Finding the DNS Setting (DNSChanger) Victims

As mentioned in Can You Clean a Virus?, client domain name server setting is a malicious code payload that no vendor reports. This payload consists of specifying explicit domain name server (DNS) addresses.

People do not specify their DNS addresses, as a rule. DNS addresses are delivered by the DHCP server. DNS addresses are managed by their Internet Service Provider (ISP). However, if you do specify explicit DNS addresses, they will quietly override those delivered through DHCP and managed by the ISP.

Consider what a malicious person could do if they managed your DNS server. They learn which addresses you need to resolve; they know what URLs you visit. If you do online banking, they know who your bank is. They can, one day, divert you to a web site that looks like your bank. When you try to logon on, they could give you a plausible error message. Meanwhile, they capture the credentials you attempted to use. They then “correct” their DNS server and make the actual bank web site available. They wouldn’t want their DNS server to be diverting traffic for more than brief periods in a day. Meanwhile, customers think the bank is having problems while customers are giving away their credentials.

In reality, almost all banks have measures in place to prevent this. Less secure web sites do not.

It is easy to correct the problem, once found. See the network adapter’s properties, choose “Internet Protocol (TCP/IP)” and view its Properties. Frequently, “Obtain DNS server address automatically” is specified. If, on the other hand “Use the following DNS server addresses” is specified, it should be an address you can trust. If it is an address that begins with 85.255. (for example), then you have been affected.

It is generally difficulty to find machines that have had their DNS settings modified. Microsoft Systems Management server (SMS) can make this task easy.

By default, sms_def.mof will have SMS_Report of DNSServerSearchOrder set to FALSE. Change it to TRUE; let SMS collect this information.

When you have collected the DNS addresses, you can use a SQL query like the following to learn if there are any unusual DNS server settings:

Note: DNS Hijacking refers to the unauthorized modification of a DNS server or to the ISP’s modification of their DNS server to divert traffic. For example, in 2007, Time Warner diverted traffic intended for bot command and control servers to a site with a script which removed the bot. Exstatica has a compilation of what they observed.

The FBI has made public a step-by-step guide (“DNSChanger Malware”) [pdf] for determining if you have been effected by this malware.

30-Jun-2012: IID DNSChanger information

IID infographic detailing the DNSChanger malware infection.

2 Responses to Finding the DNS Setting (DNSChanger) Victims

  1. […] Suspicious Filenames In Finding the DNS Hijacking Victims, Microsoft Systems Management Server (SMS) and a SQL query were used to find unusual DNS settings. […]

  2. […] Malware can replace the DNS settings with its own settings. When this happens, a client who connects to a legitimate web site (such as their bank) tells the malware DNS server who their bank is. The malware DNS server collects information about web sites the client uses. At any time, the malware DNS server can substitute a web address of their own choosing. A prompt for user ID and password would collect responses, returning an dummy “access denied” message. This leaves the bad guy with working credentials. Since DNS settings are typically ignored, this payload is typically ignored. Anti-virus software would not detect an “infection” since these are IP addresses, not a file. This is one of the many reasons you should not rely upon “cleaning” a system to make it trustworthy. See Can You Clean a Virus?“ In a corporate environment, an inventory system which gathers DNS settings (such as Microsoft’s SCCM) can be used to reveal this payload. See Finding the DNS Hijacking Victims. […]