DNS Unlocker belongs among the so-called Potentially Unwanted Applications; its purpose is to display advertisements to the victim. Typically, a computer user affected by DNS Unlocker will see advertisements with a note at the bottom like “Ads by DNS Unlocker” and multiple variations of “support scam” pop-ups.
“DNS hijacking is not that damaging – in comparison to, say, ransomware – and it has always been easy to fix. With the new variant of DNS Unlocker, the latter is no longer true,” comments James Rodewald, ESET Malware Removal Support Supervisor.
ESET experts have found that this variant of DNS Unlocker is able to trick Windows into displaying a DNS configuration different from the one it has actually set.
“Within the graphical interface, it appears that you are using an automatically assigned DNS server address when in fact you are using the static ones. In short, this is a DNS hijack which forces the use of hidden DNS servers. This makes the issue quite difficult to solve for typical users,” says James Rodewald.
ESET experts analyzed the trick, identified the underlying issue with how Windows handles these DNS addresses, and sent the details to Microsoft on May 10th, 2016. The Microsoft Security Response Center (MSRC) acknowledged the problem but, unfortunately, did not classify it as a security vulnerability. “As modifying the registry requires administrative privileges, we do not consider this to meet the bar for security servicing through MSRC”, the reasoning reads.
“Hopefully, Microsoft will address this issue in future versions of Windows. Until then, users should be aware of the possibility of DNS hijacking,” comments Marc-Etienne Léveillé, an ESET Malware Researcher who participated in the research.
ESET experts came up with a set of preventive measures and tips for remediation:
- Don’t surf the web with administrator privileges; use them only where necessary.
- If you see unexpected advertisements, especially if they carry an “Ads by DNS Unlocker” badge or similar, check your DNS settings in the advanced pane of TCP/IP settings.
- If you see a pop-up window with some kind of offer for support, be extremely wary and, prior to any other action, check your DNS settings.
- If in any doubt about DNS settings, you can remove the bad DNS entries from the DNS tab of the Advanced TCP/IP Settings page. Scan your computer with ESET Online Scanner to remove the DNS Unlocker malware and to make it stop tampering with your DNS settings.
- Follow all basic rules for the safe use of the internet, including having a quality security solution; ESET Smart Security fully protects against DNS Unlocker.
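
Because the graphical interface can show “automatic” while static servers are in use, the DNS check in the list above can also be done against the registry directly. The following PowerShell sketch is an added example, not ESET's or Microsoft's tooling; it assumes the standard Windows location of the per-interface TCP/IP parameters, which the text above does not name, and it flags every interface that has a static DNS entry stored so that the addresses can be compared with what the network is expected to hand out.

```powershell
# Added example, not ESET's tooling. Reads per-interface DNS settings straight
# from the registry instead of relying on the network settings dialog.
# Assumption: standard Windows location of per-interface TCP/IP parameters.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

# Map interface GUIDs to adapter names where the adapter is still present.
$names = @{}
Get-NetAdapter -IncludeHidden -ErrorAction SilentlyContinue | ForEach-Object {
    $names[$_.InterfaceGuid.ToUpper()] = $_.Name
}

$report = foreach ($key in Get-ChildItem -Path $base) {
    $p      = Get-ItemProperty -Path $key.PSPath
    $static = "$($p.NameServer)".Trim()       # statically configured servers
    $dhcp   = "$($p.DhcpNameServer)".Trim()   # servers received from DHCP
    if (-not $static -and -not $dhcp) { continue }   # nothing configured here

    [pscustomobject]@{
        Adapter   = $names[$key.PSChildName.ToUpper()]
        Interface = $key.PSChildName
        DhcpOn    = [bool]$p.EnableDHCP
        StaticDns = $static
        DhcpDns   = $dhcp
        # A static entry takes precedence over the DHCP-supplied one, so any
        # interface with StaticDns set deserves a look, whatever the GUI shows.
        Review    = [bool]$static
    }
}
$report | Sort-Object Review -Descending | Format-Table -AutoSize

# Resolver addresses Windows reports as in effect, for comparison.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object ServerAddresses |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize
```

An interface marked `Review` is not proof of tampering, since static DNS is often set on purpose; the point is to confirm that every address listed is one you or your administrator configured.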