As mentioned in Can You Clean a Virus?, client domain name server setting is a malicious code payload that no vendor reports. This payload consists of specifying explicit domain name server (DNS) addresses.
People do not specify their DNS addresses, as a rule. DNS addresses are delivered by the DHCP server. DNS addresses are managed by their Internet Service Provider (ISP). However, if you do specify explicit DNS addresses, they will quietly override those delivered through DHCP and managed by the ISP.
Consider what a malicious person could do if they managed your DNS server. They learn which addresses you need to resolve; they know what URLs you visit. If you do online banking, they know who your bank is. They can, one day, divert you to a web site that looks like your bank. When you try to logon on, they could give you a plausible error message. Meanwhile, they capture the credentials you attempted to use. They then “correct” their DNS server and make the actual bank web site available. They wouldn’t want their DNS server to be diverting traffic for more than brief periods in a day. Meanwhile, customers think the bank is having problems while customers are giving away their credentials.
In reality, almost all banks have measures in place to prevent this. Less secure web sites do not.
It is easy to correct the problem, once found. See the network adapter’s properties, choose “Internet Protocol (TCP/IP)” and view its Properties. Frequently, “Obtain DNS server address automatically” is specified. If, on the other hand “Use the following DNS server addresses” is specified, it should be an address you can trust. If it is an address that begins with 85.255. (for example), then you have been affected.
It is generally difficulty to find machines that have had their DNS settings modified. Microsoft Systems Management server (SMS) can make this task easy.
By default, sms_def.mof will have SMS_Report of DNSServerSearchOrder set to FALSE. Change it to TRUE; let SMS collect this information.
When you have collected the DNS addresses, you can use a SQL query like the following to learn if there are any unusual DNS server settings:
SELECT COUNT(*) AS 'Count', v_GS_NETWORK_ADAPTER_CONFIGUR.DNSServerSearchOrder0 AS 'DNS ServerSearchOrder' FROM v_GS_NETWORK_ADAPTER_CONFIGUR Group by DNSServerSearchOrder0
Note: DNS Hijacking refers to the unauthorized modification of a DNS server or to the ISP’s modification of their DNS server to divert traffic. For example, in 2007, Time Warner diverted traffic intended for bot command and control servers to a site with a script which removed the bot. Exstatica has a compilation of what they observed.
The FBI has made public a step-by-step guide (“DNSChanger Malware”) [pdf] for determining if you have been effected by this malware.