DNSChanger

sumitbaran

Come March 8, the Internet could stop working for millions of users because of a virus, DNS Changer, which has corrupted millions of computers in more than 100 countries.
Though the US Federal Bureau of Investigation (FBI) has shut down the rogue DNSChanger network and put up surrogate servers following a US court order, it has the mandate to run the temporary network only till March 8. Unless the FBI obtains a fresh order, the network will be turned off, resulting in millions of computers worldwide no longer having Internet access.
In November 2011, six Estonian nationals were arrested for running a sophisticated Internet fraud ring that infected millions of computers worldwide with DNS Changer, which enabled them to manipulate the multibillion-dollar Internet advertising industry. This virus also made computers vulnerable to a host of other viruses. The criminals are said to have siphoned off $14 million, but the amount could be much larger because banks are typically reluctant to reveal how much they have lost. The two-year FBI investigation was code-named Operation Ghost Click.

What is DNS?
DNS stands for Domain Name System. It is an Internet service that converts user-friendly domain names into the numerical Internet Protocol (IP) addresses that computers use to talk to each other. DNS and DNS servers are a critical component of your computer’s operating environment. Without them, you would not be able to access websites, send e-mails or use any other Internet service.
When you enter a domain name, such as www.abc.com, in your web browser’s address bar, your computer contacts DNS servers to determine the site’s IP address. Your computer then uses this IP address to connect to the website. DNS servers are operated by your Internet service provider (ISP) and are included in your computer’s network configuration.

What is DNSChanger?
A small file of about 1.5 kilobytes, DNSChanger is a Trojan that changes the infected system’s DNS settings in order to divert traffic to unsolicited and potentially illegal sites. This Trojan is designed to change the “NameServer” Registry key value to a custom IP address, which is usually encrypted in the body of the Trojan. By controlling DNS, a criminal can get an unsuspecting user to connect to a fraudulent website or interfere with that user’s online web browsing.
DNSChanger malware causes a computer to use rogue DNS servers in one of two ways. First, it changes the computer’s DNS server settings to replace the ISP’s good DNS settings with rogue DNS IP addresses operated by the criminal. Second, it attempts to access devices on the victim’s office or home network that run a Dynamic Host Configuration Protocol (DHCP) server (for example, a router). The malware attempts to access your router using common default user names and passwords. This is usually “admin” and “admin” respectively. It converts the genuine DNS settings these devices use to rogue DNS settings operated by the criminals. This is a change that impacts all computers on the corporate network, even if individual computers are not infected.
One consequence of the FBI disabling the rogue DNS network is that victims who unknowingly access the Internet through rogue servers could lose access to the Internet altogether. So the FBI got a court order allowing them to replace the rogue servers with legitimate stand-ins. The FBI was told to educate the public and Internet service providers about the DNSChanger malware.
If your ISP’s DNS server is infected, you, too, will be affected.

How do you know if your computer is infected?
It is best to have it evaluated by a professional. You can also check it yourself in Windows 7 by going to the Start menu, typing Run and then cmd. At the command prompt, enter: ipconfig /all. Look for the entry that reads “DNS Servers……….”. The DNS numbers are in the format nnn.nnn.nnn.nnn, where nnn is a number from 0 to 255. Make note of the IP addresses for the DNS servers and compare them to the table of known rogue DNS servers. If you are using a Mac, click on the Apple symbol in the top left corner and choose System Preferences, then Network, and click on the Advanced button. Choose the DNS tab on top to show the DNS servers you are using.
There is a special website to check if your ISP’s DNS requests are made to the right places: http://www.dns-ok.de. This site will tell you if you are affected by the DNS Changer malware or not.

What will happen after March 8?
According to the FBI, it will shut down the surrogate DNS servers over a period of four months, affecting millions of users who are still using rogue DNS addresses. If your PC is infected by rogue DNS, you can use the Avira DNSRepair tool. Download it from: www.avira.com/files/support/FAQ_KB_Download_Files/EN/AviraDNSRepairEN.exe. Mac users, just make sure you are using the correct DNS. And check your computer thoroughly for other malware.

Source: http://www.telegraphindia.com/1120305/jsp/knowhow/index.jsp
Thanks Surit Doss.
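The "how do you know if your computer is infected" steps above (run ipconfig /all, read off the DNS Servers entries, compare them to the rogue table) can be scripted. The following is an added example, not code from the Telegraph article or from anyone in this thread. The six address ranges it checks are the ones the FBI published for the Operation Ghost Click resolvers, reproduced here from that public list; confirm them against the DCWG page before acting on a hit. The sample ipconfig text is constructed for the example and assumes the English-language layout of `ipconfig /all`.

```python
"""Flag DNSChanger rogue resolvers in `ipconfig /all` output.

Added example, not code from the article or the forum. The six ranges are
the ones the FBI published for the Operation Ghost Click resolvers
(confirm against the DCWG page). SAMPLE_IPCONFIG is constructed text in
the English `ipconfig /all` layout, not a capture from a real machine.
"""
import ipaddress
import re

# Rogue resolver ranges published by the FBI. The court-ordered stand-in
# servers answered on these same addresses, so a hit means the machine is
# still pointed at the criminals' infrastructure whoever answers today.
ROGUE_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "85.255.112.0/20",   # 85.255.112.0 - 85.255.127.255
    "67.210.0.0/20",     # 67.210.0.0   - 67.210.15.255
    "93.188.160.0/21",   # 93.188.160.0 - 93.188.167.255
    "77.67.83.0/24",     # 77.67.83.0   - 77.67.83.255
    "213.109.64.0/20",   # 213.109.64.0 - 213.109.79.255
    "64.28.176.0/20",    # 64.28.176.0  - 64.28.191.255
)]

ADAPTER_RE = re.compile(r"^\S.*?\badapter (.+):\s*$")   # "Ethernet adapter X:"
DNS_KEY_RE = re.compile(r"^\s*DNS Servers[ .]*:\s*(.*)$")


def _as_address(text):
    """Normalised address if `text` is a single IP, else None. Drops the
    IPv6 scope id (%12) and the "(Preferred)" tag that ipconfig appends."""
    text = text.strip().split("%")[0].split("(")[0]
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return None


def parse_ipconfig_dns(output):
    """Map each adapter to the resolvers ipconfig lists for it.

    The first resolver is on the "DNS Servers . . . :" line; extra ones
    follow on indented continuation lines holding only an address, so the
    first line that is not an address closes the list."""
    servers, adapter, in_dns = {}, None, False
    for raw in output.splitlines():
        m = ADAPTER_RE.match(raw)
        if m:
            adapter, in_dns = m.group(1), False
            servers.setdefault(adapter, [])
            continue
        m = DNS_KEY_RE.match(raw)
        if m and adapter is not None:
            in_dns = True
            addr = _as_address(m.group(1))
        elif in_dns:
            addr = _as_address(raw)
            in_dns = addr is not None
        else:
            continue
        if addr:
            servers[adapter].append(addr)
    return servers


def is_rogue(address):
    """True if an IPv4 resolver falls inside a DNSChanger range."""
    ip = ipaddress.ip_address(address)
    return ip.version == 4 and any(ip in net for net in ROGUE_RANGES)


def find_rogue(output):
    """(adapter, address) pairs from ipconfig output that hit a rogue range."""
    return [(adapter, addr)
            for adapter, addrs in parse_ipconfig_dns(output).items()
            for addr in addrs if is_rogue(addr)]


# Constructed sample: one adapter pointed at the rogue range, one clean.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
   DNS Servers . . . . . . . . . . . : 85.255.112.36
                                       85.255.112.41
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   IPv6 Address. . . . . . . . . . . : fe80::1c2d:3e4f:5a6b:7c8d%12(Preferred)
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for adapter, addr in find_rogue(SAMPLE_IPCONFIG):
        print(f"ROGUE resolver on {adapter}: {addr}")
```

Pipe a real capture in (`ipconfig /all > out.txt` on the suspect machine, then `find_rogue(open("out.txt").read())`). What ipconfig prints is the per-interface NameServer value (static) or DhcpNameServer value (from DHCP) under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces, which is where the registry change the article describes lands. A hit on an adapter that shows "DHCP Enabled: Yes" points at the article's second mechanism: the router, not the PC, is handing out the rogue resolvers, and cleaning the PC alone will not fix it. On a Mac the same `is_rogue` check applies to each line of `networksetup -getdnsservers <service>`.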
 

mehrotra.akash

If someone didn't notice their DNS had been changed for 4 months, maybe cutting off access is the best way to alert them.
 

acc1444

If someone didn't notice their DNS had been changed for 4 months, maybe cutting off access is the best way to alert them.
Yeah. He calls the ISP to find out why his connectivity is down. At that time, the ISP can tell him about the DNS Changer malware.
Good idea to gain attention.

However, March 8 has been changed to July 9. Now, on July 9, the internet will go down.


Here you can remove it: Detect | DCWG
Please post your DNS if anybody is infected with the DNS Changer tool. About the solution: according to the FBI, the website is not working on infected systems. An infected system doesn't allow the user to open the website to solve the malware infection. At this point, no 100% solution has been found to deal with this trouble.

For details about DNS changer malware, visit DNSChanger Malware

- - - Updated - - -

I think this claim by Kaspersky is right.
http://www.tomshardware.com/news/apple-microsoft-security-malware-virus,15462.html

Check: 1 in 5 Macs has malware
http://mashable.com/2012/04/24/1-in-5-macs-has-malware-study/
 

Sushubh

Google Search would show the message to infected users. CloudFlare is offering a plugin that lets website owners show a similar message. It is enabled on the forum. So, if you are infected, you would be getting the message right here on the forum as well.
 


acc1444

Google Search would show the message to infected users. CloudFlare is offering a plugin that lets website owners show a similar message. It is enabled on the forum. So, if you are infected, you would be getting the message right here on the forum as well.
Haven't officials found any DNS systems associated with infected computers?
I think if they have found the DNSs, it will be easier to deal with this problem by taking those DNS systems down.
Have you received any updates about the DNS servers yet, from any user or from anywhere?
 

bajechele

London, July 5 (IANS) Internet users across the world have been warned by the Federal Bureau of Investigation (FBI) that if they have the "Alureon/DNS Changer bot" virus on their computers, they will lose their internet connections July 9.

The virus "spoofs" popular websites in an attempt to steal personal information, the Daily Mail reported. The software found its way into thousands of computers worldwide last year. It redirects users away from trusted websites, towards spoof websites in a bid to steal financial and personal information.

When the attack was noticed, the FBI routed infected machines through its server to stop the attacks. But the servers will be taken down July 9. When this happens, computers still infected are likely to lose their internet connection without warning.

Warnings about the problem have been splashed across Facebook and Google, and the FBI has set up a special website. The number of computers infected is more than 277,000 worldwide. The number was 360,000 in April. Of those still infected, the FBI believes that about 64,000 are in the US. Users still infected will have to call their service providers for deleting the malware and reconnecting to the internet.

Last year, when international hackers ran an online advertising scam to take control of more than 570,000 infected computers around the world, the FBI agents realised that if they turned off the malicious servers being used to control the computers, all the victims would lose their internet service. The FBI then installed two clean internet servers to take over instead of the malicious servers so that people would not suddenly lose internet. But that temporary system will be shut down July 9.
 

amar

Malicious software Alureon, which redirects web surfers away from trusted websites to spoof websites, is now threatening to black out over a quarter-million computers from the Internet on Monday (July 9).

Computers infected with the Alureon virus will lose their ability to go online at 4.01 GMT (9.31 am IST) on Monday, and would be able to reconnect only after the malware is deleted – a task that would require the help of the Internet service provider.

The viruses were designed to redirect Internet traffic through rogue DNS servers controlled by criminals. DNS servers are computer switchboards that direct Web traffic.

This dangerous software found its way onto hundreds of thousands of computers worldwide late last year. It was designed to re-direct you away from trusted websites, towards spoof websites in a bid to steal financial and personal information.

Also, Alureon Malware was at the heart of a hacking scam in the US in 2011. As of this week, about 245,000 computers worldwide were still infected by Alureon and its brethren.

While the rogue servers were taken down, a US court had ordered that temporary servers be kept in place while the victims' machines were repaired. The temporary servers will shut down at 4.01 GMT (9.31 am IST) on Monday – implying, infected PCs that have not been fixed will no longer be able to connect to the Internet.

The problem gets accentuated as most victims are unaware that their computers have been infected. The malicious software probably would have slowed their surfing speed and disabled their antivirus software, but remained unknown.

However, the good news is that it is easy to fix. Information on how to identify and clean up infections can be found on a website that a group of security firms and other experts set up: DCWG | DNS Changer Working Group.

Experts consider Alureon a small threat when compared with more prevalent viruses such as Zeus and SpyEye, which infect millions of PCs and are used to commit financial fraud.

Alureon virus: Internet blackout on Monday?