How to get DNSChanger out of your router


Today the FBI pulled the plug on malicious servers handling traffic for computers and systems infected with the DNSChanger malware — and, despite months of warnings plenty of people using infected systems have been knocked off the Internet by the shutdown. (Some of the impacted systems are a little embarrassing: the New Jersey transit system was apparently impacted by the shutdown this morning.)

However, even if your Windows PCs are free of the DNSChanger malware (you’ve checked, right?) you may still have lost connectivity thanks to the shutdown. Why? Because the malware, once warmly ensconced on an unsuspecting PC, also included code to detect and attempt to break into any routers it found on the local network. If DNSChanger managed to get into a router, the malware would alter the DNS settings. So, even if DNSChanger gets removed from the original infected computer, the altered DNS settings on a router could mean anything on the local network — including PCs, Macs, smartphones, tablets, game consoles, and smart TVs — could be affected by the DNSChanger shutdown.

How DNSChanger works

ghost click

DNSChanger was the work of the Estonian firm Rove Digital; it first appeared on the Internet way back in 2007, but was still spreading as recently as a few months ago. Instead of acting like spyware or scanning users’ computers for sensitive information, DNSChanger changed DNS server entries in infected computers (and, sometimes, detected nearby routers) to point to rogue name servers under the control of the malware authors, rather than the DNS servers provided by an ISP or organization. The result is that whenever a users of an infected system looked up a site on the Internet (say, or the request was moderated by Rove Digital’s servers — and that let them inject their own advertising into pages retrieved by infected users. That, in turn, generated income for Rove Digital — at its peak, DNSChanger was estimated to have infected move than 4 million computers around the world, and may have generated as much as $15 million in bogus advertising revenue for Rove Digital.

The FBI shutdown means those rogue name servers are now offline. However, any computers or routers that have been impacted by DNSChanger will still try to send lookup requests to them. As of today, they won’t get any answer at all, which means when those computers try to look up, they won’t get an answer — and they won’t be able to connect to the site.

First, check for infection

DNS Changer Check Red

Before looking at your router, first be sure all PCs on your network are free of the DNSChanger malware. The malware is not new, so if you’ve been keeping your virus definitions up to date you should be safe. However, be sure to check all the PCs you use on your local network — even that ancient Windows XP notebook in a closet that you never turn on anymore.

The DNSChanger Working Group had set up detection Web sites that could immediately tell users if they were on a PC (or a network) impacted by DNSChanger, but since the FBI shutdown those have been taken offline. The best way to determine if a PC is infected now is to use an up-to-date computer security package or use one of the free tools available from reputable security vendors like Symantec, Microsoft, Kaspersky, Trend Micro, McAfee, and others to remove the malware. (DNSChanger is a tricky beast: merely re-installing Windows or reverting to a backup isn’t enough to remove it.)

It’s important to be certain all PCs on your network are free of DNSChanger before trying to fix issues with your router: otherwise, an active DNSChanger infection could just mess with your router again.

DNSChanger is Windows-only malware: there’s no need to check for infection on Macs, phones, tablets, consoles, or other non-Windows devices you might have on your network.

Check your router’s DNS settings

When DNSChanger attacks routers, it doesn’t actually infect them — that is, the malware does not install itself on the router and then spread from the router to other devices. Rather, it changes the DNS settings on the routers to send lookup requests through the rogue name servers. So, you want to log in to your router, check the settings, and (if necessary) change them to working name servers;

Unfortunately, the specifics of finding DNS settings for a home router vary widely by ISP and the type of home network you’re using. Many people have very simple home networks, but others are more complicated. (For instance, my home network has four routers on it — and all have bizarre configurations, and virtually nothing on my network uses dynamic addressing.) However, the basics are all the same:

Log in to your router: Nearly all modern routers can be configured using a Web-based interface. For most D-Link and NetGear home routers, users on the local network can access the configuration page here:

Linksys routers are often configured to use:

Most other home routers use one of these two addresses by default; if neither of those addresses work, check the installation information that came with your router or from your ISP.

Find your router’s DNS settings: The Web-based interfaces offered by routers vary widely — and sometimes change significantly with updates. Once you’ve logged in to the router, you typically want to find a page or tab for “Basic Settings,” “Internet settings,” “Internet Setup,” or “WAN settings.” Within that, you want to find entries for “Domain Name Servers,” “DNS Servers,” or “DNS setup.”

Here’s an example from an older LinkSys router:

Linksys router DNS Servers (DNSChanger)

Here’s an example from a recent NetGear router:

Netgear router DNS Servers (DNSChanger)

Your router may be configured to obtain DNS information automatically from your ISP — this is also called “dynamic DNS.” In that case, you don’t need to change anything. (So long as your ISP isn’t infected with DNSChanger or supplying bogus information, you’ll be fine.)

If your router uses manual DNS configuration — or “static DNS” — you should see at least two places to enter DNS servers — these will often be labeled “primary” and “secondary.” (Routers and most other devices are configured to use multiple DNS servers: in case one goes down, they’ll switch to another.) Most likely, these will be expressed in four text fields, one for each part of an IPv4 IP address.

Check the values: Compare the DNS server values in your router to this list: to to to to to to

To see if there’s a match, start from the left-most number in the IP addresses from your router and work your way through the address to the right. For instance, if one of your DNS servers were, you would see that the 64 matches the first address range listed above. Checking further, the 28 matches too! But, the 111 is not within the range from 176 to 191 for the third part of the address, so you’re safe. On the other hand, if your DNS server addresses both start with (say) 205 you don’t need to check any further: no rogue servers were in the 205 address range.

(If you have Internet access, you can also enter your router’s DNS addresses into a lookup service at the FBI’s Web site — it does the same check outlined above.)

Update your DNS servers: If the DNS servers in your router do fall into the ranges above, you need to change them to restore Internet access. Your ISP should have supplied information on how to configure your router, including their recommended DNS servers. Find that information, enter the correct server addresses (there will be at least two!) and save your changes.

If you cannot find your ISP’s DNS server information, you can use Google’s free DNS service as an alternative: enter the addresses and as your primary and secondary DNS servers. Even if you aren’t comfortable sending your DNS queries to Google, using Google’s DNS servers will at least let you get your router back online so you can log in to your ISP’s support area (or contact them directly) to get their preferred DNS servers.

Change your router password

How did DNSChanger alter home routers in the first place? Most routers ship with a default username and password so new users can log into them and set them up when they take them out of the box. Although newer routers have more sophisticated approaches, back when DNSChanger first appeared literally millions of routers were being sent out of factories using only a handful of usernames and passwords. Most home users never changed these credentials — so when the DNSChanger malware found a home router, it would essentially try the default username and password combinations and hope it got lucky.

If your router’s DNS servers were modified by DNSChanger, it probably got in using one of those default passwords. While you’re in the router configuration, change the password and (where possible) username on the router to something more secure. Follow the same rules you would use for any other password: don’t use everyday words, don’t use easily-guessable things like birthdays or the names of relatives or pets, and do use long passwords rather than short ones.

Editors' Recommendations