How to know if your computer is hit by a dnschanger virus?

The Federal Bureau of Investigation (FBI) is in the final stage of its Operation Ghost Click, which strikes against the menace of the DNSChanger virus and trojan. PCs unknowingly running the DNSChanger malware are in danger of going offline this coming Monday (July 9), when the FBI plans to pull down the online servers that communicate with the virus on host computers.

After gaining access to a host PC, the DNSChanger virus tries to modify the DNS (Domain Name Server) settings, which are essential for Internet access, to send traffic to malicious servers. These poisoned web addresses in turn point traffic generated through infected PCs to fake or unsafe websites, most of them running online scams. There are also reports that the DNSChanger virus acts as a trojan, allowing perpetrators of the hack attack to gain access to infected PCs.

Google issued a general advisory for netizens in May earlier this year to detect and remove DNSChanger from infected PCs. According to our report, some 5 lakh PCs were still infected by the DNSChanger virus in May 2012.

The first report of the DNSChanger virus and its affiliation with an international group of hackers came to light towards the end of last year, and the FBI has been chasing them down ever since. The group behind the DNSChanger virus is estimated to have infected close to 4 million PCs around the world in 2011, until the FBI shut them down in November.

In the last stage of Operation Ghost Click, the FBI plans to pull the plug and bring down the temporary rogue DNS servers on Monday, July 9, according to an official announcement. As a result, PCs still infected by the DNSChanger virus will be unable to access the Internet.

How do you know if your PC has the DNSChanger virus? Don’t worry. Google has explained the hack attack and tools to remove the malware on its official blog. Trend Micro also has extensive step-by-step instructions to check if your Windows PC or Mac is infected by the virus.

The article is found at http://www.thinkdigit.com/Internet/Google-warns-users-about-DNSChanger-malware_9665.html

How do I check if my computer is one of those affected?

Solution 1:

There are many sites that will help you to perform a test. Here is a list published by the FBI: https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS

Solution 2:

What are DNS Changer viruses?

DNS (Domain Name System) is an Internet service that converts user-friendly domain names into the numerical Internet protocol (IP) addresses that computers use to talk to each other. For example, google.com is actually an IP address (173.194.38.164). DNS makes it easier for us to remember the site names. DNS servers convert the domain names into IP addresses.

Now the malware changes the domain name servers used by your computer to a different, malicious DNS server. This malicious DNS server swaps IPs and takes the user to a fake site.


Now if you log in to any of your accounts on the fake site, then your login information is compromised. That's how the malware steals credit card details from the user.

The State of affairs now

The FBI has taken control of the bad DNS servers and has been running them as legitimate servers. Now they want to bring them down. If they shut down the servers, then you will not be able to browse the web. That's why you have to check your DNS servers and make sure that you do not have an infected one.

Checking to see if you are using a BAD DNS server

This site will show you if you are using a bad DNS server.

  • http://www.dns-ok.us/ Edit: Looks like the site is down, you will have to manually check.

If you are using a bad DNS server

Please change your passwords and other private stuff as it might have been compromised. There are several ways to fix your computer, see the page below.

  • http://www.dcwg.org/fix/

Solution 3:

Fortunately the rogue servers have been taken down, but that leaves @HackToHell's links no longer working. Here's an alternative for checking whether your computer is infected:

For Windows:

  1. Open command prompt (Win+R then type in CMD and then Enter ↵)
  2. Run the following command and examine the results:

    ipconfig /all | find /i "dns server"

    (screenshot: DNS server in use)

  3. If it reads something other than your router's or ISP's DNS server, then you might be affected. To be sure, compare it to the following IP addresses; if it matches, then you're affected:

    (image: list of rogue DNS server IP addresses, not reproduced here)

For Mac

  1. Open Terminal and run the following command to see your DNS settings: networksetup -getdnsservers Wi-Fi (use Ethernet or any other connection device in place of Wi-Fi, depending on the type of connection you're using)
  2. Check for the same values as above.

Note that this is the same as looking in your Network preferences pane (thanks @DanielBeck).

For Linux

  1. Open Terminal and run the following command to see your DNS settings: cat /etc/resolv.conf (on systems using systemd-resolved, where this only lists the local stub 127.0.0.53, run resolvectl status to see the upstream servers)
  2. Check for the same values as above.

Make sure to check ALL your networking devices including routers.
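The manual comparison in Solution 3 (and the "check your DNS servers" advice in Solution 2) can be scripted. The following is an added example, not code from any of the answers: it reads the output of the platform command from stdin (ipconfig /all, networksetup -getdnsservers, cat /etc/resolv.conf), extracts the resolver addresses, and checks them against a list of networks. The ROGUE_NETWORKS values are placeholders (TEST-NET blocks), not the real rogue ranges, and SAMPLE_IPCONFIG is constructed; substitute the FBI/DCWG ranges before relying on it.

```python
"""Check the resolvers a machine is using against known-rogue DNS ranges.
Added example, not code from the answers above. Pipe the output of your
platform's command into it. ROGUE_NETWORKS holds placeholder ranges
(TEST-NET blocks); substitute the FBI/DCWG list before relying on it."""
import ipaddress
import re
import sys

# Placeholder ranges, constructed for this example only.
ROGUE_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample of `ipconfig /all` output: the second resolver sits in a
# placeholder rogue range and appears on the unlabelled continuation line that
# the answer's `find /i "dns server"` one-liner would not print.
SAMPLE_IPCONFIG = """\
   IPv4 Address. . . . . . . . . . . : 192.168.1.20
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       203.0.113.7
"""

def extract_dns_servers(text):
    """Resolver IPs from ipconfig, resolv.conf or networksetup output:
    labelled DNS/nameserver lines and bare-IP lines (continuation lines,
    networksetup output) count; other addresses such as the gateway do not."""
    servers = []
    for line in text.splitlines():
        line = line.strip()
        if re.search(r"dns server|nameserver", line, re.I) or IPV4_RE.fullmatch(line):
            servers.extend(IPV4_RE.findall(line))
    return servers

def rogue_resolvers(servers, networks=ROGUE_NETWORKS):
    """Subset of `servers` inside a rogue network; malformed entries are skipped."""
    hits = []
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            continue
        if any(addr in net for net in networks):
            hits.append(s)
    return hits

if __name__ == "__main__":
    found = extract_dns_servers(sys.stdin.read())
    print("resolvers:", found, "rogue:", rogue_resolvers(found))
```

Run it as `ipconfig /all | python check_dns.py` on Windows, or `cat /etc/resolv.conf | python check_dns.py` on Linux; an empty rogue list means none of the configured resolvers fell inside the listed networks.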