A few days ago the German government advised internet users to check DNS server settings on their computers. The advice is related to the botnet takedown called Operation Ghost Click which was led by the FBI in November 2011.
The botnet was made up of more than 4 million computers in more than 100 countries. The computers were infected with malware called DNSChanger. This Trojan changed the DNS settings of the computer and allowed the botnet owners to redirect web browser requests. With these redirects, the botnet owners were able to manipulate internet advertising to generate at least $14 million in illicit fees. In some cases, the malware had the additional effect of preventing users’ anti-virus software and operating systems from updating, thereby exposing infected machines to even more malicious software.
Rogue DNS Servers
In November 2011 the FBI seized the rogue DNS servers and replaced them with legitimate servers in the hope that users who were infected would not have their Internet access disrupted. But these servers will be kept online only until March 8, 2012.
The replacement DNS servers recorded 33,000 computers in Germany that are still contacting the rogue DNS servers. This number was large enough for the German government to issue the nationwide advice.
To facilitate the nationwide DNS check, the German government launched the website: dns-ok.de
If you go to the website and your computer uses rogue DNS server settings then you see this page:
The page offers a link to botfrei.de, which provides the DE-Cleaner software that helps users get rid of the DNSChanger infection (and other malware).
DE-Cleaner comes in three flavors provided by: Avira, Kaspersky and Symantec. A multi-vendor approach, just like HitmanPro.
The problem with the DE-Cleaner software is that it does not detect or repair rogue DNS server settings: it leaves that up to the user.
Using rogue DNS server settings is as bad as it gets. Nothing on the internet can be trusted: login information and credit data will be stolen. It's a matter of time (DNSChanger is proof of this). So it is of utmost importance that the computer uses proper DNS server settings. Hence the German call for a nationwide DNS check.
Since DNS is extremely important, HitmanPro scans the DNS server settings of each network adapter in the computer. HitmanPro validates the DNS setting against blacklists and lists the corresponding adapter when its DNS server settings are deemed malicious. A repair of the DNS server setting is then offered, free of charge.
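The per-adapter check described above can be illustrated as follows. This is an added example, not HitmanPro's code: it parses English-locale `ipconfig /all` output and flags adapters whose DNS servers fall inside a blocklist. The blocklist ranges and the sample output are constructed placeholders (RFC 5737 documentation addresses), not the real DNSChanger server ranges, and the function names are hypothetical.

```python
import ipaddress
import re

# Placeholder blocklist (RFC 5737 documentation ranges), NOT the real rogue
# ranges; substitute the ranges published in a trusted advisory.
BLOCKLIST = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

# Constructed sample of English-locale `ipconfig /all` output.
SAMPLE = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : No
   DNS Servers . . . . . . . . . . . : 192.0.2.53
                                       198.51.100.7
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

   DHCP Enabled. . . . . . . . . . . : Yes
   DNS Servers . . . . . . . . . . . : 10.0.0.1
"""

def dns_by_adapter(text):
    """Map each adapter name to its DNS servers, including continuation lines."""
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        if line[:1].strip() and line.rstrip().endswith(":"):
            current, in_dns = line.rstrip()[:-1], False   # unindented adapter header
            adapters[current] = []
        elif current is not None:
            m = re.match(r"\s+DNS Servers[ .]*:\s*(\S+)", line)
            if m:
                adapters[current].append(m.group(1))
                in_dns = True
            elif in_dns and line.strip() and " : " not in line:
                adapters[current].append(line.strip())    # secondary server line
            else:
                in_dns = False                            # next labelled field or blank
    return adapters

def flag_rogue(adapters, blocklist=BLOCKLIST):
    """Return (adapter, server) pairs whose server lies in a blocked range."""
    hits = []
    for name, servers in adapters.items():
        for s in servers:
            ip = ipaddress.ip_address(s.split("%")[0])    # drop any IPv6 zone id
            if any(ip in net for net in blocklist):
                hits.append((name, s))
    return hits

if __name__ == "__main__":
    for adapter, server in flag_rogue(dns_by_adapter(SAMPLE)):
        print(f"{adapter}: DNS server {server} is in a blocked range")
```

A statically configured DNS server on an adapter that otherwise uses DHCP is worth a second look even when the address is not on any list.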
Like DE-Cleaner, most antivirus products do not check the DNS server settings of the computer. The reason for this is anybody’s guess. HitmanPro 3 has checked the DNS server settings since its inception and provides a convenient way for the average computer user to get rid of the malware and repair DNS server settings in a single pass.
Since the DNSChanger botnet was made up of more than 4 million computers, with 500,000 computers in the US and 33,000 in Germany, there are a lot more computers that still use the rogue DNS server settings. So run a scan with HitmanPro before March 8, 2012 or you might not be able to use the internet – the FBI will shut down the replacement DNS servers on that day.
We have made a video to illustrate the whole procedure:
Note: we’ve made the video with Hitman Pro 3.5 as this version supports the German language.