[personal profile] johncomic
My PC is alive and well, and no re-install of anything was required, no loss of data, etc -- happy ending all round! For the curious among you, what happened (as near as I can gather) was:

my PC was hit with something called Trojan.DNSChanger which changed the static DNS number settings in my wireless router. This in essence creates a backdoor into any machine connected to my network. My anti-malware was able to detect and remove this trojan, but unable to detect or do anything about the DNS settings in my router because it's a separate distinct piece of hardware which doesn't get scanned by them. So these rogue DNS settings allowed the trojan to pop right back in as soon as it was removed -- it was never really gone. These DNS settings also allowed it to control my internet access and create such problems as the Google misdirections, the “unable to connect to anti-malware websites”, etc.

This also meant that when I took my PC into the shop, they couldn't find anything wrong and couldn't duplicate the problems I was having -- because the problem was in my router, not in the PC. Hooked up to a different router, everything was working fine.

Anyhoo, Ken at the shop walked me thru how to locate and fix my DNS settings, and since then all has been peachy. What still puzzles me is why no one else I was dealing with came close to suspecting the true nature of the problem? I'm wondering if this “bug that can attack hardware other than your PC” is a relatively new development in malware. In which case, should I feel honoured to be one of their first test cases?

Date: 2010-04-20 06:58 pm (UTC)
From: [personal profile] susandennis
Holy mackerel!! That is amazing and very frightening. Is there anything you can do to make sure it doesn't happen again, or said a different way, how in the hell can I make sure it doesn't happen to me???

and

I'm so glad you got it figured out before you wiped out everything.

and

I'm so appreciative of your explaining what the deal was.

Wow.

Date: 2010-04-20 07:11 pm (UTC)
From: [identity profile] johncomic.livejournal.com
Don't you use a Mac? I was under the impression that Macs are immune to such beasties...

In any event, I've gotten into the habit of peeking at my router settings every so often to make sure they haven't been changed. And I've written down the correct ones in case I need them. So if the problem comes back, I can set it right in seconds.

BTW, it's been several days since the fix and nothing has disturbed my DNS numbers again in that time. I guess it's the sort of bug that can't necessarily find it a piece of cake to get back in once it's been truly routed!
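One way to turn the "peek at the settings and compare them to what I wrote down" habit into a repeatable check (an added example, not code from the post or its commenters): parse the resolvers a Windows client is actually using out of `ipconfig /all` output, compare them to a baseline list, and flag any that sit off the local subnet. The `ipconfig` text and the baseline address are constructed for the example; the second resolver is a made-up off-LAN address standing in for one a DNS-changing infection might leave behind.

```python
import ipaddress
import re

# Constructed sample of the relevant block of `ipconfig /all` output.
SAMPLE_IPCONFIG = """\
Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : home
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       203.0.113.77
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Hypothetical baseline: the resolver(s) the owner wrote down as correct.
BASELINE = {"192.168.1.1"}

FIELD = re.compile(r"\s*(IPv4 Address|Subnet Mask|DNS Servers)[ .]*: (\S+)")

def parse_ipconfig(text):
    """Extract address, mask and the full DNS server list from ipconfig text.
    Windows prints extra DNS servers on continuation lines that hold only
    an address, so those are gathered until a new field name appears."""
    info = {"dns": []}
    collecting = False
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            name, value = m.groups()
            if name == "DNS Servers":
                info["dns"].append(value)
                collecting = True
            else:
                info[name] = value
                collecting = False
            continue
        cont = re.fullmatch(r"\s+(\S+)\s*", line)
        if collecting and cont:
            info["dns"].append(cont.group(1))
        else:
            collecting = False
    return info

def check_resolvers(info, baseline):
    """Return (address, on_lan) for every resolver not in the baseline.
    A resolver outside the local subnet is the pattern worth a closer look."""
    lan = ipaddress.ip_network(
        f"{info['IPv4 Address']}/{info['Subnet Mask']}", strict=False)
    return [(a, ipaddress.ip_address(a) in lan)
            for a in info["dns"] if a not in baseline]

if __name__ == "__main__":
    for addr, on_lan in check_resolvers(parse_ipconfig(SAMPLE_IPCONFIG), BASELINE):
        print(f"unexpected resolver {addr} (on local subnet: {on_lan})")
```

Running it against live output means feeding the script the text of `ipconfig /all` instead of the constructed sample; the same comparison applies to resolver addresses copied from the router's own configuration page.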

Date: 2010-04-20 11:17 pm (UTC)
From: [personal profile] susandennis
Oh goodness no on the Mac. I got my first ever Apple product of any kind only a couple of weeks ago when I got the iPad.

Date: 2010-04-20 08:20 pm (UTC)
From: [identity profile] ginsu.livejournal.com
I'm wondering if this “bug that can attack hardware other than your PC” is a relatively new development in malware.

Not at all. And there is a Mac version of this.

However, there's an important idea left out here. If your wireless router has a strong password required to make admin changes to it, malware installed on your PC won't be able to change the DNS settings there.

Also,

So these rogue DNS settings allowed the trojan to pop right back in as soon as it was removed -- it was never really gone.

Sort of. Even if the router's DNS info remains the same as the malware set it, that doesn't mean your PC can immediately get reinfected. It only means that certain Web sites can be blocked, or you can be steered to certain sites.

Any subsequent reinstallation of the malware would then have to happen via some other security shortcoming.

For instance, the router sends you to a site that then takes advantage of a Java or IE security hole, or you reinstall the malware more directly somehow (perhaps by running software that came from a questionable source, or running an executable disguised as an mp3 or movie).

Date: 2010-04-20 08:36 pm (UTC)
From: [identity profile] johncomic.livejournal.com
Being highly untrained in all this, my whole explanation is “sort of” when you get right down to it. I'm glad folx like you are around to provide greater precision and more solid content to my layman's vague hand gestures... I do know that Trojan.DNSChanger kept showing up every day in my scans while my DNS numbers were pooched -- however, at that time I didn't realize what its presence meant.

Date: 2010-04-20 08:54 pm (UTC)
From: [identity profile] ginsu.livejournal.com
Sure, I'm just saying

• Password-protect your router and do it with a decent password

• Watch what you double-click -- the easiest way to get a Trojan installed is to disguise it as an MP3 or some other "file." The executable part can launch, do some nasty business, and then pass an actual MP3 on to a music player. So you never see what it's doing.

You might also think about something like ZoneAlarm, that will track outbound packets (i.e., sent by a Trojan and containing your bank account info), not just inbound packets like a firewall.
