Post by Tom Pearce on Jul 5, 2012 15:19:01 GMT -5
What is the DNS Changer Malware?
On November 8, the FBI, the NASA-OIG and Estonian police arrested several cyber criminals in “Operation Ghost Click”. The criminals operated under the company name “Rove Digital”, and distributed DNS changing viruses, variously known as TDSS, Alureon, TidServ and TDL4 viruses. You can read more about the arrest of the Rove Digital principals here, and in the FBI Press Release.
What does the DNS Changer Malware do?
The botnet operated by Rove Digital altered user DNS settings, pointing victims to malicious DNS in data centers in Estonia, New York, and Chicago. The malicious DNS servers would give fake, malicious answers, altering user searches, and promoting fake and dangerous products. Because every web search starts with DNS, the malware showed users an altered version of the Internet.
Under a court order, expiring July 9, the Internet Systems Consortium is operating replacement DNS servers for the Rove Digital network. This will allow affected networks time to identify infected hosts, and avoid sudden disruption of services to victim machines.
How Can I Protect Myself?
This page describes how you can determine if you are infected, and how you can clean infected machines. To check if you're infected, Click Here. If you believe you are infected, here are instructions on how to clean your computer.
How can you detect if your computer has been violated and infected with DNS Changer?
An industry wide team has developed easy “are you infected” web sites. They are a quick way to determine if you are infected with DNS Changer. Each site is designed for any normal computer user to browse to a link, follow the instructions, and see if they might be infected. Each site has instructions in their local languages on the next steps to clean up possible infections.
For example, the www.dns-ok.us/ will state if you are or are not infected (see below).
No Software is Downloaded! The tools do not need to load any software on your computer to perform the check.
No changes are performed on your computer! Nothing is changed on your computer when you use sites like www.dns-ok.us/.
No scanning! The “are you infected with DNS Changer” tool does not need to scan your computer.
If you think your computer is infected with DNS Changer or any other malware, please refer to the security guides from your operating system or the self-help references from our fix page (http://www.dcwg.org/fix).
The following table is a list of all easy “are you infected” sites. It includes the links to the security organizations who are maintaining the sites. Each site has instructions in their local languages on the next steps to clean up possible infections.
URL | Language | Maintainer
www.dns-ok.us | English | DNS Changer Working Group (DCWG)
www.dns-ok.de | German | Bundeskriminalamt (BKA) & Bundesamt für Sicherheit in der Informationstechnik (BSI)
www.dns-ok.fi | Finnish, Swedish, English | CERT-FI is the Finnish national reporting point for computer security incidents and information security threats. CERT-FI is also responsible for maintaining the national information security situation awareness system.
www.dns-ok.ax | Swedish, Finnish, English | CERT-FI is the Finnish national reporting point for computer security incidents and information security threats. CERT-FI is also responsible for maintaining the national information security situation awareness system.
www.dns-ok.be | Dutch/French | CERT-BE is the primary Belgian contact point for dealing with Internet security threats and vulnerabilities affecting Belgian interests.
www.dns-ok.fr | French | CERT-LEXSI is the Internet monitoring and investigation division dedicated to protecting organisations' online assets.
www.dns-ok.ca | English/French | Canadian Internet Registration Authority (CIRA) and Canadian Cyber Incident Response Centre (CCIRC)
www.dns-ok.lu | English | CIRCL (Computer Incident Response Center Luxembourg) is the national Computer Security Incident Response Team (CSIRT - CERT) coordination center for the Grand Duchy of Luxembourg
www.dns-ok.nl | Dutch | SIDN (the Foundation for Internet Domain Registration in the Netherlands)
dns-ok.gov.au | English | CERT Australia, Stay Smart Online, and Australian Communications and Media Authority joint page on DNSChanger Information
dns-changer.eu | German, Spanish, English | ECO (Association of the German Internet Industry)
dnschanger.detect.my | Malay, English | Hosted by CyberSecurity Malaysia and MYCERT
dns-ok.jpcert.or.jp | Japanese | JPCERT/CC - Japan Computer Emergency Response Team Coordination Center
www.dns-ok.it | Italian | Telecom Italia Security Operation Center - IT.TS.SOC
If you are not affected by DNS Changer then do nothing.
If the Check-Up Site indicates that you are affected then either follow the instructions on that site or go to the “FIX” page.
Manually Checking if your DNS servers have been Changed
The following pages will help you check manually whether you have DNS Changer DNS servers configured on your computer. Using the "check up" pages is more effective, but some people will want to check manually.
Checking for DNS Changer on Windows XP
Checking for DNS Changer on Windows Vista (pending)
Checking Windows 7 for Infections
Checking OSX for Infections
Would my Service Provider Help Me?
Many service providers are notifying their customers. They are creating help pages that will help you detect and clean up DNS Changer from your system. Here is a partial list. Please contact your SP if you do not see them on the list.
ISP | Page
AT&T | AT&T DNS Changer information page for Home and Business Customers, and 8 Suggestions for Mitigating and Preventing DNSChanger Malware in your Enterprise - What Can Help You Avoid Being a Victim
Bell Canada | Important information about DNS Changer malware
CenturyLink | CenturyLink DNSChanger Customer Notice
Comcast | DNS Changer Bot FAQ
COX | COX DnsChanger Malware Information
Shaw Communications | Shaw Virus Protection
Telecom Italia | Technical Support for DNS Changer Malware
Time Warner Cable & RoadRunner | Time Warner Cable & Roadrunner Website for DNS Changer Malware
Verizon | Verizon's Virus Help Website for DNS Changer Malware
www.dcwg.org/detect/
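The manual-check pages listed above walk through the Windows and OS X network settings dialogs by hand. The script below is an added example of the same check done from the command line; it is not part of the DCWG page or of any of the listed check-up sites. It reads the resolvers the OS is actually using (ipconfig /all on Windows, /etc/resolv.conf elsewhere) and tests each one against the resolver address ranges the FBI published for the Rove Digital infrastructure, which the quoted page does not itself list. The two sample outputs embedded in the script are constructed for illustration.

```python
"""Flag configured DNS resolvers that fall inside the DNSChanger address ranges.

Added example; not the DCWG's tool. The ranges come from the FBI's published
DNSChanger notice, not from the DCWG detect page quoted above.
"""
import ipaddress
import platform
import re
import subprocess
from typing import Iterable, List, Tuple

# Resolver address blocks used by the Rove Digital DNSChanger servers
# (inclusive first/last address of each block).
ROGUE_RANGES: List[Tuple[str, str]] = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# ipconfig key lines look like "   DHCP Enabled. . . . . . . : Yes"; the
# dotted leader followed by a colon is what marks the start of a new key.
KEY_RE = re.compile(r"\. ?:")


def is_rogue(ip: str, ranges=ROGUE_RANGES) -> bool:
    """True if the IPv4 address lies inside any of the rogue ranges."""
    addr = ipaddress.IPv4Address(ip)
    return any(ipaddress.IPv4Address(lo) <= addr <= ipaddress.IPv4Address(hi)
               for lo, hi in ranges)


def parse_resolv_conf(text: str) -> List[str]:
    """Nameserver addresses from /etc/resolv.conf-style text (OS X, Linux)."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def parse_ipconfig(text: str) -> List[str]:
    """DNS server addresses from Windows 'ipconfig /all' output.

    The first server sits on the 'DNS Servers' line; further servers follow
    on indented continuation lines until the next key line or a blank line.
    """
    servers, in_dns = [], False
    for line in text.splitlines():
        if re.search(r"DNS Servers\s*[. ]*:", line):
            in_dns = True
            servers += IPV4_RE.findall(line)
        elif in_dns:
            if not line.strip() or KEY_RE.search(line):
                in_dns = False
            else:
                servers += IPV4_RE.findall(line)
    return servers


def check_resolvers(resolvers: Iterable[str], ranges=ROGUE_RANGES) -> List[Tuple[str, bool]]:
    """(resolver, is_rogue) per IPv4 resolver; IPv6 or malformed entries are skipped."""
    results = []
    for r in resolvers:
        try:
            results.append((r, is_rogue(r, ranges)))
        except ipaddress.AddressValueError:
            continue  # rogue ranges are IPv4 only
    return results


def local_resolvers() -> List[str]:
    """Resolvers the running host is configured to use."""
    if platform.system() == "Windows":
        out = subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout
        return parse_ipconfig(out)
    with open("/etc/resolv.conf") as fh:
        return parse_resolv_conf(fh.read())


# Constructed samples, used to exercise the parsers offline.
SAMPLE_RESOLV = "# constructed sample\nnameserver 85.255.112.36\nnameserver 8.8.8.8\n"
SAMPLE_IPCONFIG = """
Windows IP Configuration

   Host Name . . . . . . . . . . . . : victim-pc

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 10.0.0.5(Preferred)
   DNS Servers . . . . . . . . . . . : 93.188.160.2
                                       fec0:0:0:ffff::1%1
                                       10.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    results = check_resolvers(local_resolvers())
    for ip, bad in results:
        print(f"{ip:16} {'ROGUE (DNSChanger range)' if bad else 'ok'}")
    raise SystemExit(1 if any(bad for _, bad in results) else 0)
```

Two caveats when reading the result. First, a resolver of 192.168.x.x or 10.x.x.x usually means the PC is forwarding to a home router; DNSChanger also rewrote the upstream DNS settings on routers left with default passwords, so the same comparison has to be repeated against the resolvers configured in the router's admin page. Second, the court-ordered replacement servers answered at the same addresses the malware had configured, so a machine whose resolvers fall in these ranges is still misconfigured even if name resolution appears to work.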