DNSChanger – Last Call on Cleanup

Here we are. It’s the last call on DNSChanger cleanup. On Monday, the Fbi-run replacement DNS servers are coming down because the court-ordered extension is coming to an end, and your systems may using these servers for resolution. There are a set of sites that may unreliably help you identify whether your machine or router continues to maintain DNS settings to the “DNSChanger” operators’ servers. This unreliability is partly because upstream major internet backbone providers have created unintended confusion, and partly because of poor/ineffective web-side detection implementations.

In the US, 60k hosts are reported to require that their DNS settings remain to be changed. How many of those systems are truly “infected”? No one knows. And, the number could be inflated. It could be that none of these systems are infected. Or all of them could be infected. Perhaps all LAN-side systems behind home and corporate routers, or systems cleaned of malware that may still maintain artifacts of this infection, continue to use Rove Digital servers for DNS resolution.

In other words, it doesn’t mean you have pneumonia, but you still have a cough. And it makes you extraordinarily more likely to get sick again. Some vendors’ products, like here at Kaspersky, have been detecting the artifact DNSChanger settings on effected machines and offering to reconfigure these settings to a set of “clean” DNS servers. This DNS reset routine is presented by Kaspersky Endpoint Security 8.0 and 2010+ home products with this popup for “Trojan.Multi.DNSChanger.Gen”:

Just click on “Yes” and your system’s DNS settings will be reconfigured to use DHCP-assigned or clean, open DNS services. After host-side reconfiguration, it still would be interesting to visit the www.dns-ok.us sites to find out if your home router is still maliciously configured.

Read more: DNSChanger – Last Call on Cleanup