DNSChanger Information
DNSChanger Malware
The Domain Name System (DNS) works like a telephone book for the internet, changing domain names into numerical Internet Protocol (IP) addresses. When you enter a domain name (such as 'www.staysmartonline.gov.au') into your web browser, the computer contacts the DNS servers to find the IP address that corresponds to the domain name (for example, 172.16.254.1). Your computer then uses this IP address to connect to the website you are looking for. The DNS servers you use are usually operated by your Internet Service Provider (ISP) and form part of the network which connects your computer to the internet.
Without the DNS and DNS servers, you would not be able to access websites, send e-mail, or use many other internet services.
Criminals have learned that if they can control DNS servers, they can control which sites a user connects to on the internet. By controlling a user's DNS, a criminal can cause an internet user to unknowingly access fraudulent or malicious content, or otherwise interfere with a user's web browsing.
One way criminals do this is by infecting computers with a type of malicious software (malware) called DNSChanger. The DNSChanger malware replaces a user's DNS settings with settings that connect to 'rogue' DNS servers.
In November 2011, the FBI closed down a ring of cyber criminals who are believed to have been responsible for the worldwide spread of DNSChanger. An estimated four million users were affected worldwide. The FBI worked with the Internet Systems Consortium (ISC) to set up and operate a correct, temporary DNS solution so that these users would not lose their internet access when the malicious DNS servers were taken down.
This temporary DNS solution gave users infected with DNSChanger the opportunity to remove the infection before the temporary solution was switched off on 9 July 2012. As a consequence, most users affected by DNSChanger after this date are unable to access internet services.
What DNSChanger does to your computer
DNSChanger alters your computer's DNS settings to replace your 'default' DNS settings with settings that connect to the rogue DNS servers. DNSChanger also attempts to access devices on your network such as your router and change their DNS settings so that they connect to the rogue DNS servers. This means that all the computers on your network can be affected by DNSChanger, even if they are not directly infected with the malware.
Manually checking whether a computer is infected by DNSChanger
To manually diagnose whether a computing device is affected by DNSChanger, you will need to check the device's DNS settings and the settings of any wireless access point or routers used by the device. The FBI provides the following instructions (PDF) for checking the DNS settings on a range of operating systems, and some basic instructions, primarily for users of Microsoft Windows, are also provided in Removing DNSChanger and restoring correct Domain Name System settings. You may also wish to seek advice from a computer professional to assist you in diagnosing and removing DNSChanger.
A list of the DNS settings associated with the rogue DNS servers is provided below - if a computer is using one or more of these settings, it is very likely to be affected by DNSChanger.
'Rogue' DNS server settings
| Between | And |
| 85.255.112.0 | 85.255.127.255 |
| 67.210.0.0 | 67.210.15.255 |
| 93.188.160.0 | 93.188.167.255 |
| 77.67.83.0 | 77.67.83.255 |
| 213.109.64.0 | 213.109.79.255 |
| 64.28.176.0 | 64.28.191.255 |
Checking your Router
Routers allow your network of computers and devices to connect to your ISP. You may have purchased and installed a router yourself, or one may have been provided by your ISP. If your router is still using the default username and password provided by the manufacturer you should check its DNS settings, as DNSChanger may have changed these settings. The instructions for changing the DNS settings will vary by manufacturer, so you should read the instructions for your particular router.
You should compare your router's DNS settings to the 'rogue' DNS server settings provided above. If your router is using one or more of these settings, a computer on your network may be infected with DNSChanger.
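The comparison against the 'rogue' ranges, for both a computer's and a router's DNS settings, can be scripted. The Python check below is an added example, not part of the original page or any agency tool; the function names and the sample settings text are constructed for illustration.

```python
import ipaddress
import re

# Rogue ranges copied from the table above: (first address, last address).
ROGUE_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]

# Collapse each first/last pair into CIDR networks for membership tests.
ROGUE_NETWORKS = [
    net
    for first, last in ROGUE_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
]

def is_rogue(address):
    """Return True if `address` is an IPv4 address inside a rogue range."""
    try:
        ip = ipaddress.ip_address(address.strip())
    except ValueError:
        return False  # not a valid IP address (e.g. 999.1.1.1 or free text)
    return ip.version == 4 and any(ip in net for net in ROGUE_NETWORKS)

def find_rogue_resolvers(settings_text):
    """Extract dotted-quad addresses from pasted DNS settings; return rogue ones."""
    candidates = re.findall(
        r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])", settings_text)
    hits = []
    for candidate in candidates:
        if is_rogue(candidate) and candidate not in hits:
            hits.append(candidate)  # keep first-seen order, no duplicates
    return hits

# Constructed sample mixing resolv.conf-style and ipconfig-style lines.
SAMPLE_SETTINGS = """nameserver 85.255.112.36
nameserver 192.0.2.53
   DNS Servers . . . . . . : 67.210.15.255
                             64.28.192.1
"""

if __name__ == "__main__":
    for hit in find_rogue_resolvers(SAMPLE_SETTINGS):
        print(f"{hit} is inside a DNSChanger rogue range")
```

Paste the DNS server lines from the computer or the router's status page into `find_rogue_resolvers`; any address it returns should be treated as a sign of DNSChanger on the network.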
Tools for Removing DNSChanger
If you determine that you are infected by DNSChanger, or are unsure if you are infected, a number of internet security software companies supply repair tools intended to detect and remove the DNSChanger malware. This is an incomplete list of tools and resources that may help with DNSChanger detection and removal:
- Avira DNS Repair Tool
- Kaspersky TDSSKiller
- McAfee Stinger
- Microsoft Safety Scanner
- Microsoft Windows Defender Offline
- SecureMac's dnschanger.com
- SurfRight Hitman Pro
- Symantec Power Eraser
- Trend Micro HouseCall
More information
This DNSChanger Diagnostic is a joint Australian Government initiative between: