ESET Discovers New Strain of DNS Hijacking Malware

ESET®, a global pioneer in proactive protection for more than two decades, today announced it has discovered a new version of the DNS Unlocker malware which can re-configure DNS settings on a victim’s computer to display advertisements.

DNS Unlocker, an example of a Potentially Unwanted Application (PUA), displays ads at the bottom of a user’s screen with a note that reads “Ads by DNS Unlocker” or multiple variations of “support scam” pop-ups. These messages ask the user to take some sort of action, such as calling a certain phone number or entering their user credentials.

“DNS hijacking is not that damaging – in comparison to, say, ransomware – and it has always been easy to fix,” said James Rodewald, Malware Removal Support Supervisor at ESET. “However, with the new variant of DNS Unlocker, the latter is no longer true.”

ESET experts have found that this DNS Unlocker is able to trick the Windows® operating system into displaying a different DNS configuration from what it had set as default.

“Within the graphical interface, it appears that you are using an automatically assigned DNS server address when in fact you are using the static ones,” said Rodewald. “In short, this is a DNS hijack which forces the use of hidden DNS servers. This makes the issue quite difficult to solve for typical users.”

ESET’s research team analyzed this trick and determined the underlying issue was related to how Windows handles these DNS addresses and sent the details to Microsoft® on May 10, 2016. The Microsoft Security Response Center (MSRC) acknowledged the problem, noting they did not classify the issue as a security vulnerability. “As modifying the registry requires administrative privileges, we do not consider this to meet the bar for security servicing through MSRC,” the response read.

“Hopefully, Microsoft will address this issue in future versions of Windows,” comments Marc-Etienne Léveillé, an ESET malware researcher who participated in the research. “Until then, users should be aware of the possibility of DNS hijacking.”

ESET experts came up with a set of preventive measures users can take and also with tips for remediation should they become a victim of this malware.

  • Don’t surf the web with administrator’s privileges; use them only where necessary.
  • If you see unexpected advertisements, especially if they carry an “Ads by DNS Unlocker” badge or similar, check your DNS settings in the advanced pane of TCP/IP settings.
  • If you see a pop-up window with some kind of offer for support, be extremely wary and, prior to any other action, check your DNS settings.
  • If in any doubt about DNS settings, you can remove the bad DNS entries from the DNS tab of the Advanced TCP/IP Settings page.
  • Scan your computer with ESET’s Online Scanner to remove the DNS Unlocker malware and to make it stop tampering with your DNS settings.
  • Follow all basic rules for the safe use of the internet, including having a quality security solution; ESET Smart Security fully protects from the DNS Unlocker.
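
Because the graphical interface can report an automatically assigned DNS server while static ones are in use, the check is more reliable when it reads the per-interface values directly. The PowerShell below is an added example, not ESET's tooling; it assumes the standard Windows TCP/IP registry layout (the `NameServer`, `DhcpNameServer` and `EnableDHCP` values, which the release itself does not name) and only reports, changing nothing.

```powershell
# Added example: list every interface that has static DNS servers stored in
# the registry, next to what DHCP handed out. Read-only.
$ifBase  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
# Network-adapter class key, used only to look up the friendly connection name.
$netBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}'

$report = foreach ($key in Get-ChildItem -Path $ifBase) {
    $p = Get-ItemProperty -Path $key.PSPath

    # Split on commas or whitespace so every stored entry is seen,
    # whatever delimiter was used when the value was written.
    $static = @(($p.NameServer     -split '[,\s]+') | Where-Object { $_ })
    $dhcp   = @(($p.DhcpNameServer -split '[,\s]+') | Where-Object { $_ })
    if ($static.Count -eq 0) { continue }   # no static DNS on this interface

    $guid = $key.PSChildName
    $conn = Get-ItemProperty -Path "$netBase\$guid\Connection" -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Connection    = $conn.Name
        InterfaceGuid = $guid
        DhcpEnabled   = [bool]$p.EnableDHCP
        StaticDns     = $static -join ', '
        DhcpDns       = $dhcp -join ', '
        # Static servers that DHCP did not supply are the ones to question.
        NotFromDhcp   = @($static | Where-Object { $dhcp -notcontains $_ }) -join ', '
        RawNameServer = $p.NameServer
    }
}

if ($report) {
    $report | Format-List
} else {
    'No interface has static DNS servers stored in the registry.'
}
```

Any address listed under `NotFromDhcp` that you did not configure yourself is a candidate for the removal step described in the list above.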

About ESET:
Since 1987, ESET® has been developing award-winning security software that now helps over 100 million users to Enjoy Safer Technology. Its broad security product portfolio covers all popular platforms and provides businesses and consumers around the world with the perfect balance of performance and proactive protection. The company has a global sales network covering 180 countries, and regional offices in Bratislava, San Diego, Singapore and Buenos Aires. For more information visit or follow us on LinkedIn, Facebook and Twitter.

Kiley Nichols
(415) 293-2824