings direct the name lookup to a DNS server, which returns the corresponding Internet Protocol (IP) address. Your computer then uses this IP address to send and retrieve data.
What is DNS Changer malware?
DNS Changer (DNSChanger) is a form of malware that attempts to alter the original DNS settings on victims’ computers in order to redirect name lookups to rogue DNS servers. In doing so, the DNSChanger Trojan controls the name resolution data sent back, and can either prevent a user from accessing websites or redirect users to unintended or drive-by-download websites. The methods by which these configurations are altered differ from one variant to the next, and can vary a great deal, which makes it difficult to produce removal instructions for a mass audience.
- Alureon, TDSS, DNSChanger, Zlob, Puper, Rover Digital Malware, etc. are examples of malware families that employ DNS forging tactics.
What does DNSchanger malware change?
DNS Changer malware (Trojan.DNSchanger) modifies the Windows network configuration settings to replace the original DNS servers with rogue IP addresses. This change can occur in either of the following:
- By changing the machine’s Network Interface configuration to use static malicious DNS servers pointing at Rogue Servers or no servers at all
- By changing the configuration on the network’s DHCP server, usually local routers or ADSL modems.
How do I know if I am a victim of a DNS Changer?
There are many ways to find out; the link in the note below offers automatic detection. Further into these instructions the website https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS is introduced, but using it requires that you first identify your current DNS IP address.
Note: Visit http://www.dns-ok.us/ – if the page is green, your computer is looking up IP addresses correctly.
If your IP is malformed you may have noticed these alerts from Facebook and Google:
Also, if you are already experiencing difficulties while attempting to connect to the internet, you will see the message “DNS server is not responding” while attempting to browse.
Malware Scan
The free version of Malwarebytes Anti-Malware can easily detect and remove this rogue DNS application, and we suggest using it. The paid version protects against this type of threat before it happens.
How to identify if your DNS Settings are malformed
We have provided a few different sets of instructions: two options for PC users and one easy option for Mac users to detect whether your DNS IP addresses belong to the servers shutting down on July 9. The Mac instructions follow the Windows instructions below.
Windows Command Prompt instructions:
The difference between the two Windows options is that the first option checks your DNS IP using the FBI website https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS, while the second option reads your DNS IP directly from your operating system. Both options eventually lead to repairing your DNS, which is described below as running ncpa.cpl.
Both options are used for users experiencing different types of connectivity issues.
Windows Option 1
The provided FBI website will identify if the DNS IP address is being shut down.
If you are set to obtain DNS server addresses automatically, you could switch your DNS to use Google’s free public DNS.
Google’s free DNS server IPs are 8.8.8.8 and 8.8.4.4.
OpenDNS free server option: 208.67.222.222 and 208.67.220.220.
Proceed to “Repairing DNS Settings” below Option 2.
Windows Option 2
1. Open the Run dialog by pressing Start + R, type cmd.exe as follows and press “OK”:
2. Type “ipconfig /all” at the command prompt. In the results look for “DNS Servers”, as highlighted below, and make a note of the DNS addresses. Please note that the remaining fields have intentionally been blanked out.
Continue below.
Repairing DNS Settings
1. Run ncpa.cpl by pressing Start + R as follows (it will open the Network Connections window):
You can also access ncpa.cpl by typing Run into the Start menu search field and pressing Enter.
2. Press “OK”. This will bring up “Network Connections”. Right-click on your active network connection. That may be Local Area Connection or Wireless Network Connection depending on whether you’re using a cabled or wireless network. Select Properties.
3. This will open the Network Interface Properties page. Click once on the Internet Protocol (TCP/IP) item (likely IPv4), and click on Properties to open the IP and DNS configuration page as shown above.
4. Check whether the option “Use the following DNS server addresses” is selected, and if it is, make a note of the IP addresses below it. (Or, to cut straight to the chase, change the circled IP addresses to 208.67.222.222 and 208.67.220.220.)
Malformed DNS addresses
Compare your DNS server IPs with the list of IP ranges provided by the FBI:
- 85.255.112.0 through 85.255.127.255
- 67.210.0.0 through 67.210.15.255
- 93.188.160.0 through 93.188.167.255
- 77.67.83.0 through 77.67.83.255
- 213.109.64.0 through 213.109.79.255
- 64.28.176.0 through 64.28.191.255
5. If your DNS IP falls into any of these ranges, you may be infected with DNS Changer malware and you also may be impacted by the FBI’s Server Shutdown operations.
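The comparison in step 5 is easy to get wrong by eye, so here is a small checker that reads saved `ipconfig /all` output and flags any DNS server inside the six FBI ranges listed above. This is an added example, not code from the original article or from any of the tools it names; the sample output (hostname, adapters, the rogue entry 85.255.112.44) is constructed for the example.

```python
import ipaddress
import re

# Rogue DNS ranges published by the FBI for the DNSChanger (Rover Digital)
# infrastructure, copied from the list above as (first address, last address).
ROGUE_DNS_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]


def is_rogue_dns(ip_text):
    """True if ip_text is an IPv4 address inside one of the published rogue ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False          # not an IP address at all (e.g. a stray token)
    if ip.version != 4:
        return False          # the published ranges are IPv4 only
    return any(
        ipaddress.ip_address(first) <= ip <= ipaddress.ip_address(last)
        for first, last in ROGUE_DNS_RANGES
    )


def parse_ipconfig_dns(output):
    """Map each adapter heading in `ipconfig /all` text to its list of DNS servers.

    ipconfig prints the first server on the "DNS Servers" line and any further
    servers on the following lines, which carry nothing but an address.
    """
    adapters = {}
    current = None
    in_dns_list = False
    for line in output.splitlines():
        stripped = line.strip()
        if not stripped:
            in_dns_list = False
            continue
        # Adapter headings are unindented and end with a colon
        if not line[0].isspace() and stripped.endswith(":"):
            current = stripped[:-1]
            adapters[current] = []
            in_dns_list = False
            continue
        m = re.match(r"DNS Servers[ .]*:\s*(\S+)", stripped)
        if m and current is not None:
            adapters[current].append(m.group(1))
            in_dns_list = True
            continue
        # Continuation line of the DNS list: only address characters, nothing else
        if in_dns_list and current is not None and re.fullmatch(r"[0-9A-Fa-f.:%]+", stripped):
            adapters[current].append(stripped)
            continue
        in_dns_list = False
    return adapters


def find_rogue_dns(output):
    """Return {adapter: [rogue DNS addresses]} for every adapter using a rogue server."""
    findings = {}
    for adapter, servers in parse_ipconfig_dns(output).items():
        rogue = [s for s in servers if is_rogue_dns(s)]
        if rogue:
            findings[adapter] = rogue
    return findings


# Constructed sample of `ipconfig /all` output; the hostname, addresses and
# the rogue entry 85.255.112.44 are made up for this example.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : EXAMPLE-PC

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.44
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       8.8.4.4
"""

if __name__ == "__main__":
    for adapter, rogue in find_rogue_dns(SAMPLE_IPCONFIG).items():
        print(f"{adapter}: rogue DNS server(s) {', '.join(rogue)}")
```

To check a real machine, save the output with `ipconfig /all > dns.txt` and pass the file’s contents to `find_rogue_dns` instead of the sample. Note that a clean result here only proves the adapter’s own settings are clean; if the router’s DHCP server has been altered (see the hijack scenarios below), the addresses it hands out still need to be checked the same way.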
Free DNS settings
Kaspersky advises that users worried about losing Internet access on Monday, July 9th should manually change their computers’ DNS settings to the free DNS servers from Google: 8.8.8.8 and 8.8.4.4.
OpenDNS also offers two, 208.67.222.222 and 208.67.220.220, which are also recommended for their additional security features.
See also: How to change DNS settings (Vista TCP/IP) – Windows
Mac user instructions:
- Click on the Apple menu icon
- Navigate to System Preferences
- Click Network
- Click your connection; it will show as GREEN
- Click Advanced
- Click the DNS tab (pictured)
- Copy the IP in the DNS Servers box and type it into the input field on this webpage: https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS
This website, courtesy of the FBI, will tell you if the DNS IP you entered belongs to the DNS servers that are being shut down.
If you are set to obtain a DNS server address automatically, you could switch your DNS to Google’s public DNS for the time being.
Google’s free DNS server IPs are 8.8.8.8 and 8.8.4.4.
OpenDNS free server option: 208.67.222.222 and 208.67.220.220.
See also: How to change DNS settings – Mac OS X
Other DNS Setting Hijack Scenarios
Due to the large variety of DNS Changers, it’s impossible to list specific steps to check computer DNS configurations so please refer to your device’s manual in order to check the items below:
- DHCP configuration, specifically the DNS servers that will be offered to the clients
- Your device’s own DNS configuration
Some families of malware are known to create a rogue DHCP server on the network to serve malicious DNS as well.
How to detect and remove DNS Changer malware
If you have been a victim of DNS Changer malware, it’s possible that you are either currently infected or were previously infected. The following are some steps to take in order to detect and remove any active infections on your computer.
Scan for active infections (detect malware)
- Malwarebytes Anti-Malware (Free)
- McAfee Stinger (Free)
- Hitman Pro (32-bit and 64-bit versions)
- Kaspersky Labs TDSSKiller
- Microsoft Windows Defender Offline
- Microsoft Safety Scanner
- Norton Power Eraser
- Trend Micro Housecall
- MacScan
- Avira’s DNS Repair-Tool
Fixing DNS Server Settings (Using McAfee Stinger)
1. Unzip the downloaded zip file to a local folder, e.g. C:\.
2. Make sure “Stinger.exe” and “BaitFile” exist in the folder. The “BaitFile” is not a malicious file; it is installed with Stinger.
3. Run Stinger as administrator: right-click on Stinger.exe and select “Run as administrator”.
4. In Stinger, click on “Add” or “Browse” and specify the folder created in Step 1 (C:\).
5. You can select “C:” and click on “Remove” to scan only the “BaitFile”.
6. Click on “ScanNow”.
7. If your DNS IP falls into any of the aforementioned ranges provided by the FBI, Stinger will fix the DNS setting automatically.
8. Stinger will create the registry backup “TCIP_Registry_Backup.reg”. Users can restore network settings with this file.
9. If your system is not using the aforementioned rogue DNS servers, Stinger will not trigger a detection.
10. For non-DHCP settings, please contact your network administrator (or network provider), who can assist you in setting up DNS settings.
11. Reboot/restart your computer.
Fixing DNS Server Settings (Manual)
Most organizations have a managed network that provides DNS settings via DHCP. If you are connected to a corporate network or an ISP that allows automatic DNS settings, use the following steps to reset your configuration.
1. Backup your network settings.
Use the registry editor to take a backup of the registry information under:
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\SERVICES\TCPIP
2. Run ncpa.cpl by pressing Start + R as follows (it will open the Network Connections window):
3. Hit “OK”. This will bring up “Network Connections”. Right-click on your active network connection. That may be Local Area Connection or Wireless Network Connection depending on whether you’re using a cabled or wireless network. Select Properties.
4. Select “Obtain DNS server address automatically”.
How to prevent DNS Changer malware
There is not much that can be done to prevent DNS Changer malware from reaching an unsuspecting victim, but we’ve outlined some prevention recommendations anyway.
- Monitor and block network machines attempting to access one of the rogue DNS servers.
- Create custom rules to protect specific keys:
With “Obtain DNS server address automatically” checked, set an Access Protection Rule to protect the following keys:
  - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\SERVICES\TCPIP\PARAMETERS\DHCPNAMESERVER = {Value Specified}
  - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\SERVICES\TCPIP\PARAMETERS\NAMESERVER = {Value Specified}
When “Use the following DNS server addresses” is checked, use Registry Editor to open the following registry key:
  - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\SERVICES\TCPIP
Check the “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\SERVICES\TCPIP\Parameters\Interfaces” key to find your adapters (CLSIDs):
Then set Access Protection Rules for each key below:
  - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\SERVICES\TCPIP\Parameters\Interface\{your CLSID}\DHCPNAMESERVER
  - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\SERVICES\TCPIP\Parameters\Interface\{your CLSID}\NAMESERVER
- Do not use Default username/passwords on your routers or modems. Read more about our password guidelines.
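The registry backup taken in the manual fix above and the per-adapter NAMESERVER / DHCPNAMESERVER keys named in these prevention rules can be audited offline from a regedit export. The following added example (not code from the article or from any vendor tool) parses a .reg export and reports, for each adapter GUID, whether DNS comes from a static list (the NameServer value, which is what “Use the following DNS server addresses” writes) or from DHCP (DhcpNameServer); a non-empty static list on a machine that is supposed to obtain DNS automatically is the deviation the rules above are meant to catch. The sample export is constructed: the GUIDs and addresses are made up, and it uses the CurrentControlSet path and the NameServer / DhcpNameServer value names as regedit writes them on a live system, which differ slightly from the article’s spelling.

```python
import re

# Constructed sample of a regedit export (.reg) of the per-adapter TCP/IP
# interface keys. The GUIDs and addresses are made up for this example.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-2222-3333-4444-555555555555}]
"EnableDHCP"=dword:00000001
"NameServer"=""
"DhcpNameServer"="192.168.1.1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{66666666-7777-8888-9999-000000000000}]
"EnableDHCP"=dword:00000001
"NameServer"="203.0.113.53,203.0.113.54"
"DhcpNameServer"="192.168.1.1"
"""

# Lower-cased tail of the per-adapter key path; anything else is ignored
INTERFACES_MARKER = r"\tcpip\parameters\interfaces\{"

# A .reg value line: "Name"="string"  or  "Name"=dword:XXXXXXXX
VALUE_LINE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')


def parse_interface_keys(reg_text):
    """Return {GUID: {value name: value}} for every Interfaces\\{GUID} key in a .reg export."""
    interfaces = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            # Only per-adapter keys matter here; any other key ends the current section
            current = key.rsplit("\\", 1)[-1] if INTERFACES_MARKER in key.lower() else None
            if current is not None:
                interfaces[current] = {}
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name, text, dword = m.groups()
            interfaces[current][name] = text if text is not None else int(dword, 16)
    return interfaces


def split_servers(value):
    """Registry DNS lists are comma separated (static) or space separated (DHCP)."""
    return [s for s in re.split(r"[,\s]+", value) if s]


def audit_dns_sources(reg_text):
    """Per adapter: the static list (NameServer) versus the DHCP-learned list
    (DhcpNameServer). A non-empty NameServer overrides DHCP, so it is what the
    resolver actually uses, and it violates an 'obtain automatically' policy."""
    report = {}
    for guid, values in parse_interface_keys(reg_text).items():
        static = split_servers(values.get("NameServer", ""))
        dhcp = split_servers(values.get("DhcpNameServer", ""))
        report[guid] = {
            "static_dns": static,
            "dhcp_dns": dhcp,
            "effective_dns": static or dhcp,
            "policy_violation": bool(static),
        }
    return report


def adapters_with_static_dns(reg_text):
    """GUIDs of adapters that deviate from 'obtain DNS server address automatically'."""
    return sorted(g for g, r in audit_dns_sources(reg_text).items() if r["policy_violation"])


if __name__ == "__main__":
    for guid, r in audit_dns_sources(SAMPLE_REG_EXPORT).items():
        source = "STATIC (verify these)" if r["policy_violation"] else "DHCP"
        print(f"{guid}: {source} -> {', '.join(r['effective_dns']) or '(none)'}")
```

To audit a real backup, export the Interfaces key from regedit and read the file with `open(path, encoding="utf-16")`, since regedit writes .reg files as UTF-16. The addresses reported as effective can then be compared against the FBI ranges listed earlier in the article.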
Technical Log Information
Information for experts.
Signs in a HijackThis log:
Note: The values you find in your log may differ, but it is suggested that you check whether the ones in your log are legitimate, even if you’re using a router and your log does not appear malformed.