After our previous blog entry about DNSChanger, Botfrei took the opportunity to test HitmanPro against DNSChanger malware and HitmanPro’s ability to repair Rogue DNS server settings.
In their test, HitmanPro failed to detect a Rogue DNS server setting and this of course got us wondering: what is going on?
Botfrei dropped a malware sample in their test environment and the malware changed the DNS server setting to 220.127.116.11 (as can be seen in this screenshot).
If you cross reference this IP with the Rogue DNS addresses mentioned in the FBI document (on page 5) you’d notice that this IP does not belong to Operation Ghost Click.
To confirm this we’ve changed our DNS server setting to the aforementioned IP and went to dns-0k.de. This website is set up by the German government and can be used to see whether your computer was/is infected with DNSChanger malware.
The result while using the Rogue DNS server setting can be seen in the following picture:
So both FBI and German government confirm the IP is not part of the Rogue DNS servers that were in use by DNSChanger.
But there is more …
Because HitmanPro apparently failed their test, Botfrei advises at the bottom of their article to use the new Avira-DNS-Repair-Tool which is out since January 23, 2012.
So lets download Avira-DNS-Repair-Tool and give it a go …
Notice that Avira’s brand new tool does not detect a Rogue DNS server setting either!
So the dns-ok.de test site of the German government, HitmanPro and the advised Avira-DNS-Repair-Tool did not detect the apparent Rogue DNS server setting. Why not?
First, the IP is not part of the seized DNSChanger servers at all but belongs to an ISP in Latvia (according to RIPE). Second, if you Google the IP then you mostly get articles dated 2010. So it seems that Botfrei used an old piece of malware to do their tests against.
UPDATE: Looking closer at one screenshot from the test, we can confirm this date as the filename of the sample is:
Since HitmanPro uses IP reputation and blacklist techniques the IP seems no longer to be actively used by malware and hence its reputation is dropped and it is no longer listed in blacklists (currently it is listed in just 1 out of 103 blacklists). This caused HitmanPro to not list the DNS server setting.
It appears Botfrei was in a bit of a rush to advise against HitmanPro and promote Avira’s new tool instead. While in a hurry they (1) used malware that is unrelated to their DNSChanger cleaning campaign and (2) they actually gave advice (Avira’s offering) that confirms HitmanPro’s findings: no Rogue DNS detected.
HitmanPro is a free second opinion malware scanner and very capable of removing DNSChanger malware and repairing Rogue DNS server settings. Don’t take our word for it, take it for a spin. But do make the right assumptions.