There has been a lot of talk in the news about this DNS Changer worm, and how it will cause people to lose their internet connection on Monday. I wanted to take a moment to clear some things up, as the news basically points you to the FBI’s site (and their information). The link to their information is here.
So, here we go…
Originally there were over 14 million estimated computers infected with these worms. Through the FBI and ISP’s sending out warnings, that number has decreased dramtically. RIght now, in the US, it’s estimated that only 70,000 devices are infected. (Worldwide stats are available from the FBI.) This is why they’re shutting down the servers.
The FBI set up it’s own DNS Servers at the “rogue” IP Addresses, because with so many infected computers, it would have been catastrophic to shut the sites down cold. Imagine waking up to find that over 14 MILLION people have lost internet access suddenly.
Basically what’s happening is this: DNS is like calling directory assistance and getting someone’s phone number. Your browser does this, when it doesn’t know the address (think phone number) of a website. That virus changed those “Directory Assistance” numbers to it’s own set. So it’s as if you were calling a special number for Directory Assistance, and they gave you what numbers they wanted you to dial (not necessarily the number to the person you were calling). Or they gave you a number that would charge your phone bill on their behalf (like using a Phone card to call).
In terms of DNS, your browser would either get sent to an ad site, porn site, or something else, when you typed in a site name. Or if you did a search, it would fake the results of the search with malicious sites (where you could be infected with other viruses), or it would replace the ads on a legitimate site (since your browser had to get the ads from somewhere), with their own ads. It was hinted that the viruses would also capture your passwords, but I haven’t seen anything openly saying that. Although if someone’s infected with any virus, they’ll want to change their passwords after fixing their computer.
** Another common analogy for DNS is like sending a letter through the Post Office, but to be honest, I’m not sure how this would play out in that scenario.
How do you know if you’re infected with the worm?
The easiest way to check your computer is to visit this site for their steps. They have a page which will tell you (via a green or red background on a picture) if you’re infected or not. One drawback is if your ISP “fixes” or alters DNS entries, it may look like you’re clean, when you’re really not.
As for what to check on your computer, here’s what to do:
For Windows Users:
- Click the Start orb, and type cmd in the bottom box (where it says “Search”).
- Click on Command Prompt (or cmd) in the results at the top.
** These instructions are for Windows Vista/7 users mainly. In older versions of windows, it would be the start button, then Run… and type cmd, or (in all versions of Windows) you can also press the Windows Key and the R key at the same time, and type cmd in the “Run…” box that pops up.
- Type in ipconfig /all (or copy and paste from this post).
You’re going to get a lot of information on the screen. What you’re looking for will say something like this:
Local Area Connection (Ethernet)
IP Address: 192.168.x.x (could be something like 192.168.2.100)
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.x.1 or 192.168.x.254 (whatever the IP Address from your modem or router is)
DNS Servers: xxx.xxx.xxx.xxx
*Those are what you’re looking for ***
What the link said to do was look at the first set of xxx’s in each DNS server. If it’s in their table, then look at the second set of xxx’s in each server. If that’s in the table, look at the third set, and so on. If at ANY point, you find a set of xxx’s that’s not listed in their table, you can stop. Even if it’s one number.
Here is the table that they are referring to.
Rogue DNS Servers
18.104.22.168 through 22.214.171.124
126.96.36.199 through 188.8.131.52
184.108.40.206 through 220.127.116.11
18.104.22.168 through 22.214.171.124
126.96.36.199 through 188.8.131.52
184.108.40.206 through 220.127.116.11
If your DNS Servers are the same as your “Default Gateway” up above, then you need to log into your modem and check them from it. If you have just a modem, then you’ll probably want to call your ISP for help with this. Unless of course, you’ve logged into it enough times that you know what to do. If you have a separate router (like a Linksys, Cisco, or Netgear router for example) that your computer is plugged into, you should be able to go to their site and get information on how to log in. The steps here are general (as the pages and passwords are different for each router).
- In your browser, type in the IP Address for your Default Gateway and hti enter.
- On the screen that comes up, type in the username and password for your router (NOTE** if you haven’t changed these from the default (usually admin for both), YOU NEED TO DO THAT!!!!!!!!!!!)
- You will be presented with the setup screens for your router. You want to look for the DNS information screens (first look at your Status screens, and if the DNS Entries aren’t there (or are the rogue entries) then look for how to configure them).
- If your DNS Entries are the rogue entries in the table, then you need to change them back to “good” ones (or follow whatever steps are needed to have your ISP automatically provide them). Personally, I recommend using Public DNS entries (like 18.104.22.168 and 22.214.171.124 for OpenDNS or 126.96.36.199 and 188.8.131.52 for Google DNS), but it’s your decision whether to use your ISP’s or not.
Apply the changes, and restart your computers after the modem/router restarts. You should be all set for Monday.
For Linux users, you’ll either want to check your /etc/resolv.conf file to see if it has the rogue DNS servers or manually edit your network connections (or router/modem).
And for Mac users, you’ll want to check the instructions from the FBI’s website link.
If your computer is/was infected, you need to take steps to clean it. On the link that I provided above for detecting whether you’re infected, they have links to tools for cleaning your computer. After running these tool(s) and making sure your comptuer is clean, you most defiinitely want to change ALL of your passwords. This goes without saying for any malware that’s on your computer (not just this one).
Good luck, and I’ll see you on Monday (hopefully).
Have a great day:)