One of the more widespread malware efforts over the past few years was the DNSChanger scam, which installed a Trojan horse that would change the DNS server settings on affected computers to divert traffic to rogue servers.
The DNS system is essentially the Internet’s phone book that allows your computer to resolve a URL to the IP address of the server that hosts its contents. By changing a computer so that it uses a rogue DNS server, the DNSChanger malware was thus able to redirect valid URLs (such as those for banking institutions) to malicious Web sites in order to steal personal information.
This malware effort was cross-platform, and was suspected to have affected millions of PC and Mac systems worldwide, over half a million of them being in the U.S. Overall it raked in millions of dollars for the thieves behind it, until last November when the FBI in cooperation with several foreign governments carried out Operation Ghost Click, arresting several alleged perpetrators and officially ending the scam.
Because numerous PC systems were found with altered DNS settings that pointed to the rogue DNS servers, authorities responsible for Operation Ghost Click decided to leave the rogue DNS network intact and just convert it to run as a legitimate DNS system. As a result, any PC still infected with the DNSChanger malware would start resolving URLs properly again.
This fix made the situation easy for computer users with the malware installed, since their systems would now work properly. However, this will soon change. Earlier this month, the German Federal Office for Information Security issued a press release (German) stating that converted DNS servers will be shut down on March 8.
That means that any system that was infected and is still configured with the rogue DNS servers will not be able to access the Internet and will give error messages about not being able to resolve host names. Hence, these systems will have to be cleared of the DNSChanger malware and have their DNS settings reconfigured.
The easiest way to check whether your system has been configured with a rogue DNS by the DNSChanger malware is to enter your DNS server’s IP address on the FBI’s DNS IP checker Web page. To look up your DNS address, go to the Network system preferences in OS X, select your active network connection (AirPort or Ethernet), and click the Advanced button. Then choose the DNS tab and see the list of IP addresses in the DNS Servers list.
An alternative way to view the DNS settings is to open the Terminal utility and type in the following command:
networksetup -getdnsservers “Wi-Fi”
This command will show the DNS servers that are being used for your Wi-Fi connection, but you can change the word “Wi-Fi” to “Ethernet” or to the name of any other network service (listed in the Network system preferences).
If your DNS IP address checks out and is valid, then you have nothing to worry about. However, if the site reports that the IP address is a compromised one, then your best bet is to download and run a malware scanner that can detect and remove the DNSChanger malware, such as Sophos Antivirus, Norton AntiVirus, or Intego VirusBarrier. After the malware has been removed, go to the DNS settings in your system preferences (see above), and remove any IP addresses from the server list.
Some later versions of the DNSChanger malware were able to change routers’ settings in addition to computers’ settings, so if you are unable to remove the IP addresses because they are grayed out, then go to your router’s configuration and remove any custom DNS entries from it. After doing this, disconnect your system from the network and reconnect to establish a new configuration from the router.