How to get DNSChanger out of your router


Today the FBI pulled the plug on malicious servers handling traffic for computers and systems infected with the DNSChanger malware — and, despite months of warnings, plenty of people using infected systems have been knocked off the Internet by the shutdown. (Some of the impacted systems are a little embarrassing: the New Jersey transit system was apparently impacted by the shutdown this morning.)

However, even if your Windows PCs are free of the DNSChanger malware (you’ve checked, right?) you may still have lost connectivity thanks to the shutdown. Why? Because the malware, once warmly ensconced on an unsuspecting PC, also included code to detect and attempt to break into any routers it found on the local network. If DNSChanger managed to get into a router, the malware would alter the DNS settings. So, even if DNSChanger gets removed from the original infected computer, the altered DNS settings on a router could mean anything on the local network — including PCs, Macs, smartphones, tablets, game consoles, and smart TVs — could be affected by the DNSChanger shutdown.

How DNSChanger works

DNSChanger was the work of the Estonian firm Rove Digital; it first appeared on the Internet way back in 2007, but was still spreading as recently as a few months ago. Instead of acting like spyware or scanning users’ computers for sensitive information, DNSChanger changed DNS server entries in infected computers (and, sometimes, detected nearby routers) to point to rogue name servers under the control of the malware authors, rather than the DNS servers provided by an ISP or organization. The result is that whenever a user of an infected system looked up a site on the Internet (say, or the request was moderated by Rove Digital’s servers — and that let them inject their own advertising into pages retrieved by infected users. That, in turn, generated income for Rove Digital — at its peak, DNSChanger was estimated to have infected more than 4 million computers around the world, and may have generated as much as $15 million in bogus advertising revenue for Rove Digital.

The FBI shutdown means those rogue name servers are now offline. However, any computers or routers that have been impacted by DNSChanger will still try to send lookup requests to them. As of today, they won’t get any answer at all, which means when those computers try to look up, they won’t get an answer — and they won’t be able to connect to the site.

First, check for infection

Before looking at your router, first be sure all PCs on your network are free of the DNSChanger malware. The malware is not new, so if you’ve been keeping your virus definitions up to date you should be safe. However, be sure to check all the PCs you use on your local network — even that ancient Windows XP notebook in a closet that you never turn on anymore.

The DNSChanger Working Group had set up detection Web sites that could immediately tell users if they were on a PC (or a network) impacted by DNSChanger, but since the FBI shutdown those have been taken offline. The best way to determine if a PC is infected now is to use an up-to-date computer security package or use one of the free tools available from reputable security vendors like Symantec, Microsoft, Kaspersky, Trend Micro, McAfee, and others to remove the malware. (DNSChanger is a tricky beast: merely re-installing Windows or reverting to a backup isn’t enough to remove it.)

It’s important to be certain all PCs on your network are free of DNSChanger before trying to fix issues with your router: otherwise, an active DNSChanger infection could just mess with your router again.

DNSChanger is Windows-only malware: there’s no need to check for infection on Macs, phones, tablets, consoles, or other non-Windows devices you might have on your network.

Check your router’s DNS settings

When DNSChanger attacks routers, it doesn’t actually infect them — that is, the malware does not install itself on the router and then spread from the router to other devices. Rather, it changes the DNS settings on the routers to send lookup requests through the rogue name servers. So, you want to log in to your router, check the settings, and (if necessary) change them to working name servers.

Unfortunately, the specifics of finding DNS settings for a home router vary widely by ISP and the type of home network you’re using. Many people have very simple home networks, but others are more complicated. (For instance, my home network has four routers on it — and all have bizarre configurations, and virtually nothing on my network uses dynamic addressing.) However, the basics are all the same:

Log in to your router: Nearly all modern routers can be configured using a Web-based interface. For most D-Link and NetGear home routers, users on the local network can access the configuration page here:

Linksys routers are often configured to use:

Most other home routers use one of these two addresses by default; if neither of those addresses works, check the installation information that came with your router or from your ISP.

Find your router’s DNS settings: The Web-based interfaces offered by routers vary widely — and sometimes change significantly with updates. Once you’ve logged in to the router, you typically want to find a page or tab for “Basic Settings,” “Internet settings,” “Internet Setup,” or “WAN settings.” Within that, you want to find entries for “Domain Name Servers,” “DNS Servers,” or “DNS setup.”

Here’s an example from an older Linksys router:

[Screenshot: Linksys router DNS Servers (DNSChanger)]

Here’s an example from a recent NetGear router:

[Screenshot: Netgear router DNS Servers (DNSChanger)]

Your router may be configured to obtain DNS information automatically from your ISP — this is also called “dynamic DNS.” In that case, you don’t need to change anything. (So long as your ISP isn’t infected with DNSChanger or supplying bogus information, you’ll be fine.)

If your router uses manual DNS configuration — or “static DNS” — you should see at least two places to enter DNS servers — these will often be labeled “primary” and “secondary.” (Routers and most other devices are configured to use multiple DNS servers: in case one goes down, they’ll switch to another.) Most likely, these will be expressed in four text fields, one for each part of an IPv4 IP address.

Check the values: Compare the DNS server values in your router to this list: to to to to to to

To see if there’s a match, start from the left-most number in the IP addresses from your router and work your way through the address to the right. For instance, if one of your DNS servers were, you would see that the 64 matches the first address range listed above. Checking further, the 28 matches too! But, the 111 is not within the range from 176 to 191 for the third part of the address, so you’re safe. On the other hand, if your DNS server addresses both start with (say) 205 you don’t need to check any further: no rogue servers were in the 205 address range.

(If you have Internet access, you can also enter your router’s DNS addresses into a lookup service at the FBI’s Web site — it does the same check outlined above.)

Update your DNS servers: If the DNS servers in your router do fall into the ranges above, you need to change them to restore Internet access. Your ISP should have supplied information on how to configure your router, including their recommended DNS servers. Find that information, enter the correct server addresses (there will be at least two!) and save your changes.

If you cannot find your ISP’s DNS server information, you can use Google’s free DNS service as an alternative: enter the addresses and as your primary and secondary DNS servers. Even if you aren’t comfortable sending your DNS queries to Google, using Google’s DNS servers will at least let you get your router back online so you can log in to your ISP’s support area (or contact them directly) to get their preferred DNS servers.
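The left-to-right comparison from the "Check the values" step can also be done by treating each range as a first and last address. The script below is an added example, not part of the original article: the function names are hypothetical, the sample addresses are constructed, and the only range it lists is the one the walkthrough describes (64, 28, third part 176 to 191), with the last part assumed to span 0 to 255.

```python
import ipaddress

# Only the range the article's walkthrough describes (64, 28, third part
# 176 to 191) is listed. The last part spanning 0-255 is an assumption, and
# the remaining ranges must be added from the published DNSChanger list.
ROGUE_RANGES = [("64.28.176.0", "64.28.191.255")]


def parse_router_fields(fields):
    """Build an address from the four text boxes of a router's DNS entry."""
    if len(fields) != 4:
        raise ValueError("expected four fields, one per part of the address")
    octets = [int(f.strip()) for f in fields]  # int() also accepts "064"
    if any(o < 0 or o > 255 for o in octets):
        raise ValueError("each part must be between 0 and 255")
    return ipaddress.IPv4Address(".".join(str(o) for o in octets))


def match_range(addr, ranges=ROGUE_RANGES):
    """Return the (first, last) range that contains addr, or None."""
    for first, last in ranges:
        lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        if lo <= addr <= hi:
            return (first, last)
    return None


def range_as_cidrs(first, last):
    """Express a first-last range as CIDR blocks, for firewall or log filters."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [str(n) for n in nets]


def check_router(primary, secondary):
    """Check both DNS entries; returns {label: (address, matched range)}."""
    report = {}
    for label, fields in (("primary", primary), ("secondary", secondary)):
        addr = parse_router_fields(fields)
        report[label] = (str(addr), match_range(addr))
    return report


if __name__ == "__main__":
    # Constructed sample values, not taken from a real router.
    print(check_router(["64", "28", "111", "5"], ["205", "1", "2", "3"]))
    print(check_router(["064", "028", "180", "001"], ["64", "28", "192", "0"]))
    print(range_as_cidrs(*ROGUE_RANGES[0]))
```

A result of None for both entries means neither address falls in a listed range; any other result names the range that matched.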

Change your router password

How did DNSChanger alter home routers in the first place? Most routers ship with a default username and password so new users can log into them and set them up when they take them out of the box. Although newer routers have more sophisticated approaches, back when DNSChanger first appeared literally millions of routers were being sent out of factories using only a handful of usernames and passwords. Most home users never changed these credentials — so when the DNSChanger malware found a home router, it would essentially try the default username and password combinations and hope it got lucky.

If your router’s DNS servers were modified by DNSChanger, it probably got in using one of those default passwords. While you’re in the router configuration, change the password and (where possible) username on the router to something more secure. Follow the same rules you would use for any other password: don’t use everyday words, don’t use easily-guessable things like birthdays or the names of relatives or pets, and do use long passwords rather than short ones.

