As a bit of an extension from an earlier post, I’d just like to reiterate the importance of changing the default login information for your router (or your customers’ routers). I’ve seen another uptick in DNS-Changer/DNS Hijack activity which includes the modification of router DNS settings to include malicious IP addresses, most of which hail from within the Russian Federation.
There is an easy way to correct this. For starters, obviously, you need to make sure the router's own configuration hasn't been tampered with. If the DNS server settings have been changed, clear them (so the router goes back to the resolvers your ISP assigns, or to resolvers you have chosen deliberately), then follow that up with a new username/password for the router's admin interface. The malware behind these campaigns isn't brute-forcing anything; it simply uses the known factory-default login for each router model to get into the settings and add its own DNS servers, so even a modest change to the credentials defeats it. That said, other campaigns do try password lists, and a router admin password is something you type perhaps twice a year, so there is no reason not to pick a long, unique one while you are in there. If the router offers remote (WAN-side) administration and you don't need it, turn it off at the same time.
It also goes without saying that all client PCs need to be clean before making the change; otherwise any active malware on the network will simply put the settings back after you change them. If you're unsure which machine is causing the problem and just want to stop further spread and information theft, it is possible to change the login info first and then clear the DNS settings, but this must be done from a clean machine, not from a suspect one.
Many ISPs will warn users if they’re affected by such DNSChanger infections. By cleaning the malware off the PCs and checking the routers, you can ensure the problem is resolved. However, there is one final setting to check:
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer
(and the NameServer value alongside it, plus the same two values under each adapter's subkey in HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID})
These registry values are frequently modified to point at the same malicious DNS servers, and a static NameServer entry will survive a DHCP lease renewal from the cleaned router. Check them on every machine; otherwise a freshly cleaned PC keeps resolving names through the attacker's servers and can quickly be reinfected.
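A quick way to run that check on each machine is the script below. It is an added example, not part of the original post: it reads DhcpNameServer and NameServer from the global Tcpip\Parameters key and from every per-adapter Interfaces\{GUID} subkey, and flags any resolver address that is not on a list you trust. The addresses in $TrustedResolvers are placeholders (a typical RFC 1918 router address and Google Public DNS) and are an assumption; replace them with what your router and ISP actually hand out. Run it from an elevated PowerShell prompt on a machine you believe is clean.

```powershell
# Added example (not from the original post). Lists every DNS resolver Windows has
# recorded in the registry and compares it against a trusted list.
# ASSUMPTION: the addresses in $TrustedResolvers are placeholders; replace them with
# your own router/ISP resolvers before relying on the result.

$TrustedResolvers = @('192.168.1.1', '8.8.8.8', '8.8.4.4')

$base       = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$valueNames = @('DhcpNameServer', 'NameServer')

# Global key plus one key per adapter (the {GUID} subkeys under Interfaces).
$keys = @($base) + @(Get-ChildItem -Path "$base\Interfaces" | ForEach-Object { $_.PSPath })

$findings = foreach ($key in $keys) {
    foreach ($name in $valueNames) {
        # Missing values are normal (e.g. no static NameServer); suppress the error and skip.
        $raw = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ([string]::IsNullOrWhiteSpace($raw)) { continue }

        # DhcpNameServer is space-separated, NameServer is usually comma-separated; accept both.
        $addresses = $raw -split '[ ,]+' | Where-Object { $_ }
        foreach ($addr in $addresses) {
            [pscustomobject]@{
                Key      = $key -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
                Value    = $name
                Resolver = $addr
                Trusted  = ($TrustedResolvers -contains $addr)
            }
        }
    }
}

$findings | Format-Table -AutoSize

$suspect = @($findings | Where-Object { -not $_.Trusted })
if ($suspect.Count -gt 0) {
    Write-Warning 'Untrusted DNS resolver(s) recorded on this machine:'
    $suspect | ForEach-Object { Write-Warning ('  {0}  {1} = {2}' -f $_.Key, $_.Value, $_.Resolver) }
    # To clear a bogus static entry (run from a clean machine, with the router already fixed):
    #   Set-ItemProperty -Path <Key> -Name NameServer -Value ''
    # Then re-acquire DNS from the cleaned router:
    #   ipconfig /release; ipconfig /renew
} else {
    Write-Host 'All recorded resolvers are on the trusted list.'
}
```

Reading the output: a bad address in a DhcpNameServer value came from whatever answered the DHCP request, so if it reappears after ipconfig /renew the router (or another DHCP server on the LAN) is still handing it out and needs to be fixed first; a bad address in NameServer was written to the machine itself and will persist until you clear it.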