DNS Changer Infrastructure and TDSS/Alureon/TidServ/TDL4 Malware (Update)
Date: 9 Nov 2011
A court order to extend the deadline has been approved. The Internet Systems Consortium will continue operating the replacement DNS until 9 July 2012.
For more information, please visit the following: http://www.dcwg.org/
This product provides information and mitigation advice to IT Security Specialists and potential victims of DNSChanger malware. Its goal is to assist with the detection and mitigation of the risks of such malware.
Recently, the FBI uncovered a network of Domain Name System (DNS) servers controlled by cyber criminals. The FBI worked in collaboration with international law enforcement agencies and the cyber security community to disable these malicious DNS servers. Unfortunately, this malicious infrastructure had been used for over 3 years to steal personal information from millions of people around the world. Cyber criminals infected these users' computers with malicious code that changes the computer's DNS configuration so that its name lookups, and therefore its web requests, are resolved by a rogue DNS server rather than a legitimate one. As DNS is necessary for most Internet activities, the FBI implemented a plan for a trusted private-sector, non-government entity to operate and maintain clean DNS servers for the infected victims until they can be identified and notified. The IP addresses of potentially affected systems will be provided to the appropriate ISPs and Computer Emergency Response Teams (CERTs) for victim notification.
The FBI public announcement can be found here: http://www.fbi.gov/DNS-malware.pdf
- UPDATE -
The cyber security community website on DNSChanger can be found at: http://www.dcwg.org/
Under the U.S. District Court order currently in place, Internet Systems Consortium (ISC, http://www.isc.org/) was authorized to install, monitor and administer replacement DNS servers for the victims until 8 March 2012. After that date, victims of the DNSChanger malware associated with this operation could lose Internet connectivity, because name resolution is required for nearly all ordinary Internet use.
An extension request has been submitted and is pending approval before the U.S. Court for ISC to operate replacement DNS until 9 July 2012, which is referenced at:
The Canadian Internet Registration Authority (CIRA) is hosting a web-based tool to detect whether Internet users are affected by associated DNSChanger malware. This tool can be found at:
About DNSChanger malware
DNSChanger malware causes a computer to use rogue DNS servers instead of the legitimate ones, which are generally provided by the ISP. It changes the computer's own DNS server settings and also attempts to log in to networking devices on the victim's small-office or home (SOHO) network that run a DHCP server (e.g. a "router" or "home gateway") using common default user names and passwords; if successful, it changes the DNS configuration those devices hand out. The latter technique can affect every computer on the home or small-office network, even those that are not directly infected.
The recently uncovered infrastructure leveraged malware known to the antivirus community as TDSS, Alureon, Tidserv or TDL4. This malware has significant capabilities to evade detection and resist removal, and the malicious actors have repeatedly updated and improved them. It modifies a number of registry keys and values so that it is restarted every time the victim computer boots. One version also infects the area of the hard drive called the Master Boot Record (MBR), the sector a computer reads before loading the operating system. For this reason, malicious code infecting the MBR requires special intervention to be successfully removed.
In order to determine if a computer is infected with this variant of DNSChanger malicious code, a user may perform the following steps:
A) Windows
Identify your computer's DNS settings:
- Go to the Start menu
- Select Run...
- Type: cmd.exe [press ENTER]
- Type in the black command window: ipconfig /all [press ENTER]
Look for the line labelled "DNS Servers". Often, 2 or 3 IP addresses are listed, the additional ones on the indented lines that follow.
B) Mac OS
- Go to System Preferences
- Select Network
- Select the connection used for Internet access (typically AirPort or Ethernet)
- Select Advanced
- Select the DNS tab
Verify whether the DNS server IP addresses used by the computer fall within the ranges used by the rogue DNS servers listed below. Compare the numbers left to right. If none of the computer's DNS server addresses starts with 85.255.*.*, 67.210.*.*, 93.188.*.*, 77.67.*.*, 213.109.*.* or 64.28.*.*, the computer is not affected by this variant of DNSChanger malware. If an address does start with one of these prefixes, check it against the exact ranges below before concluding the computer is infected: each prefix covers more addresses than the malicious block it belongs to.
Known Malicious DNS Server IP ranges:
- 85.255.112.0 through 85.255.127.255
- 67.210.0.0 through 67.210.15.255
- 93.188.160.0 through 93.188.167.255
- 77.67.83.0 through 77.67.83.255
- 213.109.64.0 through 213.109.79.255
- 64.28.176.0 through 64.28.191.255
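The following Python script is an added worked example, not CCIRC's or the FBI's code, that automates the check described above: it pulls the configured DNS servers out of "ipconfig /all" output (Windows) or /etc/resolv.conf (Mac OS and Linux) and tests each address against the six rogue DNS server blocks published by the FBI for this operation. The sample outputs embedded in it are constructed, not captured from a real host, and the comparison of the by-eye prefix test with the exact range test shows why an address such as 85.255.1.1 is not in itself evidence of infection.

```python
import ipaddress
import re

# Added example (not CCIRC's or the FBI's code). These are the six rogue DNS
# server blocks published by the FBI for this DNSChanger operation, entered
# as start/end pairs; they correspond to the prefixes listed in the advisory.
ROGUE_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]

# Expand each start/end pair into the CIDR networks that cover it exactly.
ROGUE_NETWORKS = [
    net
    for start, end in ROGUE_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    )
]

# The coarse prefixes the advisory tells users to compare by eye.
ROGUE_PREFIXES = ("85.255.", "67.210.", "93.188.", "77.67.", "213.109.", "64.28.")

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_rogue(ip):
    """True if ip falls inside one of the published rogue DNS ranges."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in ROGUE_NETWORKS)


def prefix_matches(ip):
    """The advisory's quick by-eye test: does the address start with a rogue prefix?"""
    return ip.startswith(ROGUE_PREFIXES)


def dns_servers_from_ipconfig(text):
    """Pull DNS server addresses out of `ipconfig /all` output (Windows).

    The first address sits on the 'DNS Servers' line; further addresses are
    printed on indented continuation lines that carry no ':' separator.
    """
    servers = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        if "DNS Servers" in lines[i]:
            servers.extend(IPV4_RE.findall(lines[i]))
            i += 1
            while i < len(lines) and ":" not in lines[i] and IPV4_RE.search(lines[i]):
                servers.extend(IPV4_RE.findall(lines[i]))
                i += 1
        else:
            i += 1
    return servers


def dns_servers_from_resolv_conf(text):
    """Pull nameserver addresses out of /etc/resolv.conf (Mac OS / Linux)."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver" and IPV4_RE.fullmatch(parts[1]):
            servers.append(parts[1])
    return servers


def flag_rogue_servers(servers):
    """Return the subset of servers that fall inside the rogue ranges."""
    return [s for s in servers if is_rogue(s)]


# Constructed sample output, not captured from a real host; the addresses
# are illustrative.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.invalid
   IPv4 Address. . . . . . . . . . . : 192.168.1.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.36
                                       85.255.112.52
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

SAMPLE_RESOLV_CONF = """\
domain example.invalid
nameserver 192.168.1.1
nameserver 93.188.160.10
"""

if __name__ == "__main__":
    for label, servers in (
        ("ipconfig", dns_servers_from_ipconfig(SAMPLE_IPCONFIG)),
        ("resolv.conf", dns_servers_from_resolv_conf(SAMPLE_RESOLV_CONF)),
    ):
        print(label, servers, "rogue:", flag_rogue_servers(servers))
    # Why the exact ranges matter: this address passes the by-eye prefix test
    # but lies outside the published block.
    print("85.255.1.1 prefix:", prefix_matches("85.255.1.1"), "rogue:", is_rogue("85.255.1.1"))
```

On a real host, feed the script the saved output of "ipconfig /all" or the contents of /etc/resolv.conf instead of the constructed samples. A DNS server address inside one of the ranges is a strong indicator for this variant; an address that merely shares a leading prefix is not, and a clean result on the computer does not rule out a modified home router, which is checked separately below.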
C) Home Router
DNSChanger malware is also capable of changing the DNS settings of some small office/home office routers that still use the default user name and password set by the manufacturer. Common small office/home office router brands include Linksys, D-Link, Netgear and Cisco; such routers may also have been installed by your ISP. Consult the product documentation to verify whether the default password is still in use and whether the router's DNS settings include entries within the malicious DNS server IP ranges provided above. If so, a computer within the network may be infected with the DNSChanger malware.
- UPDATE -
D) Consult the CIRA detection tool at:
DNSChanger malware may, in addition to redirecting a user's browser to potentially untrusted sites, also prevent the computer from obtaining operating system and anti-virus updates. This significantly increases the risk that the affected computer is also infected with other malware. Users who believe their computer may be infected should consult a reputable computer professional. Prior to attempting recovery, it is recommended to copy valuable files such as important documents, photos, videos, music and other files to dedicated media (external drive, CD, DVD). Once backed up, these files and the associated media must be treated as untrusted (potentially infected) until rigorously scanned with a reputable and updated anti-virus product. Review the following information, which may help with the recovery process:
1) From a non-affected computer, consult the following malware removal guidelines found in CCIRC TR11-001: http://www.securitepublique.gc.ca/prg/em/ccirc/2011/tr11-001-eng.aspx
2) Consult the following resources and tools on TDSS/tidserv/TDL4/Alureon:
Technical Analysis of similar malware:
Tools (if used, follow vendor instructions):
- UPDATE -
Tool for MAC OS:
Additional Tool for Windows OS:
Note to Readers
The Canadian Cyber Incident Response Centre (CCIRC) operates within Public Safety Canada, and works with partners inside and outside Canada to mitigate cyber threats to vital networks outside the federal government. These include systems that keep Canada's critical infrastructure functioning properly, such as the electrical grid and financial networks, or contain valuable commercial information that underpins our economic prosperity. CCIRC supports the owners and operators of systems of national importance, including critical infrastructure, and is responsible for coordinating the national response to any serious cyber security incident.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118