Search My Blog

Thursday, July 5, 2012

DNS Changer Malware - What to do if your PC loses Internet access on Monday (07-09-12)

What to do if your PC loses Internet access on Monday (07-09-12) Due to the FBI Shutting Down the Temporary Servers for the DNS Changer Malware. Malware may knock 64,000 Americans off Internet on Monday...

Don

DCWG | DNS Changer Working Group

Detect

Find out if you have been violated and infected with DNS Changer. No software will be downloaded to perform the check.

Fix

If you think you are infected, please follow take action to fix your computer now.

What is the DNS Changer Malware?

On November 8, the FBI, the NASA-OIG and Estonian police arrested several cyber criminals in “Operation Ghost Click”. The criminals operated under the company name “Rove Digital”, and distributed DNS changing viruses, variously known as TDSS, Alureon, TidServ and TDL4 viruses. You can read more about the arrest of the Rove Digital principals here, and in the FBI Press Release.

What does the DNS Changer Malware do?

The botnet operated by Rove Digital altered user DNS settings, pointing victims to malicious DNS in data centers in Estonia, New York, and Chicago. The malicious DNS servers would give fake, malicious answers, altering user searches, and promoting fake and dangerous products. Because every web search starts with DNS, the malware showed users an altered version of the Internet.
Under a court order, expiring July 9, the Internet Systems Consortium is operating replacement DNS servers for the Rove Digital network. This will allow affected networks time to identify infected hosts, and avoid sudden disruption of services to victim machines.

How Can I Protect Myself?

This page describes how you can determine if you are infected, and how you can clean infected machines. To check if you’re infected, Click Here. If you believe you are infected, here are instructions on how to clean your computer.

How can you detect if your computer has been violated and infected with DNS Changer?

An industry wide team has developed easy “are you infected” web sites. They are a quick way to determine if you are infected with DNS Changer. Each site is designed for any normal computer user to browse to a link, follow the instructions, and see if they might be infected. Each site has instructions in their local languages on the next steps to clean up possible infections.

For example, the http://www.dns-ok.us/ will state if you are or are not infected (see below).

No Software is Downloaded! The tools do not need to to load any software on your computer to perform the check.
No changes are performed on your computer! Nothing is changed on your computer when you use sites like http://www.dns-ok.us/.
No scanning! The “are you infected with DNS Changer” tool does not need to scan your computer.

If you think your computer is infected with DNS Changer or any other malware, please refer to the security guides from your operating system or the self -help references from our fix page (http://www.dcwg.org/fix).
The following table is a list of all easy “are you infected” sites. It includes the links to the security organizations who are maintaining the sites. Each site has instructions in their local languages on the next steps to clean up possible infections.

Read More...
http://www.dcwg.org/detect/

DNSChanger Malware

DNS (Domain Name System) is an Internet service that converts user-friendly domain
names into the numerical Internet protocol (IP) addresses that computers use to talk to
each other. When you enter a domain name, such as www.fbi.gov, in your web browser
address bar, your computer contacts DNS servers to determine the IP address for the
website. Your computer then uses this IP address to locate and connect to the website. DNS
servers are operated by your Internet service provider (ISP) and are included in your
computer’s network configuration. DNS and DNS Servers are a critical component of your
computer’s operating environment—without them, you would not be able to access
websites, send e-mail, or use any other Internet services.
Criminals have learned that if they can control a user’s DNS servers, they can control what
sites the user connects to on the Internet. By controlling DNS, a criminal can get an
unsuspecting user to connect to a fraudulent website or to interfere with that user’s online
web browsing. One way criminals do this is by infecting computers with a class of malicious
software (malware) called DNSChanger. In this scenario, the criminal uses the malware to
change the user’s DNS server settings to replace the ISP’s good DNS servers with bad DNS
servers operated by the criminal. A bad DNS server operated by a criminal is referred to as
a rogue DNS server.

The FBI has uncovered a network of rogue DNS servers and has taken steps to disable it.
The FBI is also undertaking an effort to identify and notify victims who have been impacted
by the DNSChanger malware. One consequence of disabling the rogue DNS network is that
victims who rely on the rogue DNS network for DNS service could lose access to DNS
services. To address this, the FBI has worked with private sector technical experts to
develop a plan for a private-sector, non-government entity to operate and maintain clean
DNS servers for the infected victims. The FBI has also provided information to ISPs that can
be used to redirect their users from the rogue DNS servers to the ISPs’ own legitimate
servers. The FBI will support the operation of the clean DNS servers for four months,
allowing time for users, businesses, and other entities to identify and fix infected
computers. At no time will the FBI have access to any data concerning the Internet activity
of the victims.

It is quite possible that computers infected with this malware may also be infected with
other malware. The establishment of these clean DNS servers does not guarantee that the
computers are safe from other malware. The main intent is to ensure users do not lose DNS
services.

What Does DNSChanger Do to My Computer?
DNSChanger malware causes a computer to use rogue DNS servers in one of two ways.
First, it changes the computer’s DNS server settings to replace the ISP’s good DNS servers
with rogue DNS servers operated by the criminal. Second, it attempts to access devices on
the victim’s small office/home office (SOHO) network that run a dynamic host configuration
protocol (DHCP) server (eg. a router or home gateway). The malware attempts to access
these devices using common default usernames and passwords and, if successful, changes
the DNS servers these devices use from the ISP’s good DNS servers to rogue DNS servers
operated by the criminals. This is a change that may impact all computers on the SOHO
network, even if those computers are not infected with the malware.
Am I Infected?

The best way to determine if your computer or SOHO router has been affected by
DNSChanger is to have them evaluated by a computer professional. However, the following
steps can help you gather information before consulting a computer professional.
To determine if a computer is using rogue DNS servers, it is necessary to check the DNS
server settings on the computer. If the computer is connected to a wireless access point or
router, the settings on those devices should be checked as well.
Checking the Computer:

If you are using a Windows computer, open a command prompt. This can be done by
selecting Run from the Start Menu and entering cmd.exe or starting the command prompt
application, typically located in the Accessories folder within Programs on your Start Menu,
as shown below:

Read More - (Download the PDF file)...
http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf