How to check if your DNS Server was hacked

Post initially published on the Avira Techblog.

You have probably already heard about the “famous” DNSChanger malware, which manipulates a computer’s DNS settings in order to silently direct users to malicious websites.

The FBI and others took action against this malware and, in November 2011, managed to break the botnet. According to the FBI, more than 4 million computers were affected worldwide. The thieves manipulated DNS entries in order to block antivirus programs and operating systems from updating, thereby delivering even more malware to users’ computers. The DNSChanger malware was also used to redirect users to rogue servers controlled by the fraudsters, allowing them to control users’ web activity and generate income through online advertising. When the FBI shut down the botnet, they also replaced the servers which were directing users to malicious domains with valid DNS servers.

So, if the botnet is shut down, why all this trouble?

The FBI will deactivate those new valid DNS servers on March 8, 2012.

If your computer was infected at some point and is still using one of the DNS servers now controlled by the FBI, then after March 8 it will no longer be able to make any DNS requests through these servers. In layman’s terms, you will no longer be able to browse the web, read emails or do everything else you usually do on the Internet. It is therefore mandatory that the computer’s DNS settings are restored to their original state.

Until now, the settings had to be restored manually after an infection with the DNSChanger malware. Here are tutorials in German and in English.

With the Avira DNS-Repair tool, released (press release in German only) on Friday, January 20, you can revert to the Windows default settings with only a few clicks.

You can download the tool free of charge from the Avira Support’s Knowledge Base website in German and in English.

Avira also cooperated with the German Federal Office for Information Security (BSI) and published the tool on the special website created to check if DNS requests are made to the right places: Note that on this website you see the link to the Avira DNS-Repair-Tool only if it is detected that your system is affected by the malware.
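A local version of the check described above, as an added example that is not part of the original post or of the Avira tool: it reads the DNS servers of each adapter from Windows `ipconfig /all` output and flags any that fall inside a list of rogue ranges. The function names, the sample output and the ranges in `ROGUE_RANGES` are assumptions; the ranges are documentation placeholders to be replaced with the officially published DNSChanger ranges.

```python
import ipaddress
import re

# ASSUMPTION: placeholder RFC 5737 ranges; swap in the published rogue ranges.
ROGUE_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]

# Constructed sample of `ipconfig /all` output, not taken from a real host.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   DNS Servers . . . . . . . . . . . : 192.0.2.53
                                       10.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

   DNS Servers . . . . . . . . . . . : 198.51.100.200
"""

def dns_servers_by_adapter(text):
    """Map each adapter header to the DNS servers listed under it."""
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        # Assumed labels: English "DNS Servers" and German "DNS-Server".
        key = re.match(r"\s+DNS[- ]Servers?[ .]*:\s*(\S+)", line)
        extra = re.match(r"\s+(\S+)\s*$", line)  # indented bare address
        if line[:1].strip() and line.rstrip().endswith(":"):
            current, in_dns = line.rstrip()[:-1], False  # unindented header
            adapters[current] = []
        elif key and current:
            adapters[current].append(key.group(1))
            in_dns = True
        elif in_dns and extra:
            adapters[current].append(extra.group(1))  # secondary server
        else:
            in_dns = False  # any other line ends the DNS server list
    return adapters

def find_rogue(text, ranges=ROGUE_RANGES):
    """Return (adapter, server) pairs whose server lies in a listed range."""
    hits = []
    for adapter, servers in dns_servers_by_adapter(text).items():
        for server in servers:
            try:
                ip = ipaddress.ip_address(server.split("%")[0])  # drop IPv6 zone id
            except ValueError:
                continue  # token is not an IP address
            if any(ip.version == net.version and ip in net for net in ranges):
                hits.append((adapter, server))
    return hits
```

On the constructed sample, `find_rogue(SAMPLE_IPCONFIG)` reports only the Ethernet adapter's primary server; the Wi-Fi server sits just outside the second placeholder range and is not flagged.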


© Copyright Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity
