Tuesday, July 10, 2012

What is DNSChanger?

DNSChanger Diagnostic

You do not appear to be affected by DNSChanger

Your system does not appear to be affected by the DNSChanger malware.

What is DNSChanger?

DNSChanger is a class of malicious software (malware) that changes a user's Domain Name System (DNS) settings, enabling criminals to direct unsuspecting internet users to fraudulent websites and otherwise interfere with access to internet services. It has been associated with 'click fraud', the installation of additional malware and other malicious activities.


In November 2011, the FBI closed down a ring of cyber-criminals believed to be responsible for the worldwide spread of DNSChanger.


An estimated four million users were affected worldwide. To avoid these victims losing access to internet services, the FBI worked with the Internet Systems Consortium (ISC) to set up and operate a temporary but correct DNS solution, while giving ISPs the opportunity to assist their customers to remove their potential infection.


This temporary solution was switched off at 2pm AEST on 9 July 2012.

In most cases, if you have managed to load this webpage after this date, you are very unlikely to be affected by DNSChanger, as you would have been unable to load the webpage if you were affected. However, there are some potential circumstances in which you may be still affected by DNSChanger, as described below.

Note for Telstra customers

Telstra has established a temporary network solution to ensure that Telstra customers who are affected by DNSChanger will continue to be able to browse the internet after 9 July 2012. Further advice from Telstra on DNSChanger is available at www.telstra.com.au/protection


Telstra has configured its network so that in almost all cases if you are affected by DNSChanger and visit this website, dns-ok.gov.au, after 2pm AEST 9 July you will receive a red 'You appear to be affected by DNSChanger' diagnosis. So the fact you have landed on this green 'You do not appear to be affected by DNSChanger' webpage means you are very unlikely to be affected by DNSChanger.


A note about potential 'false negatives'

It is possible that your network administrator or internet service provider (ISP) is transparently rerouting or otherwise modifying your DNS traffic. This action may have been taken to negate the effects of DNSChanger, through providing you with an ongoing ability to access the internet after 9 July 2012. (The ACMA is not aware of any Australian ISPs other than Telstra undertaking this action - see note above for how this redirection affects Telstra customers.)


In such cases it is possible that one or more of your computing devices are infected by DNSChanger but this website provides you with a green 'You do not appear to be affected by DNSChanger' diagnosis.


If your DNS is being rerouted or modified, it is still possible to perform a manual check of whether your computing device remains affected by DNSChanger, and is still using the 'rogue' DNS settings installed by this malware. For more information on how to do this, refer to the FBI DNSChanger document (PDF) below and also the General information about DNSChanger on this website.


Advice for internet users still affected by DNSChanger after 9 July 2012

A basic document providing advice on Removing DNSChanger and restoring correct Domain Name System settings has been prepared to assist internet users affected by DNSChanger. It is intended for internet users still affected by DNSChanger after 9 July, when the ISC temporary DNS servers are no longer operational and online remediation assistance may therefore be unreachable from an affected device.


If you are affected by DNSChanger we recommend that you print out or save this document to your personal storage device so that it will be accessible without internet connectivity. You may also wish to print out or save the more detailed FBI DNSChanger document (PDF) to assist you regain access to internet services.

------------- 

Removing DNSChanger and restoring correct Domain Name System settings

 
Did your internet service stop working on the 9th of July? If so, there is a possibility that one or more of your computing devices is affected by malicious software (malware) known as DNSChanger, and that this has caused your loss of access to internet services.
In some cases DNSChanger may have caused your internet services—such as web browsing—to operate significantly slower than previously. If you think this is happening to you, you should read this document.

 
This document provides you with general guidance about how to:
- check whether you have lost internet access or had your internet access significantly slowed down as a consequence of DNSChanger;
- configure your Domain Name System (DNS) settings appropriately to enable ongoing internet access; and
- remove DNSChanger.
Background
This document has been prepared by the Australian Communications and Media Authority (ACMA) and CERT Australia. It also draws upon advice about DNSChanger provided by the DNS Changer Working Group (DCWG) and its members.
The guidance provided in this document is primarily intended for Australian internet users that have been infected by DNSChanger malware and remain affected by this malware after 9 July 2012.
As there are multiple variants of DNSChanger malware affecting internet users—and DNSChanger can affect any internet user irrespective of the type and version of operating system they are using—this advice will not cover all system installations. However, we believe the guidance in this document will assist the majority of Australian internet users affected by DNSChanger after 9 July 2012.
 

What is DNSChanger?
DNSChanger is a class of malware that changes a user's Domain Name System (DNS) settings, enabling criminals to direct unsuspecting internet users to fraudulent websites and otherwise interfere with access to internet services. It has been associated with 'click fraud', the installation of additional malware and other malicious activities.
In November 2011, the FBI closed down a ring of alleged cyber-criminals believed to be responsible for the worldwide spread of DNSChanger. At this time the number of internet users affected by DNSChanger was estimated to be around half a million.
To avoid these infected users losing access to internet services, the FBI worked with the Internet Systems Consortium (ISC) to set up and operate a temporary but correct DNS solution. This was done to provide internet users affected by DNSChanger the opportunity to remove this malware and restore appropriate DNS settings.
What is the significance of the ‘9 July 2012’ date?
The temporary DNS solution operated by the ISC was switched off at 2pm on 9 July 2012 (AEST). As a consequence, many internet users affected by DNSChanger have been unable to access internet services after this date.
Some users affected by DNSChanger may still be able to access internet services—such as browsing websites—but their services will be operating very slowly. This is because some operating systems fall back to previously configured DNS servers when the current ones do not respond, but only after waiting for the rogue servers to time out. Because this happens each time a domain name needs to be resolved, web browsing becomes significantly slower for affected users.
Note for Telstra customers
Telstra has established a temporary network solution to ensure that its customers affected by DNSChanger will continue to be able to browse the internet after 9 July 2012. Telstra has also established ongoing mechanisms to inform its customers that they are affected by this malware after 9 July 2012.
If a Telstra customer visits dns-ok.gov.au after 9 July 2012 the website will continue to perform an automatic diagnosis to test whether or not they are infected by DNSChanger.
Further advice on Telstra’s action on DNSChanger is available at www.telstra.com.au/protection.
Basic test for internet connectivity
As it is possible that your lack of access to internet services may be unrelated to DNSChanger—such as intermittent or ongoing lack of internet connectivity—we recommend that you undertake the following steps to test for internet connectivity.
Open your internet browser and type ‘165.191.2.20’ into the browser address line, then press Enter. If your internet connectivity is working, the ACMA’s website should load.
If the ACMA website did not load, it is a good idea to test another IP address: ‘173.194.68.100’. This should load the Google search page.
Entering an IP address directly into your browser’s address bar means that no domain name needs to be resolved to an IP address, so the request bypasses the DNS servers that normally perform this mapping. Even if you are affected by DNSChanger, these webpages should load. (This test relies on the website serving a page when it is addressed by IP rather than by name, which not every website does; use the two addresses given here.)
However, if neither of these pages loaded, it is likely that there is some problem with your internet connectivity that is unrelated to DNSChanger. The ACMA recommends that you obtain technical advice to resolve this issue.
You could also wait a few hours, reboot your modem, and try entering these IP addresses again. This may help identify circumstances where there is an intermittent network problem affecting your internet connectivity rather than a DNSChanger infection.
The following steps apply if you have been able to establish internet connectivity.
How to restore correct DNS settings on your computer
1. Because DNSChanger alters your DNS settings, the quickest way to get back online is to manually update your computer’s DNS settings to known safe values. One way to do this is to configure your DNS settings to use Google’s public DNS. See the section Changing your DNS settings to use Google’s public DNS below.
2. If Changing your DNS settings to use Google’s public DNS did not work, your internet access problem may have a different cause, as mentioned in the Basic test for internet connectivity section above.
3. If you were able to restore your access to the internet, the next step is to remove the DNSChanger malware. The dns-ok.gov.au website offers a number of different tools that you can use to try and remove DNSChanger. If you don’t remove DNSChanger after updating your DNS settings, the changes made to these settings will be lost the next time you shut down or reboot your computer. You will then have to manually re-enter the DNS settings to gain access to internet services.
4. Once you believe your system is clean and no longer contains the DNSChanger malware, reboot your machine. If you can no longer gain effective access to the internet, DNSChanger probably hasn’t been fully removed. Go back to step 1, and try a different DNSChanger removal tool from dns-ok.gov.au.
Changing your computer’s DNS settings to use Google’s public DNS
The Google Public DNS IP addresses are as follows:
 8.8.8.8
 8.8.4.4
You can use either number as your primary or secondary DNS server. You can specify both numbers, but do not specify one number as both primary and secondary.
Many systems allow you to specify multiple DNS servers, to be contacted in a priority order. In the following instructions, we provide steps to specify only the Google Public DNS servers as the primary and secondary servers, to ensure that your setup will correctly use Google Public DNS in all cases. Note: Depending on your network setup, you may need administrator privileges to change these settings.
The following advice applies to Microsoft Windows users only. More detailed instructions for restoring appropriate DNS settings, including instructions for Apple computer users, are provided at http://www.fbi.gov/DNS-changer-malware.pdf [1].
DNS settings are specified in the TCP/IP Properties window for the selected network connection.
[1] This URL will need to be accessed from a computing device not affected by DNSChanger.
Example: Changing DNS server settings on Microsoft Windows 7
1. Go to the Control Panel.
2. Click Network and Internet, then Network and Sharing Center, and click Change adapter settings.
3. Select the connection for which you want to configure Google Public DNS. For example:
o To change the settings for an Ethernet connection, right-click Local Area Connection, and click Properties.
o To change the settings for a wireless connection, right-click Wireless Network Connection, and click Properties.
If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
4. Select the Networking tab. Under This connection uses the following items, select Internet Protocol Version 4 (TCP/IPv4) and then click Properties.
5. Click Advanced and select the DNS tab. If there are any DNS server IP addresses listed there, write them down for future reference, and remove them from this window.
6. Click OK.
7. Select Use the following DNS server addresses. If there are any IP addresses listed in the Preferred DNS server or Alternate DNS server, write them down for future reference.
8. Replace those addresses with the IP addresses of the Google DNS servers:
o 8.8.8.8 and/or
o 8.8.4.4.
9. Restart the connection you selected in step 3.
10. Test that your setup is working correctly; see Testing your new settings below.
11. Repeat the procedure for additional network connections you want to change.
Testing your new settings
To test that the Google DNS settings are working:
1. From your browser, type in a web address (such as http://www.google.com). If the website loads, the new DNS settings are working correctly. If not, go to step 2.
2. Undertake the actions described in the Basic test for internet connectivity section above. Note: If you wish to restore the original DNS settings provided to you by your internet service provider (ISP) rather than Google’s DNS settings, please contact your ISP to obtain these.
Checking your router
Routers allow your network of computers and devices to connect to the internet through your ISP’s network. You may have purchased and installed a router yourself, or one may have been provided by your ISP.
If your router is still using the default username and password provided by the manufacturer or supplier you should check its DNS settings, as DNSChanger may have changed these settings [2]. The instructions for locating and changing the DNS settings of your router will vary by manufacturer, so you should read the instructions for your particular router.
You should compare your router's DNS settings to the 'rogue' DNS server settings provided below. If your router is using one or more of these settings, a computer on your network may be infected with DNSChanger.
'Rogue' DNS server settings — settings installed by DNSChanger malware

Between         And
85.255.112.0    85.255.127.255
67.210.0.0      67.210.15.255
93.188.160.0    93.188.167.255
77.67.83.0      77.67.83.255
213.109.64.0    213.109.79.255
64.28.176.0     64.28.191.255
[2] Using the default password provided by the router manufacturer is considered very poor security practice. Irrespective of whether you are affected by DNSChanger, you should change the password to a secure password. Further information on this issue is provided at http://www.staysmartonline.gov.au, in Factsheet 16 – Securely configuring your broadband modem/router.
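The router check above, and the earlier manual check for a device whose DNS traffic is being rerouted, can both be scripted. The following Python script is an added example, not part of the ACMA/CERT Australia advice or of the dns-ok.gov.au tools: it reads pasted resolver configuration in any of three formats (the output of `ipconfig /all` on Windows, the contents of /etc/resolv.conf on macOS and Linux, or DNS addresses copied from a router's settings page), extracts the configured IPv4 DNS servers, and compares each against the six 'rogue' ranges in the table above. A server inside a private LAN range (typically the router itself) is reported separately, because the computer is then only forwarding to the router and it is the router's own DNS settings that must be inspected. The sample inputs embedded in the script are constructed for illustration, not real captures.

```python
"""Compare configured DNS servers against the DNSChanger 'rogue' ranges.

Added example, not part of the ACMA/CERT Australia advice. Runs offline on
text pasted in from `ipconfig /all`, /etc/resolv.conf, or a router's DNS page.
"""
import ipaddress
import re

# The six rogue ranges from the removal advice, as (first, last) address pairs.
ROGUE_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]

# Collapse each first/last pair into CIDR blocks once, for cheap membership tests.
ROGUE_NETWORKS = [
    net
    for first, last in ROGUE_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
]

# An `ipconfig /all` field line looks like 'Label . . . . : value'; the value of
# 'DNS Servers' may continue on following lines that hold only an address.
_FIELD = re.compile(r"^\s*([A-Za-z][^:]*?) :\s*(.*)$")
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _valid_ipv4(token):
    try:
        return isinstance(ipaddress.ip_address(token), ipaddress.IPv4Address)
    except ValueError:
        return False


def extract_dns_servers(text):
    """Return the IPv4 DNS server addresses found in pasted resolver configuration.

    Understands `ipconfig /all` output, resolv.conf 'nameserver' lines, and
    free-form router-page lines that mention DNS or consist of a bare address.
    """
    servers = []
    in_dns_block = False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            in_dns_block = False
            continue
        lower = stripped.lower()
        field = _FIELD.match(line)
        if field:
            label, value = field.group(1).strip().lower(), field.group(2)
            in_dns_block = label.startswith("dns servers")
            if in_dns_block:
                servers += _IPV4.findall(value)
        elif (in_dns_block or lower.startswith("nameserver")
              or "dns" in lower or _IPV4.fullmatch(stripped)):
            servers += _IPV4.findall(stripped)
    # de-duplicate, keep order, drop tokens that are not real IPv4 addresses
    return [s for s in dict.fromkeys(servers) if _valid_ipv4(s)]


def classify(address):
    """('rogue', network) for a DNSChanger range, ('private', None) for a LAN
    address such as the router, otherwise ('other', None)."""
    ip = ipaddress.ip_address(address)
    for net in ROGUE_NETWORKS:
        if ip in net:
            return "rogue", net
    if ip.is_private or ip.is_loopback:
        return "private", None
    return "other", None


def check(text):
    """Return (verdict, findings) for pasted resolver configuration."""
    findings = [(s,) + classify(s) for s in extract_dns_servers(text)]
    kinds = {kind for _, kind, _ in findings}
    if "rogue" in kinds:
        verdict = "affected"
    elif "private" in kinds:
        verdict = "check router"  # computer forwards to the router; inspect its DNS settings
    elif findings:
        verdict = "not affected"
    else:
        verdict = "no DNS servers found"
    return verdict, findings


# Constructed sample inputs (not real captures).
IPCONFIG_SAMPLE = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home
   IPv4 Address. . . . . . . . . . . : 192.168.1.5
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.36
                                       85.255.112.41
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
RESOLV_CONF_SAMPLE = "# Generated by NetworkManager\nsearch home\nnameserver 8.8.8.8\nnameserver 8.8.4.4\n"
ROUTER_SAMPLE = "Primary DNS: 192.168.1.1\nSecondary DNS: 213.109.70.2\n"

if __name__ == "__main__":
    for name, sample in [("ipconfig", IPCONFIG_SAMPLE), ("resolv.conf", RESOLV_CONF_SAMPLE),
                         ("router", ROUTER_SAMPLE)]:
        verdict, findings = check(sample)
        print(f"{name}: {verdict}")
        for server, kind, net in findings:
            print(f"  {server:16} {kind}" + (f" (in {net})" if net else ""))
```

Run it as-is to see the three verdicts for the samples, or replace a sample with your own pasted text. A 'check router' verdict means the computer only forwards queries to the router, so the check must be repeated with the DNS addresses taken from the router's administration page.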

-----
Source : http://www.dns-ok.gov.au/DNSChanger_removal_advice.pdf
