DNSChanger is malware (malicious software or virus) that changes the DNS settings of a user’s Internet connection, replacing the legitimate DNS servers with rogue DNS servers operated by hackers / cyber criminals.

The malware may interfere with antivirus programs installed on the user’s computer and can badly disrupt DNS-dependent services.

How bad can DNSChanger be?

According to the FBI, the DNSChanger malware causes a computer to use rogue DNS servers in the following ways:

  • It changes the computer’s DNS server settings and replaces the ISP’s healthy DNS entries with rogue (bad) DNS server entries that are controlled by cyber criminals.
  • It attempts to access devices on the victim’s small office / home office (SOHO) network that run a dynamic host configuration protocol (DHCP) server (e.g. a router or home gateway). The malware attempts to access these devices using common default usernames and passwords and, if successful, changes the healthy DNS servers of these devices to rogue DNS servers operated by the criminals. This may impact all computers on the SOHO network, even if those computers are not infected with the malware.

FBI adds:

In addition to directing your computer to utilize rogue DNS servers, the DNSChanger malware may have prevented your computer from obtaining operating system and anti-malware updates, both critical to protecting your computer from online threats. This behavior increases the likelihood of your computer being infected by additional malware. The criminals who conspired to infect computers with this malware utilized various methods to spread the infections. At this time, there is no single patch or fix that can be downloaded and installed to remove this malware. Individuals who believe their computer may be infected should consult a computer professional.
Individuals who do not have a recent back-up of their important documents, photos, music, and other files should complete a back-up before attempting to clean the malware or utilize the restore procedures that may have been packaged with your computer.

If your ISP relies on the rogue DNS network to operate, there is a 90% chance that your computer / network is infected by the DNSChanger malware. This malware can cause a big loss, since it blocks anti-malware updates and gives cyber criminals a way to control your Internet activities.

How to detect DNSChanger Malware?

Is my computer infected by DNSChanger Malware? Visit Dns-ok.us to check whether your computer or network is infected by the DNSChanger malware. If it returns ‘DNS Resolution = GREEN’, you need not worry (but stay safe and keep checking from time to time); any other color in the DNS resolution means your computer or network is affected by the DNSChanger malware.

You can also detect it manually by comparing your DNS entries with the ranges of rogue DNS servers given below:

  • 85.255.112.0 through 85.255.127.255
  • 67.210.0.0 through 67.210.15.255
  • 93.188.160.0 through 93.188.167.255
  • 77.67.83.0 through 77.67.83.255
  • 213.109.64.0 through 213.109.79.255
  • 64.28.176.0 through 64.28.191.255

Checking the Router: The DNSChanger malware is capable of changing the DNS server settings within SOHO routers that still have the default username and password provided by the manufacturer. If you didn’t change the default password at the time the SOHO router was installed, you must change it immediately.

How you access the router configuration settings varies from manufacturer to manufacturer, so you should contact your ISP support or see the product documentation. Once you have access to the router configuration, compare the DNS servers listed to those in the rogue DNS servers list above. If your SOHO router is using one or more of the rogue DNS servers, a computer on your network may be infected with DNSChanger malware.

If you find that your DNS server records lie within the rogue DNS server ranges given above, your computer or network is infected by the DNSChanger malware and you need to pay serious attention to removing it completely.
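The manual comparison described above can be scripted. The following is an added example, not part of the original article: it takes the text of a resolv.conf file, `ipconfig /all` output, or a router status page and reports every DNS server that falls inside the rogue ranges listed above. The function names and the sample input are assumptions made for illustration.

```python
import ipaddress
import re

# Rogue DNS ranges as listed on this page, converted to CIDR networks below.
ROGUE_RANGES = [
    "85.255.112.0-85.255.127.255", "67.210.0.0-67.210.15.255",
    "93.188.160.0-93.188.167.255", "77.67.83.0-77.67.83.255",
    "213.109.64.0-213.109.79.255", "64.28.176.0-64.28.191.255",
]
ROGUE_NETWORKS = [
    net for first, last in (r.split("-") for r in ROGUE_RANGES)
    for net in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
]
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Constructed sample: `ipconfig /all` excerpt, one rogue and one clean server.
SAMPLE_IPCONFIG = """\
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.36
                                       8.8.8.8
"""

def extract_dns_servers(text):
    """Return DNS server IPs from resolv.conf, ipconfig /all or router text."""
    servers, in_dns_block = [], False
    for line in text.splitlines():
        stripped = line.strip()
        found = IPV4_RE.findall(stripped)
        labelled = bool(re.search(r"nameserver|dns", stripped, re.I))
        # ipconfig puts additional servers alone on continuation lines.
        continuation = in_dns_block and found == [stripped]
        in_dns_block = (labelled or continuation) and not stripped.startswith("#")
        if in_dns_block:
            servers.extend(found)
    return servers

def find_rogue_servers(text):
    """Return (address, network) for each DNS server inside a rogue range."""
    hits = []
    for raw in extract_dns_servers(text):
        try:
            addr = ipaddress.IPv4Address(raw)
        except ValueError:  # e.g. 999.1.1.1 matches the regex but is invalid
            continue
        hits += [(str(addr), str(n)) for n in ROGUE_NETWORKS if addr in n]
    return hits

if __name__ == "__main__":
    print(find_rogue_servers(SAMPLE_IPCONFIG))
```

An empty result means none of the configured DNS servers lie in the listed ranges; run it against every computer on the network and against the router’s DNS settings.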

How to remove DNSChanger Malware?

If you find your computer or router using the rogue DNS server records, immediately change them to Google DNS or OpenDNS:

Google DNS:

  • 8.8.8.8
  • 8.8.4.4

OpenDNS:

  • 208.67.222.222
  • 208.67.220.220

Currently, there is no patch or permanent fix available for the DNSChanger malware, so you need to focus on the prevention measures given below to avoid the malware:

Tips to avoid DNSChanger malware threat

  • Keep track of DNS settings of your computer and router to avoid the automatic changing of your DNS settings caused by a sudden malware attack.
  • Make sure your computer has an up-to-date antivirus program to ensure your system is protected from the malware threat.
  • If using a network of computers, check all of the terminals for the rogue records.
  • Avoid following unsolicited and untrusted web links in emails. Be careful while opening email attachments.
  • Change the default passwords of your Internet connection and Router.
  • If you’re not able to access the Internet, this may point to the existence of rogue DNS records on your network. So, check for and remove those rogue records.
  • See this page for utilities to remove DNSChanger Malware.

If you don’t have a professional adviser to deal with the virus, the only thing you should do is back up all of your important data on a different disk and format your computer.

Social media services like Facebook and Google+ have started alerting people about the malware. You may receive a warning about the malware when logging into these services, but this doesn’t mean that you have a malware-infected system; the warning is just an alert.