Kaseya Community

How to detect if an agent was infected with DNSChanger malware?

  • How to detect if an agent was infected with DNSChanger malware with an Agent Procedure?

    Is there any simple way to do it?

  • Procedure Detect DNSChanger Infected - 2.xml
    I've created an Agent Procedure to detect if an agent is using the rogue DNS server because of infection with DNSChanger.
    Please refer to the attached for the agent procedure.

    - Once we visit http://www.dns-ok.us/, if the color is green it's OK, with the comment "Your computer appears to be looking up IP addresses correctly". But if the color is red it's infected, with the comment "Your computer is using the DNS Changer nameservers and is therefore probably infected".
    - I just used Get URL and saved it as a txt in a working directory, stored all contents as a variable and compared whether it contains the following: "Your computer appears to be looking up IP addresses correctly".
    - One more thing is that I created a custom field "cDNSChangerInfected" first, and added an "Update System Info" command in the procedure with a value of "Infected" or "Safe (Not Infected)".
      After running the procedure, we can see the result in the agent status menu with the "cDNSChangerInfected" custom field selected.
    OR we can create a View with a proper value in the advanced agent data filter.
     
    Please have a look at the attached for the agent procedure.
     
    Paul
  • Since Jul. 9, the website http://www.dns-ok.us has not been working for checking if an agent is using a rogue DNS server. But http://www.dcwg.org/ still supports checking it. So please just change the source of Get URL to "http://www.dcwg.org/" and the string option of Check Variable to "If you are reading this page, it means you are NOT infected with DNS Changer" in the attached agent procedure posted above.
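  • The check logic the two posts above describe, written out as a stand-alone Python script (an added example, not the attached Agent Procedure or any Kaseya code). The check URLs and marker strings are the ones quoted in the thread; the third status value "Unknown" is an addition so that a dead or changed check site, as happened with dns-ok.us, is not reported as an infection or silently as safe.

    ```python
    """Fetch a DNSChanger check page, look for the clean/infected marker string
    and produce the value to write into the cDNSChangerInfected custom field.
    Constructed example; mirrors the Get URL + Check Variable steps in the thread."""
    import urllib.request
    import urllib.error

    # Check sites and their marker strings, as given in the thread.
    CHECKS = {
        "http://www.dns-ok.us/": {
            "clean": "Your computer appears to be looking up IP addresses correctly",
            "infected": "Your computer is using the DNS Changer nameservers and is therefore probably infected",
        },
        "http://www.dcwg.org/": {
            "clean": "If you are reading this page, it means you are NOT infected with DNS Changer",
            "infected": None,  # the thread gives no 'infected' marker for this site
        },
    }


    def classify(page_text, markers):
        """Return 'Safe', 'Infected' or 'Unknown' from the fetched page body.
        'Unknown' covers an unreachable, parked or rewritten check page, so the
        absence of the clean string alone is never taken as proof of infection."""
        if page_text is None:
            return "Unknown"
        if markers["clean"] in page_text:
            return "Safe"
        if markers["infected"] and markers["infected"] in page_text:
            return "Infected"
        return "Unknown"


    def fetch(url, timeout=10):
        """Fetch the check page; None on any network or HTTP failure."""
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                return resp.read().decode("utf-8", errors="replace")
        except (urllib.error.URLError, OSError, ValueError):
            return None


    def check_dns(url="http://www.dcwg.org/"):
        """Status value for the cDNSChangerInfected custom field."""
        return classify(fetch(url), CHECKS[url])


    if __name__ == "__main__":
        print(check_dns())
    ```

    Schedule the script from the Agent Procedure instead of the Get URL step if you want the "Unknown" outcome surfaced separately in a View.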