DNS Unlocker ads #2

Posted on Thursday, September 17, 2015 by Nicki

In my quest to find the cause(s) for these DNS Unlocker ads, I found Steve Gibson's DNS Nameserver Spoofability Test to test my DNS.

This can identify any DNS issues that could cause these DNS Unlocker ads to be injected into sites you visit.

DNS Unlocker ads

Posted on by Nicki

It seems like DNS Unlocker ads injected into websites you visit are a big issue at the moment. I've seen them on sites I visited, and other people I know have also experienced them.

All the resolution guides I've seen seem to follow the same procedure, and if none of the first couple of detection methods work, they offer a tool to download. I have not tried any of those so-called tools, but I suspect that these 'tools' might actually leave you in a worse position than you were in.

How do you get the ads?
They seem to be injected by a rogue Google Analytics script. From other sources on the web it looks like DNS poisoning takes place somewhere upstream from my PC, so that a DNS lookup for www.google-analytics.com returns the address of a rogue server posing as the real one. The script served from that server loads another script from hosts on the dnsqa.me domain, which in turn loads the scripts that inject the ads into the page you are viewing.

How do you get rid of it?
On my machine no actual DNS Unlocker software was installed, and my DNS settings were not changed either. I ran Malwarebytes as well as AdwCleaner to scan for malware; they found a few cookies and cached pages but no installed malware that had to be removed. I also did a Reset in Chrome, which clears the cache, disables extensions and clears history. After this I still got the ads from time to time. Installing Malwarebytes and activating the 14-day Premium trial does pick up these rogue scripts and prevents them from being injected. I also installed AdBlock in Chrome and configured it to block all access to *.dnsqa.me and *.google-analytics.com, to prevent the malware from being injected through either of those two avenues.
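Two quick checks for the symptoms described above, as an added example rather than anything from the original post: one scans a page's script tags for hosts under the injection domain (the same suffix logic as the *.dnsqa.me block rule), the other compares the A records that several resolvers return for www.google-analytics.com and flags the resolver that disagrees with the rest. The sample page and resolver answers are constructed; the IP addresses are documentation ranges, not real records.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domain the post names as the source of the injected loader scripts; a suffix
# match covers every host under it, like the "*.dnsqa.me" AdBlock rule.
BLOCKED_SUFFIXES = ("dnsqa.me",)

def host_is_blocked(host, suffixes=BLOCKED_SUFFIXES):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

class ScriptSrcCollector(HTMLParser):
    """Collects the host part of every <script src=...> in a page."""
    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag.lower() == "script" else None
        # urlparse yields a hostname only when the URL has a "//" part, so
        # scheme-relative "//host/x.js" is kept and "/local.js" is skipped.
        host = urlparse(src).hostname if src else None
        if host:
            self.hosts.append(host)

def injected_script_hosts(html):
    """Script hosts in the page that fall under a blocked domain."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    return sorted({h for h in parser.hosts if host_is_blocked(h)})

def disagreeing_resolvers(answers):
    """answers maps a resolver label to the set of A records it returned for
    one name; resolvers whose answer differs from the majority are returned.
    A poisoned upstream resolver is the one that stands out."""
    tally = Counter(frozenset(ips) for ips in answers.values())
    majority = tally.most_common(1)[0][0]
    return sorted(r for r, ips in answers.items() if frozenset(ips) != majority)

# Constructed sample page: one legitimate tracker and one injected loader.
SAMPLE_HTML = """<html><head>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="//ads1.dnsqa.me/inject.js"></script>
<script src="/site.js"></script></head><body></body></html>"""
# Constructed answers for www.google-analytics.com (documentation address
# ranges, not real records); the odd one out plays the poisoned resolver.
SAMPLE_ANSWERS = {"system": {"203.0.113.5"},
                  "1.1.1.1": {"198.51.100.10"}, "8.8.8.8": {"198.51.100.10"}}
```

To run the resolver comparison for real, feed `disagreeing_resolvers` the answers you get from your system resolver and from a couple of public resolvers; a lone disagreeing "system" entry is the upstream poisoning the post describes.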

Other possibilities
If your router still has the default password, it is possible that some application you installed could connect to the router and change its DNS settings. It is also possible for an application to change the DNS settings on your machine itself. Check both locations to make sure the DNS settings are configured to use automatically provided values, or, if you manually configured DNS servers such as OpenDNS, that they are still intact. If the DNS on your router was changed, make sure to change the default admin password on your router.

Different Ways to prevent the injection
Install Malwarebytes and activate the 14-day Premium trial
Install the AdBlock extension in Chrome
Configure OpenDNS as DNS provider.