Just to correct the terminology here: this is a DNS checker. It will not find a virus; it will only check whether your DNS lookups have been compromised. Hijacking DNS is as old as the Internet itself. There are several ways an attacker can do this, but the two most common are editing your HOSTS file, found in "%windir%\system32\drivers\etc\", or changing the DNS server address in your connection settings so your lookups go to a server the attacker controls.
DNS stands for "Domain Name System". A DNS server is a lookup computer that takes a domain name, eg.
www.google.com, and gives back its Internet Protocol address, or IP. So when you enter
www.google.com your computer asks its DNS server what IP that name has, and then connects to the IP it is given. Whoever controls that answer controls where you end up, which is why it is such an attractive target.
The HOSTS file is a text file which can be opened in notepad.
A clean HOSTS file will have
only this line: -
(Note that anything after a # is a comment that the computer ignores.)
I use a custom hosts file from
here for ad blocking. Note my KR post on this
here.
If your computer cannot find the name of the server in the HOSTS file, it then goes to ask the DNS for the IP. In my case (and in 99% of others) my modem is my DNS lookup. Now my modem is not a DNS per se, but it carries the request to my ISP's DNS.
This is my computer's internet connection properties: -
This is my modem's DNS: -
The direct IP lookup of my ISP's DNS of 211.29.152.116 shows that it is legitimate,
here.
There are services like
www.OpenDNS.com which can speed up your DNS lookups, protect you from known fake sites and can also provide web content filtering. Note though that they only help if your computer is actually sending its lookups there: if your HOSTS file
has an entry for the site, or your DNS server setting has been changed to the attacker's server, the lookup never reaches OpenDNS and this will not help.
There is a specific application used by security experts called
Hijack This! which was written to deal with these issues.
You can do your own check from within a command prompt.
If you enter "ping /a
www.google.com" you should see this: -

C:\>ping /a www.google.com
Pinging www.google.com [74.125.237.16] with 32 bytes of data:
So the IP of
www.google.com according to my DNS is 74.125.237.16, which an IP lookup tells me is legitimate,
here. Note that you may get a different IP as Google has many, many servers, and your DNS may point you to a server nearer you.
(The /a switch tells ping to also do a reverse lookup of the IP back to a host name. The IP in the square brackets is whatever your resolver, HOSTS file first and then your DNS server, returned for the name; that is the value to check.)
There is another form of hijacking that it helps to be aware of. It is called pharming and it is where the attacker compromises the DNS server itself (or the records it serves), so your lookups are poisoned without anything on your own computer being touched. My ping check above will reveal that if that's the case, because the IP your DNS returns will not be one that belongs to the real site.
The reason attackers hijack your lookup is so that when you go to enter any personal or confidential information they are privy to it. How it works is that when you request a page, the attacker's server (which you unwittingly got redirected to) fetches the real site you wanted and passes its content back to you, sometimes also spoofing the address bar of the browser. It only acts as a broker or go-between, a man-in-the-middle, but all the while it is gleaning your information.
If anyone issues a "security alert" on the KR forums expect them to be vetted by a security expert.
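The HOSTS-file check and the ping check above can be automated. The script below is an added example, not part of the original post or any tool it mentions: it parses a Windows-style HOSTS file (anything after # is a comment, as noted above), treats loopback and 0.0.0.0 entries as harmless ad-blocking/blackhole entries, and flags any entry that points a well-known name at a real IP (a hijack) or points any other name somewhere routable (a redirect worth reviewing). The PROTECTED_NAMES list and the sample HOSTS content, including the 203.0.113.7 "hijack" line, are constructed for illustration and are not from the post.

```python
"""Audit a HOSTS file for entries that hijack well-known names.

Added example (not from the original post). The sample HOSTS text and the
PROTECTED_NAMES list are constructed for illustration.
"""
import ipaddress
import os
import sys

# Names that should never be overridden by a local HOSTS entry.
# Illustrative list: put your own bank, mail and login hosts here.
PROTECTED_NAMES = {"www.google.com", "google.com", "www.paypal.com", "login.live.com"}

# Addresses that a clean or ad-blocking HOSTS file legitimately uses:
# loopback, or the unroutable 0.0.0.0 that ad-block lists prefer.
BLACKHOLE = {
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("0.0.0.0"),
    ipaddress.ip_address("::1"),
}

# Constructed sample: lines 1-4 are what a clean/ad-blocking file looks like,
# line 5 is a made-up hijack, line 6 is a redirect a reviewer should look at.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net        # ad blocking entry, harmless
203.0.113.7     www.google.com google.com   # constructed hijack
10.0.0.5        intranet.example.org
"""


def parse_hosts(text):
    """Return [(line_no, ip_or_None, [names])] for every non-comment entry."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            entries.append((line_no, None, parts))   # malformed, report it
            continue
        entries.append((line_no, ip, [n.lower() for n in parts[1:]]))
    return entries


def is_protected(name, protected):
    """True for a protected name or any subdomain of one."""
    return name in protected or any(name.endswith("." + p) for p in protected)


def find_hijacks(text, protected=PROTECTED_NAMES):
    """Return [(line_no, verdict, detail)] for suspicious entries.

    verdict is 'malformed', 'hijack' (protected name -> real IP) or
    'redirect' (any other name -> routable IP, review manually).
    """
    findings = []
    for line_no, ip, names in parse_hosts(text):
        if ip is None:
            findings.append((line_no, "malformed", " ".join(names)))
            continue
        if ip in BLACKHOLE:
            continue   # blackholed name: ad blocking, not a hijack
        for name in names:
            if is_protected(name, protected):
                findings.append((line_no, "hijack", f"{name} -> {ip}"))
            elif not ip.is_loopback:
                findings.append((line_no, "redirect", f"{name} -> {ip}"))
    return findings


def default_hosts_path():
    """The Windows HOSTS path from the post, with %windir% expanded."""
    return os.path.expandvars(r"%windir%\system32\drivers\etc\hosts")


if __name__ == "__main__":
    # Usage: python hosts_audit.py [path-to-hosts]; no path audits the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_HOSTS
    for line_no, verdict, detail in find_hijacks(content):
        print(f"line {line_no}: {verdict}: {detail}")
```

On a real machine run it against the path the post gives (pass it as the first argument); an empty report means the HOSTS file is not overriding any of the names you listed, and the ping check then tells you whether the DNS server itself is answering honestly. An entry flagged "redirect" is not automatically malicious (intranet names are often pinned this way), so review those by hand.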