How to get DNSChanger out of your router


Today the FBI pulled the plug on malicious servers handling traffic for computers and systems infected with the DNSChanger malware — and, despite months of warnings plenty of people using infected systems have been knocked off the Internet by the shutdown. (Some of the impacted systems are a little embarrassing: the New Jersey transit system was apparently impacted by the shutdown this morning.)

However, even if your Windows PCs are free of the DNSChanger malware (you’ve checked, right?) you may still have lost connectivity thanks to the shutdown. Why? Because the malware, once warmly ensconced on an unsuspecting PC, also included code to detect and attempt to break into any routers it found on the local network. If DNSChanger managed to get into a router, the malware would alter the DNS settings. So, even if DNSChanger gets removed from the original infected computer, the altered DNS settings on a router could mean anything on the local network — including PCs, Macs, smartphones, tablets, game consoles, and smart TVs — could be affected by the DNSChanger shutdown.

How DNSChanger works

ghost click

DNSChanger was the work of the Estonian firm Rove Digital; it first appeared on the Internet way back in 2007, but was still spreading as recently as a few months ago. Instead of acting like spyware or scanning users’ computers for sensitive information, DNSChanger changed DNS server entries in infected computers (and, sometimes, detected nearby routers) to point to rogue name servers under the control of the malware authors, rather than the DNS servers provided by an ISP or organization. The result is that whenever a users of an infected system looked up a site on the Internet (say, or the request was moderated by Rove Digital’s servers — and that let them inject their own advertising into pages retrieved by infected users. That, in turn, generated income for Rove Digital — at its peak, DNSChanger was estimated to have infected move than 4 million computers around the world, and may have generated as much as $15 million in bogus advertising revenue for Rove Digital.

The FBI shutdown means those rogue name servers are now offline. However, any computers or routers that have been impacted by DNSChanger will still try to send lookup requests to them. As of today, they won’t get any answer at all, which means when those computers try to look up, they won’t get an answer — and they won’t be able to connect to the site.

First, check for infection

DNS Changer Check Red

Before looking at your router, first be sure all PCs on your network are free of the DNSChanger malware. The malware is not new, so if you’ve been keeping your virus definitions up to date you should be safe. However, be sure to check all the PCs you use on your local network — even that ancient Windows XP notebook in a closet that you never turn on anymore.

The DNSChanger Working Group had set up detection Web sites that could immediately tell users if they were on a PC (or a network) impacted by DNSChanger, but since the FBI shutdown those have been taken offline. The best way to determine if a PC is infected now is to use an up-to-date computer security package or use one of the free tools available from reputable security vendors like Symantec, Microsoft, Kaspersky, Trend Micro, McAfee, and others to remove the malware. (DNSChanger is a tricky beast: merely re-installing Windows or reverting to a backup isn’t enough to remove it.)

It’s important to be certain all PCs on your network are free of DNSChanger before trying to fix issues with your router: otherwise, an active DNSChanger infection could just mess with your router again.

DNSChanger is Windows-only malware: there’s no need to check for infection on Macs, phones, tablets, consoles, or other non-Windows devices you might have on your network.

Check your router’s DNS settings

When DNSChanger attacks routers, it doesn’t actually infect them — that is, the malware does not install itself on the router and then spread from the router to other devices. Rather, it changes the DNS settings on the routers to send lookup requests through the rogue name servers. So, you want to log in to your router, check the settings, and (if necessary) change them to working name servers;

Unfortunately, the specifics of finding DNS settings for a home router vary widely by ISP and the type of home network you’re using. Many people have very simple home networks, but others are more complicated. (For instance, my home network has four routers on it — and all have bizarre configurations, and virtually nothing on my network uses dynamic addressing.) However, the basics are all the same:

Log in to your router: Nearly all modern routers can be configured using a Web-based interface. For most D-Link and NetGear home routers, users on the local network can access the configuration page here:

Linksys routers are often configured to use:

Most other home routers use one of these two addresses by default; if neither of those addresses work, check the installation information that came with your router or from your ISP.

Find your router’s DNS settings: The Web-based interfaces offered by routers vary widely — and sometimes change significantly with updates. Once you’ve logged in to the router, you typically want to find a page or tab for “Basic Settings,” “Internet settings,” “Internet Setup,” or “WAN settings.” Within that, you want to find entries for “Domain Name Servers,” “DNS Servers,” or “DNS setup.”

Here’s an example from an older LinkSys router:

Linksys router DNS Servers (DNSChanger)

Here’s an example from a recent NetGear router:

Netgear router DNS Servers (DNSChanger)

Your router may be configured to obtain DNS information automatically from your ISP — this is also called “dynamic DNS.” In that case, you don’t need to change anything. (So long as your ISP isn’t infected with DNSChanger or supplying bogus information, you’ll be fine.)

If your router uses manual DNS configuration — or “static DNS” — you should see at least two places to enter DNS servers — these will often be labeled “primary” and “secondary.” (Routers and most other devices are configured to use multiple DNS servers: in case one goes down, they’ll switch to another.) Most likely, these will be expressed in four text fields, one for each part of an IPv4 IP address.

Check the values: Compare the DNS server values in your router to this list: to to to to to to

To see if there’s a match, start from the left-most number in the IP addresses from your router and work your way through the address to the right. For instance, if one of your DNS servers were, you would see that the 64 matches the first address range listed above. Checking further, the 28 matches too! But, the 111 is not within the range from 176 to 191 for the third part of the address, so you’re safe. On the other hand, if your DNS server addresses both start with (say) 205 you don’t need to check any further: no rogue servers were in the 205 address range.

(If you have Internet access, you can also enter your router’s DNS addresses into a lookup service at the FBI’s Web site — it does the same check outlined above.)

Update your DNS servers: If the DNS servers in your router do fall into the ranges above, you need to change them to restore Internet access. Your ISP should have supplied information on how to configure your router, including their recommended DNS servers. Find that information, enter the correct server addresses (there will be at least two!) and save your changes.

If you cannot find your ISP’s DNS server information, you can use Google’s free DNS service as an alternative: enter the addresses and as your primary and secondary DNS servers. Even if you aren’t comfortable sending your DNS queries to Google, using Google’s DNS servers will at least let you get your router back online so you can log in to your ISP’s support area (or contact them directly) to get their preferred DNS servers.

Change your router password

How did DNSChanger alter home routers in the first place? Most routers ship with a default username and password so new users can log into them and set them up when they take them out of the box. Although newer routers have more sophisticated approaches, back when DNSChanger first appeared literally millions of routers were being sent out of factories using only a handful of usernames and passwords. Most home users never changed these credentials — so when the DNSChanger malware found a home router, it would essentially try the default username and password combinations and hope it got lucky.

If your router’s DNS servers were modified by DNSChanger, it probably got in using one of those default passwords. While you’re in the router configuration, change the password and (where possible) username on the router to something more secure. Follow the same rules you would use for any other password: don’t use everyday words, don’t use easily-guessable things like birthdays or the names of relatives or pets, and do use long passwords rather than short ones.


Hacker infects 100K routers in latest botnet attack aimed at sending email spam

An attacker is trying to infect your router with malware in order to send spam emails. If your router uses a Broadcom UPnP SDK, it could become vulnerable to this attack. So far, 100,000 routers worldwide have been infected.

How to change your Gmail password in just a few quick steps

Regularly updating your passwords is a good way to stay secure online, but each site and service has their own way of doing it. Here's a quick guide on how to change your Gmail password in a few short steps.

Want to set up your own virtual private network? Here's how

Take a look at our walkthrough for creating a virtual private network and why it is beneficial for more than just increased privacy and security. We go step by step, detailing how to set up a VPN in both MacOS and in Windows 10.

Common Chrome OS problems, and how to fix them

Is something irking you about Chrome OS? Find your problem on our list of bugs, issues, and general complaints about the OS, along with easy solutions to any issues that might arise.

These Windows 10 keyboard shortcuts will update your OG Windows skills

Windows 10 has many new features, and they come flanked with useful new keyboard shortcuts. Check out some of the new Windows 10 keyboard shortcuts to improve your user experience.

Protecting your PDF with a password isn't difficult. Just follow these steps

If you need to learn how to password protect a PDF, you have come to the right place. This guide will walk you through the process of protecting your documents step-by-step, whether you're running a MacOS or Windows machine.

iPhone users are finding themselves randomly locked out of their Apple ID

According to posts on Reddit and Twitter, it looks like users on Reddit and Twitter having some issues with their Apple accounts. Specifically, it seems as though users are getting randomly locked out of their Apple IDs.

Don't know what to do with all your old DVDs? Here's how to convert them to MP4

Given today's rapid technological advancements, physical discs are quickly becoming a thing of the past. Check out our guide on how to convert a DVD to MP4, so you can ditch discs for digital files.

Here’s how to install Windows on a Chromebook

If you want to push the functionality of your new Chromebook to another level, and Linux isn't really your deal, you can try installing Windows on a Chromebook. Here's how to do so, just in case you're looking to nab some Windows-only…

Edit portraits with A.I. and adjust focus in the new ON1 Photo RAW 2019 editor

ON1 Photo RAW 2019 now has a dedicated tab for portraits that automatically recognizes faces to help with retouching. The update also brings a new focus stacking tool, enhancements to layers, and improvements to local adjustments.

Your MacBook can live in the lap of luxury with this leather case

Though there are several cases which we think are best for covering up MacBooks, Twelve South's Journal case is one of the newest available, providing luxurious leather coverage for your Apple laptop.

Here's our head-to-head comparison of Pandora and Spotify

Which music streaming platform is best for you? We pit Spotify versus Pandora, two mighty streaming services with on-demand music and massive catalogs, comparing every facet of the two services to help you decide which is best.

15-inch MacBook Pro gets more powerful with new AMD Vega GPUs

Confirming Apple's quiet October announcement, new configurations for the top-range 15-inch Apple MacBook laptop are now available, coming complete with AMD Pro Vega 16 or Pro Vega 20 graphics cards on board.
Emerging Tech

Intel’s new ‘neural network on a stick’ aims to unchain A.I. from the internet

To kick off its first developer conference in Beijing, Intel unveiled the second generation of its Neural Compute Stick -- a device that promises to democratize the development of computer vision A.I. applications.