FBI Advises Internet Users To Test For DNSChanger

BabuK

BabuK

JF-Expert Member
Jul 30, 2008
1,845
329

tech-042212-001a-617x416.jpg


The US Federal Bureau of Investigation (FBI) has issued another warning to computer owners to check their desktops and laptops for a piece of malware that could cause them to lose Internet access in a few months if the problem is not addressed.
According to the Daily Mail, the DNSChanger malware is the result of an advertising scam launched by hackers last year, and many people still have the program on their computers without even realizing it. The FBI set up a system several months ago which used government computers to prevent disruptions for those with infected hardware, but that system is soon to be phased out.
On Saturday, PCMag‘s Damon Poeter wrote that the bureau believes that as many as half a million computers are still infected with DNSChanger, and they could lose their Internet connection by July 9 due to the shutdown of the FBI’s workaround system. They are encouraging users to visit the DCWG website and follow the onscreen instructions to determine whether or not their computers are infected, and how to remove the Trojan if it is, in fact, on their system.
Last November, the FBI joined with other law enforcement officials to break up the hacking ring behind the Internet ad scam and the DNSChanger Trojan, according to Lolita C. Baldor of the Associated Press (AP). Poeter said that they seized approximately 100 servers in that bust, and arrested six individuals in Estonia connected with the malware.
“We started to realize that we might have a little bit of a problem on our hands because … if we just pulled the plug on their criminal infrastructure and threw everybody in jail, the victims of this were going to be without Internet service,” Tom Grasso, an FBI supervisory special agent, told Baldor. “The average user would open up Internet Explorer and get ‘page not found’ and think the Internet is broken.”
He added that, due to the forthcoming shutdown of the workaround program, the agency was entering “full court press” mode to try and get people to test their Windows and Mac computers, before it’s too late.
Statistics printed by the Daily Mail say that the FBI believed that at least 568,000 unique Internet addresses were using those servers on the day of the arrest. As of now, they believe that there are still as many as 360,000 computers infected, with 85,000 of them residing in the US and more than 20,000 each in Italy, India, Germany and the UK. Most of them are believed to be home-based computers.


Source: RedOrbit Staff & Wire Reports

 
[h=3]Checking Windows 7 for Infections[/h]The easiest way to check if your system is violated with DNS Changer malware is to go to one of the “are you infected sites” (see below). These sites only require someone to visit. The “are you infected site” will inform you if you are infected.
Note: These sites only detect for DNS Changer. You might be infected with other malware. Please take appropriate precautions to protect your computer.

URLLanguageMaintainer
www.dns-ok.usEnglishDNS Changer Working Group (DCWG)
www.dns-ok.deGermanBundeskriminalamt (BKA) & Bundesamt für Sicherheit in der Informationstechnik (BSI)
www.dns-ok.fiFinnish, Swedish, EnglishCERT-FI is the Finnish national reporting point for computer security incidents and information security threats. CERT-FI is also responsible of maintaining the national information security situation awareness system.
www.dns-ok.axSwedish, Finnish, EnglishCERT-FI is the Finnish national reporting point for computer security incidents and information security threats. CERT-FI is also responsible of maintaining the national information security situation awareness system.
www.dns-ok.beDutch/FrenchCERT-BE is the primary Belgian contact point for dealing with Internet security threats and vulnerabilities affecting Belgian interests.
www.dns-ok.frFrenchLe CERT-LEXSI est la division de veille et d'enquête sur Internet, dédiée à la protection du patrimoine en ligne des organisations.
www.dns-ok.caEnglish/FrenchCanadian Internet Registration Authority (CIRA) and Canadian Cyber Incident Response Centre (CCIRC)
www.dns-ok.luEnglishCIRCL (Computer Incident Response Center Luxembourg) is the national Computer Security Incident Response Team (CSIRT - CERT) coordination center for the Grand-Duchy of Luxembourg
www.dns-ok.nlDutchSIDN (the Foundation for Internet Domain Registration in the Netherlands)
dns-ok.gov.auEnglishCERT Australia, Stay Smart Online, and Australian Communications and Media Authority joint page on DNSChanger Information
dns-changer.euGerman, Spanish, EnglishECO (Association of the German Internet Industry)

[h=3]Manually Checking for DNS Changer Infections[/h]The following are the original manual checks to see if you computer is infected with any of the DNS Changer malware.
To check if your Windows 7 machine is infected, first click the “Start” icon.





This opens the Windows Menu. Click on the “Search” field at the bottom.





Type in cmd, and hit enter.






This opens a DOS shell. In the DOS shell, type in the command:
ipconfig /allcompartments /all
and hit enter. (Windows users might be used to just typing “ipconfig /all“. This also works, but might not list all the routing compartments if you have a VPN setup in Windows7.)


The output will be very long, since Windows7 by default has support for IPv6. Most likely, you want to look for the IPv4 information under the section entitled “Ethernet adapter…”. Look for the “DNS Servers” line, and write down these numbers. There may be two IP addresses listed there.
[h=3][/h][h=3][/h][h=3][/h][h=3]Are Your DNS Settings OK?[/h]The malicious Rove viruses changed some peoples DNS settings to use computers they operated. Compare your DNS settings with the known malicious Rove DNS settings listed below:

Starting IPEnding IPCIDR
85.255.112.085.255.127.25585.255.112.0/20
67.210.0.067.210.15.25567.210.0.0/20
93.188.160.093.188.167.25593.188.160.0/21
77.67.83.077.67.83.25577.67.83.0/24
213.109.64.0213.109.79.255213.109.64.0/20
64.28.176.064.28.191.25564.28.176.0/20

[h=3]What if I’m infected?[/h]If you computer is infected, please refer to our page that list tools to clean DNS Changer and other self help guides to clean your computer – Fix | DCWG
 
You must log in or register to reply here.

Similar Discussions

Back
Top Bottom
Forums
New posts
Post thread
Back