Our Support department has noticed a significant increase in the number of people that have had their DNS settings hijacked. Not only on their computers, but on their routers as well. For some background information on DNS hijacks, please read “DNS Hijacks: What to Look For”.
How does it work?
In a typical home setup, we have:
- A modem provided by your Internet Service Provider (ISP) which is your connection to the outside world.
- A router that distributes the internet connection across all the devices (often wireless).
- The devices like your laptop, phones, tablets and IoT (internet of Things) devices such as TV’s, temperature sensors and security cameras.
Note 1: Sometimes the modem provided by your ISP also functions as a router.
When one of the devices (in this case, a Windows machine like a laptop) gets infected, the malware connects to the router and tries a few default login credentials to log in on the router. If it succeeds, it then tries to change the settings for the DNS servers on the router. At this moment, this particular hijacker attempts to change them to the IP address of their own server.
How can I prevent it?
To prevent the malware from logging in on your router you should at least alter its default password. Here you can find a list that was compiled with the default credentials for most routers. One word of warning: make sure you are changing the login password of the router and not the wireless network name (SSID) or you will have to re-connect all your devices to the newly named connection. Changing the password does not affect any of the other devices. You only need it when you want to make changes to your router’s settings.
The first step is to find out how to log in to your router. The method outlined here should work in most cases. If it does not, you may want to have a look at the Help/Support pages of your router manufacturer or your ISP, if they have provided the router.
Use the (Windows key + R ) key combination to open the “Run” dialog and type cmd in the “Run” box and click “OK”. If necessary click on cmd(.exe) in the resulting list. This will open the Command Prompt. In the Command prompt type ipconfig and use the “Enter” key to execute the command.
In the results, find the IP address listed behind “Default Gateway” for the connection you’re interested in.
In this example the IP you are looking for is 192.168.0.1
Next, type the IP in your browser address bar, if necessary preceded by http://
Following our example, surf to http://192.168.0.1
As a result you should be presented with a login screen. If the default login is not shown there and you don’t know it, use this list to find yours. Or if that doesn’t work, and your router is provided by your ISP, contact them instead. Sometimes they ship the routers with predefined settings. If so, they usually have some information about those settings on their Support/Help pages.
Note 2: Most routers have a web browser-accessible administrator page that you can log in to in order to access the router’s configuration settings, but sometimes this can’t be done wireless, in which case you will need to make a cabled connection.
How do I clear this mess?
If you are confronted with this problem, you have probably been looking forward to this part. But to access your routers’ settings menu you will have to be able to log in, so that part is relevant even if you don’t want to change your password.
Once you are logged in look for the DNS settings or look at the appropriate guide for your router using one of the links posted in the section below. If you can’t find or don’t like the DNS servers provided by your ISP, you can find alternatives here.
One of the options listed there is OpenDNS, who happen to offer instructions for many routers. Again, if your router is not listed there or in the list below, setuprouter.com is a good source of information. If you can’t figure out how to change the DNS settings on your router or you need internet access during the change, it is good to know that the DNS settings of the end devices overrule the settings in the router. You can find excellent instructions on how to do that for many devices on How-To Geek.
And then there is the cache. If all your troubles so far seem to turn out unrewarded, don’t give up yet. You will probably have to clear your cache(s). First and always necessary to clear is the Windows/IE cache.
To accomplish this, use the combination of (Windows key + R) > type cmd in the Run box > right-click on cmd.exe and choose “Run as Administrator”. In the resulting command prompt, type ipconfig /flushdns and press Enter. Note the space between ipconfig and /flushdns.
Other browsers usually only use a very short-term cache, but I have listed some options to use in cases a simple close and re-start of the browser is not enough.
- Chrome: open a tab and put chrome://net-internals/#dns in the address bar. Then click the “Clear host cache” button that you see there.
- Opera: open a tab and put browser://net-internals/#dns in the address bar. Then click the “Clear host cache” button that you see there.
- Firefox: has no built in method as far as I know, but there is an add-on called DNS-Flusher that supposedly does the trick.
Also, some routers (NetGear and D-Link models among others) have the option to cache DNS themselves. I have been unable to find one where resetting the router and leaving it off for at least 30 seconds did not clear the cache, but feel free to correct me.
And if all else fails, you can always try the full power cycle:
- Turn off your computer.
- Turn off your modem and router (if you have one), then wait for about 15 seconds.
- Plug in your modem, then wait for 1-2 minutes.
- Plug in your router (if you have one), then wait for 1-2 minutes.
- Turn on your computer.
List of links with user-guides for the most popular routers:
- Linksys: http://pcsupport.abo…lt-password.htm
- TP-Link: http://www.tp-link.com/en/faq-191.html
- Asus: http://portforward.c…ssword/Asus.htm
- Netgear Nighthawk: http://kb.netgear.com/…-nighthawk-router
- Linksys: http://www.linksys.c…ticleNum=139791
- D-Link: http://www.dlink.com…my-access-point
- Siemens: http://setuprouter.com/router/siemens
More can be found here: http://setuprouter.com
Note 3: Despite the text written on the site above the list saying it’s about routers, you will find many ISP’s listed there as well.
Recommendations
After you have altered your password and your DNS servers, there are some more security measures you should check if you have them in place:
- Wireless security. Don’t let anyone access your network. WPA2 is recommended, but anything is better than nothing, even WEP.
- Disable WPS. If you ever need it only use it to connect the device at that time and then disable it again.
- Keep the firmware of your router updated. Most routers have a setting to update automatically.
Resources:
- http://portforward.com/
- http://setuprouter.com/
- https://support.opendns.com/forums/21618374-Router-Configuration-best-for-home-use
- http://www.howtogeek.com/167533/the-ultimate-guide-to-changing-your-dns-server/
- http://pcsupport.about.com/od/tipstricks/a/free-public-dns-servers.htm
Pieter Arntz