07-06-2012 10:39 AM - edited 07-09-2012 05:34 PM
DNSChanger is a type of malware that modifies the DNS (Domain Name System) server settings on the infected computer and redirects the browser to potentially malicious Web sites.
DNS is an Internet service that converts a domain name, or a Web site name that you type in your browser, to the IP address associated with that domain name. When you enter a domain name or a Web site name in your Web browser, your computer contacts a DNS server to determine the IP address for the Web site. Your computer then uses this IP address to locate and connect to the Web site.
Usually your ISP provides these DNS server settings for you. However, you can change the settings on your computer or your router to select a DNS server of your choice.
DNSChanger malware changes the DNS server settings on your computer to use a rogue DNS server. From then on, when you type in a Web site name, your computer contacts this rogue DNS server to find the IP address. The rogue DNS server returns an IP address for a fraudulent Web site, and your computer connects to that fraudulent Web site.
For more information about this malware, read the blog from Symantec Security Response.
The FBI has uncovered a network of rogue DNS servers and has taken steps to disable it. If the rogue DNS servers are disabled, victims whose DNS settings point to these rogue DNS networks could lose access to DNS services and be unable to access any Web sites.
To address this, the FBI has temporarily replaced these rogue DNS servers with clean DNS servers so that the victims get time to restore the DNS settings on their computers. These clean replacement DNS servers will be taken down on July 9, 2012.
If your computer has been infected by DNSChanger malware and is connecting to these DNS servers controlled by the FBI, you may lose Internet access after July 9, 2012.
Your Norton product detects the threat as SecurityRisk.FlushDNS.
To check if your computer is infected by DNSChanger malware, run a full system scan with your Norton product. For more information, read Running a virus scan.
Even after you remove the threat from your computer, you need to manually restore the DNS settings on all compromised computers. Your Norton product cannot restore the DNS settings on a compromised computer because there is no way to know what the original DNS settings were.
To check if your computer is using the correct DNS servers, go to the DCWG's Detect page at http://www.dns-ok.us. If the DNS settings are incorrect, you need to check and update them manually on your computers.
DNSChanger has been known to also modify the settings on home routers that maintain the default password configuration. If you're concerned that your router may have been impacted by DNSChanger, first make sure you've resolved your DNS settings on your local machine. If your local machine is not pointing to the DNSChanger IPs, visit the DCWG's Detect page again. If the site still indicates that you are infected, you need to update the DNS settings on your router as well.
You can also use Norton ConnectSafe to reconfigure your DNS. Norton ConnectSafe provides DNS servers that are configured to block unsafe Web sites.
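The manual DNS settings check described above can be scripted across several machines. The following is an added example, not part of the original article or any Norton tool: it extracts the configured resolvers from `/etc/resolv.conf` content or Windows `ipconfig /all` output and labels each one. The rogue range and expected resolver are constructed placeholders from documentation address space, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed placeholders from RFC 5737 documentation space, NOT real
# DNSChanger indicators: replace with the published DNSChanger ranges.
ROGUE_NETS = [ipaddress.ip_network("198.51.100.0/24")]
# Assumption: the resolvers your ISP or administrator actually assigned.
EXPECTED = {ipaddress.ip_address("192.0.2.53")}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def resolvers_from_resolv_conf(text):
    """Nameserver addresses from /etc/resolv.conf content (comments ignored)."""
    rows = (line.split("#", 1)[0].split() for line in text.splitlines())
    return [r[1] for r in rows if len(r) >= 2 and r[0] == "nameserver"]

def resolvers_from_ipconfig(text):
    """IPv4 DNS servers from Windows `ipconfig /all` output."""
    found, in_dns = [], False
    for line in text.splitlines():
        if "DNS Servers" in line:
            in_dns, line = True, line.partition(":")[2]
        elif ". :" in line or not line.strip():
            in_dns = False  # next labelled field or blank line ends the list
        if in_dns:
            found.extend(IPV4.findall(line))
    return found

def classify(addr):
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in ROGUE_NETS):
        return "rogue"      # restore the DNS settings on this device
    if ip in EXPECTED:
        return "expected"
    if ip.is_private:
        return "local"      # router or local stub: inspect its DNS settings too
    return "unknown"        # on neither list: verify with your ISP

# Constructed sample inputs, not captured from a real machine.
SAMPLE_RESOLV = "nameserver 192.168.1.1  # home router\nnameserver 198.51.100.7\n"
SAMPLE_IPCONFIG = (
    "   DHCP Enabled. . . . . . . . . . . : Yes\n"
    "   DNS Servers . . . . . . . . . . . : 198.51.100.7\n"
    "                                       192.0.2.53\n"
    "   NetBIOS over Tcpip. . . . . . . . : Enabled\n"
)

def audit(addresses):
    """Map each resolver address to its label."""
    return {a: classify(a) for a in addresses}
```

A "local" result means the computer hands DNS to the router, so the router's own DNS settings still have to be checked, as the article notes for routers left on the default password.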