The Latest in IT Security

DNSChanger ‘temporary’ DNS servers going dark soon – is your computer really fixed?


DNSChanger, a piece of malware that re-routed vast swaths of Internet traffic through rogue DNS servers once users became infected, was shut down by the FBI late last year. But simply shutting down the servers altogether would’ve ‘broken’ the many hundreds of thousands of computers still infected, making it difficult for them to get help via the Internet, so the FBI and ISC orchestrated a temporary fix that lets infected computers stay connected. That fix is set to end on June 9th. Now Google has rolled out a program that notifies users “you might be infected” when they use Google and it detects their computer trying to reach the temporary DNS servers. But is it possible to have your computer only ‘halfway fixed’?

If, for example, you used a tool to remove the malware, would it necessarily restore the DNS settings you had before the infection, or would it just eliminate the infection and still leave your traffic re-directing to the soon-to-be-closed temporary DNS servers? If you want to check, you can open up your network interface settings (wired and/or wireless) and look at your DNS settings. While your Operating System may be different, on Windows 7 you can check it by viewing the Properties tab for your interface like:

Then selecting IPv4 Properties from the next dialog box like:

Here you’ll see a tab for DNS settings like:

Usually this means you’re okay: your computer is getting its DNS settings from your router/switch/access point. However, DNSChanger has also been noted to modify the settings on routers/switches/access points, so even though your computer may not be telling you to visit rogue places, your router still may. We check whether this is the case by opening a command prompt (Windows 7: Start button -> Search programs and files -> type “cmd” and hit Enter) and tracing the network path to a known good host. In this example we’ll check by typing ‘tracert’ like:

Notice my connection makes a few hops before getting to the Internet, as you can see by the IP addresses starting with 192.168. – a non-publicly-routable address. Yours might vary a bit here, but 192.168.x.x addresses are very common on internal networks, as are 172.x.x.x and 10.x.x.x networks, so those are normal. Also you can see the last line telling you it hopped directly from my internal DNS servers on my routers to Google’s website. You can verify this by typing (or whatever yours says, it will probably be different) directly into your browser and seeing if you see, you should. If, on the other hand, you see any of the following ranges of IPs while using tracert:

  • –
  • –
  • –
  • –
  • –
  • –

You’ve got problems and need to fix your computer/router. If your router has been compromised, the damage can be more far-reaching: your local DNS is directing every computer on the network (including Wi-Fi-enabled mobile devices) to servers which soon won’t work. Don’t worry, there’s still time to fix it now that you know, but don’t wait. You’ll have to get it fixed before the June 9th cutoff, or devices on your network won’t be able to reach vast swaths of the Internet, making it difficult to get help online.
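The manual DNS-settings check described above can also be scripted. The following is an added example, not part of the original article: it pulls the DNS servers out of `ipconfig /all` text and labels each one as private, public, or inside a watch list of address ranges. The `WATCH_RANGES` values are placeholder documentation ranges (RFC 5737) to be replaced with the rogue ranges from the published advisory, and the sample `ipconfig` output is constructed.

```python
import ipaddress
import re

# Placeholder watch list (assumption): RFC 5737 documentation ranges stand in
# for the rogue DNS ranges, which must be taken from the published advisory.
WATCH_RANGES = [("192.0.2.0", "192.0.2.255"), ("198.51.100.0", "198.51.100.127")]

# Constructed sample of `ipconfig /all` output (not captured from a real host).
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       198.51.100.7
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def dns_servers(ipconfig_text):
    """Return the IPv4 DNS servers listed in `ipconfig /all` output."""
    servers, in_dns = [], False
    for line in ipconfig_text.splitlines():
        label, sep, value = line.partition(" : ")
        if sep:                          # "Label . . . : value" starts a field
            in_dns = label.strip().startswith("DNS Servers")
        elif not line.startswith(" "):   # adapter header or blank line
            in_dns = False
        else:                            # indented continuation of last field
            value = line
        if in_dns:
            servers += IPV4.findall(value)
    return servers

def classify(ip_text, watch=WATCH_RANGES):
    """Label one address: 'watchlisted', 'private', 'public' or 'invalid'."""
    try:
        ip = ipaddress.IPv4Address(ip_text)
    except ValueError:
        return "invalid"
    for start, end in watch:
        if ipaddress.IPv4Address(start) <= ip <= ipaddress.IPv4Address(end):
            return "watchlisted"
    return "private" if ip.is_private else "public"

def audit(ipconfig_text):
    """Map each configured DNS server to its classification."""
    return {ip: classify(ip) for ip in dns_servers(ipconfig_text)}
```

A "private" result only shows that the computer defers to the local router, so the router's own DNS settings still need the same check.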
