Lately, we’ve been seeing a great deal of the Security 2010 malware, the subject of an earlier post. It comes in a number of different flavors but is, so far, removable without major disruption in most cases. It continues to surprise, though, with its clever little wrinkles.
We recently encountered two separate cases of Security 2010 that were, apparently, successfully removed. Yet the users continued to experience frequent browser redirects and tainted search results. Exhaustive examinations of each machine revealed no suspicious executables. Yet in monitoring the IP traffic, we could see the computers consistently connecting to an address in Eastern Europe immediately before each redirect. How this was happening was a mystery. On a hunch I checked some settings and solved the mystery. The solution actually turned out to be simple. The malware had manually reset DNS primary and secondary values to the aforementioned Eastern European address.
DNS stands for Domain Name Server, and Domain Name Servers are the giant databases that resolve the familiar domain names (e.g. www.yahoo.com) into IP addresses (e.g. 188.8.131.52), which actually define addresses in cyberspace, and which the many routers that make up the Internet actually understand. Each time you type in a web address into your browser or click on a link, your computer must contact a Domain Name Server to turn that collection of words into an IP address. And each time my customers’ computers attempted to connect to a requested address, the computers would contact the rogue Domain Name Server, which would then falsely resolve the domain name to another unrelated site. Presumably, the owners of the redirecting website were paying the rogue DNS for the redirects. In a way you have to admire their entrepreneurial spirit.
In this case, simply setting the DNS values to default (Obtain DNS address automatically) solved the problem. This setting, the most commonly used, allows your router or Internet Service Provider to connect you to a default DNS.