  1. #1
    Thailand Expat harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    @
    Posts
    103,023

    DNS Changer News

    FBI Shuts Down DNSChanger Servers

    As expected, the FBI today shut down the DNSChanger servers, potentially cutting off Internet access to those with infected PCs.
    Despite the hysteria, however, security firm F-Secure said things appear to be under control, thanks to ISP intervention.
    "Many global operators are keeping their #DNSChanger victims online, even after FBI stopped. We do not expect much noise about this today," F-Secure's Mikko Hypponen tweeted today.
    On the F-Secure blog, the company said that "all in all, things are working out as they probably should in a case such as this. The infection count continues to decrease without a major crisis in support calls. (We've only received a couple from our own customers.)"
    F-Secure pointed to weekend data, which showed that DNSChanger was still present on about 47,000 computers in the U.S., down from about 70,000 last week. That was followed by Italy with 21,500 and about 20,000 in India.
    As noted by the BBC, South Korea was one of the first countries that would have been hit by the DNSChanger shutdown, but the country's Communications Commission chief said the "impact will be limited."
    The problem dates back to November 2011, when the FBI seized about 100 servers that were infecting millions of computers with the DNSChanger Trojan. Infected machines had their Domain Name System (DNS) settings altered so websites would redirect to servers controlled by the criminals. The scammers reportedly earned millions in affiliate and referral fees by diverting users through those sites.
    The FBI wanted to shut down the rogue servers, but if they did, infected computers would have lost access to the Internet immediately. So, the FBI got a court order to continue running the servers while people applied a patch. That court order was originally scheduled to expire on March 8, but was later extended to July 9. If infected machines were not fixed by this morning, their Internet connections went dark.
    If you are infected with DNSChanger, PCMag's Fahmida Rashid suggested that the average computer user seek the help of a computer professional to help with cleanup. For those who want to pursue the fix on their own, however, the DNS Changer Working Group has some suggestions for how to troubleshoot.
    For more, see How to Find, Remove DNSChanger From Your Router.
    Last edited by harrybarracuda; 09-07-2012 at 10:26 PM.
    The next post may be brought to you by my little bitch Spamdreth

  2. #2
    Thailand Expat harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    @
    Posts
    103,023
    This applies to Mac and PC, so go to one of these sites and see if you're infected:

    Checking OSX (MAC) for Infections

    The easiest way to check if your system is violated with DNS Changer malware is to go to one of the “are you infected sites” (see below). These sites only require someone to visit. The “are you infected site” will inform you if you are infected.
    Note: These sites only detect for DNS Changer. You might be infected with other malware. Please take appropriate precautions to protect your computer.
    | URL | Language | Maintainer |
    |---|---|---|
    | www.dns-ok.us | English | DNS Changer Working Group (DCWG) |
    | www.dns-ok.de | German | Bundeskriminalamt (BKA) & Bundesamt für Sicherheit in der Informationstechnik (BSI) |
    | www.dns-ok.fi | Finnish, Swedish, English | CERT-FI is the Finnish national reporting point for computer security incidents and information security threats. CERT-FI is also responsible for maintaining the national information security situation awareness system. |
    | www.dns-ok.ax | Swedish, Finnish, English | CERT-FI is the Finnish national reporting point for computer security incidents and information security threats. CERT-FI is also responsible for maintaining the national information security situation awareness system. |
    | www.dns-ok.be | Dutch/French | CERT-BE is the primary Belgian contact point for dealing with Internet security threats and vulnerabilities affecting Belgian interests. |
    | www.dns-ok.fr | French | CERT-LEXSI is the Internet monitoring and investigation division, dedicated to protecting organizations' online assets. |
    | www.dns-ok.ca | English/French | Canadian Internet Registration Authority (CIRA) and Canadian Cyber Incident Response Centre (CCIRC) |
    | www.dns-ok.lu | English | CIRCL (Computer Incident Response Center Luxembourg) is the national Computer Security Incident Response Team (CSIRT - CERT) coordination center for the Grand-Duchy of Luxembourg |
    | www.dns-ok.nl | Dutch | SIDN (the Foundation for Internet Domain Registration in the Netherlands) |
    | dns-ok.gov.au | English | CERT Australia, Stay Smart Online, and Australian Communications and Media Authority joint page on DNSChanger Information |
    | dns-changer.eu | German, Spanish, English | ECO (Association of the German Internet Industry) |
    | dnschanger.detect.my | Malaysian, English | Hosted by CyberSecurity Malaysia and MYCERT |
    | dns-ok.jpcert.or.jp | Japanese | JPCERT/CC - Japan Computer Emergency Response Team Coordination Center |
    | www.dns-ok.it | Italian | Telecom Italia Security Operation Center - IT.TS.SOC |

  3. #3
    Thailand Expat harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    @
    Posts
    103,023
    Last chance to remove DNSChanger virus before web outage


    Thousands could lose internet access when FBI cuts off temporary servers

    CBC News

    Posted: Jul 6, 2012 4:46 PM ET

    Last Updated: Jul 6, 2012 6:03 PM ET


    Anyone who hasn't removed the DNSChanger virus from their computer as of July 9 will lose internet access when the FBI shuts down the temporary servers it set up to keep victims of the virus connected to the web. (iStock)


    The FBI is snipping a cyber safety net on Monday that kept thousands of computer users online after their internet connections were hijacked by a piece of malware called DNSChanger, meaning those users could be disconnected from the web if they still haven't removed the virus by July 9.
    The good news is if you're among the 7,000 Canadian PC or Mac users — or the tens of thousands more worldwide — still believed to have machines infected with the nasty DNSChanger virus, you can spare yourself the misery of being cut off from email, Twitter, Facebook and other online distractions by performing a simple test.
    Google, Facebook and the FBI have all issued repeated alerts over the past year about the estimated 650,000 computers worldwide that fell victim to the DNSChanger trojan, but they and media outlets made one last public appeal this week warning of the looming July 9 deadline.
    That's when the FBI will shut down the temporary DNS servers it set up to keep the virus-infected computers connected to the internet after it broke up a criminal operation that had rerouted the machines through a system of false DNS servers, manipulating users' web searches in order to direct them to fraudulent websites.
    The websites promoted fake products and allowed the cybercriminals to earn money off the sale of these products and advertising.
    The temporary servers, operated by the non-profit Internet Systems Consortium, were meant to keep people connected to the web until the virus was removed and the connection through their usual internet service provider was resumed.
    How to check for virus

    Double-checking for the malware only takes a minute. Here's how to do it:
    The Canadian Internet Registration Authority (CIRA) has done much of the legwork for you by setting up an online screening system for your computer.
    Visit the website www.dns-ok.ca/ and click on a link agreeing to run your computer through the DNSChanger malware checker. The page should refresh and show you either a green or red banner, with a message stating whether DNSChanger has been detected.
    If it's green, you're in the clear. If the banner is red and a message confirms the virus has been detected, you can go to one of several websites set up to help inform the public about the virus and the related FBI operation for further instructions on how to remove it:

    Identifying malicious IP addresses

    Another way to screen for DNSChanger is to manually check and compare your computer's DNS settings to the known malicious DNS server IP addresses listed on the FBI or Public Safety Canada websites.
    According to those sites, if your IP address falls within one of the following groups, your computer is infected with the virus:
    • 85.255.112.0 through 85.255.127.25
    • 67.210.0.0 through 67.210.15.255
    • 93.188.160.0 through 93.188.167.255
    • 77.67.83.0 through 77.67.83.255
    • 213.109.64.0 through 213.109.79.255
    • 64.28.176.0 through 64.28.191.255
    To find your DNS settings, Public Safety Canada recommends the following steps.
    For Windows users:
    • Go to Start menu.
    • Select Run...
    • Type: cmd.exe [press ENTER].
    • Type in the black command window: ipconfig /all [press ENTER].
    • Search for the line that says "DNS Servers." Often, two or three IP addresses are listed.
    • Compare against list of rogue IP addresses.
    For Apple users:
    • Go to System Preferences.
    • Select Network.
    • Select the connection used for internet access (typically AirPort or Ethernet).
    • Select Advanced.
    • Select the DNS tab.
    • Compare against list of rogue IP addresses.
    What to do if your computer is infected

    It's always advisable to consult a reputable computer professional for help before taking any drastic steps to repair a machine infected with a computer virus.
    Several DNSChanger removal tools have been made available for download online. Free virus scan and removal software can be downloaded at www.dcwg.org/fix/.
    Another, more extreme course of action is to back up important data on your computer and then wipe the hard drive clean and reformat it.
    But if you choose this route, keep in mind that if you don't back up your files to a separate drive, you'll lose them, because reformatting cleans out all the files on a drive. You'll also need to reinstall your operating system and applications after reformatting.
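
An added example, not part of the quoted article or the original post: the manual comparison described in post #3, done in Python over `ipconfig /all` output, including the continuation lines and IPv6 zone ids that Windows prints under "DNS Servers". The sample output is constructed, and the ranges are copied as listed above (the first upper bound exactly as printed there), so check them against the FBI or Public Safety Canada list before relying on them.

```python
import ipaddress
import re

# Ranges copied as listed in the post above (first upper bound as printed there).
ROGUE_RANGES = [
    ("85.255.112.0", "85.255.127.25"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]
ROGUE = [(ipaddress.IPv4Address(a), ipaddress.IPv4Address(b)) for a, b in ROGUE_RANGES]
DNS_LABEL = re.compile(r"\s*DNS Servers[ .]*:\s*(.*)$")

# Constructed sample of `ipconfig /all` output (not from a real machine).
SAMPLE = """\
Ethernet adapter Local Area Connection:
   DHCP Enabled. . . . . . . . . . . : No
   DNS Servers . . . . . . . . . . . : 85.255.113.7
                                       10.1.1.204
                                       fec0:0:0:ffff::1%1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

def parse_ip(token):
    """Return an address object or None; an IPv6 zone id such as %1 is dropped."""
    try:
        return ipaddress.ip_address(token.strip().split("%")[0])
    except ValueError:
        return None

def dns_servers(ipconfig_text):
    """Collect every address under a 'DNS Servers' label, continuation lines included."""
    servers, in_block = [], False
    for line in ipconfig_text.splitlines():
        m = DNS_LABEL.match(line)
        if not m and not in_block:
            continue
        ip = parse_ip(m.group(1) if m else line)
        in_block = ip is not None      # a non-address line ends the list
        if ip is not None:
            servers.append(ip)
    return servers

def is_rogue(ip):
    # Only IPv4 is compared; the listed ranges are all IPv4.
    return ip.version == 4 and any(lo <= ip <= hi for lo, hi in ROGUE)

def check(ipconfig_text):
    """Map each configured DNS server to whether it is in a listed range."""
    return {str(ip): is_rogue(ip) for ip in dns_servers(ipconfig_text)}

if __name__ == "__main__":
    print(check(SAMPLE))
```

On a real machine, feed it the text of `ipconfig /all` saved to a file instead of `SAMPLE`.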

  4. #4
    M.A.D
    Carrabow's Avatar
    Join Date
    Dec 2010
    Last Online
    06-11-2015 @ 06:37 AM
    Location
    Globe trotting
    Posts
    3,856
    Good info Harry, better getting that than our resident guru's solution

  5. #5
    Ocean Transient
    Sailing into trouble's Avatar
    Join Date
    Apr 2010
    Last Online
    23-07-2024 @ 03:25 AM
    Location
    Untied from dock. Heading South Down West Coast of Canada.
    Posts
    3,631
    Cheers Harry.

    I'm good to go!

  6. #6
    Thailand Expat harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    @
    Posts
    103,023
    If you test against one of those servers (naturally I did the English one) and you get a green, you're OK.

    But update your AV software anyway while you think of it!

  7. #7
    M.A.D
    Carrabow's Avatar
    Join Date
    Dec 2010
    Last Online
    06-11-2015 @ 06:37 AM
    Location
    Globe trotting
    Posts
    3,856
    Quote Originally Posted by harrybarracuda View Post
    If you test against one of those servers (naturally I did the English one) and you get a green, you're OK.

    But update your AV software anyway while you think of it!

    BF told me.. If wish upon a twink; does not matter what you think

  8. #8
    Thailand Expat
    Mid's Avatar
    Join Date
    Aug 2007
    Last Online
    @
    Posts
    1,411
    Hi Harry ,

    Currently I can access TD but not Google .

    from the

    A) Windows:
    1. Go to start menu
    2. Select Run...
    3. Type : cmd.exe [press ENTER]
    4. Type in the black command window: ipconfig /all [press ENTER]
    Search for the line written: "DNS Servers". Often, 2 or 3 IP addresses are identified.



    my DNS servers show as fec:0:0:0:ffff::1%4


    problem here ?

  9. #9
    Thailand Expat harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    @
    Posts
    103,023
    Yes, that's a problem.

    How are you connected? Wifi to a Router? Or wired?

    And what version of Windows?

    In your Command window try:

    IPCONFIG /FLUSHDNS
    IPCONFIG /RELEASE
    IPCONFIG /RENEW

    Then do the IPCONFIG /ALL again and what do you see?

    Ideally you want DHCP enabled.

  10. #10
    Thailand Expat
    Mid's Avatar
    Join Date
    Aug 2007
    Last Online
    @
    Posts
    1,411
    windows xp sp 3

    wired to a d-link DSL-504T

    what is the numbers to access the router I forget ?

  11. #11
    Thailand Expat harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    @
    Posts
    103,023
    Well the first thing is to set your PC to get its DNS and IP address from the Router (i.e. set it to use DHCP).

    Do you know how to do that?

    Then the Router address will be the gateway you see on the IPCONFIG /ALL output. Hope you remember the login credentials.


  12. #12
    Thailand Expat
    Mid's Avatar
    Join Date
    Aug 2007
    Last Online
    @
    Posts
    1,411
    info deleted
    Last edited by Mid; 15-07-2012 at 03:16 PM.

  13. #13
    Thailand Expat
    Mid's Avatar
    Join Date
    Aug 2007
    Last Online
    @
    Posts
    1,411
    weird ,

    I can access TD / hotmail / and newsnow amongst others and access google via a proxy BUT no direct access to google

  14. #14
    Thailand Expat harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    @
    Posts
    103,023
    It looks like your router (gateway) is 10.1.1.1 and that's fine as a DNS server because it should do the DNS lookups for you.

    You need to find what is modifying your DNS settings on your PC.

    Without more detailed information, a full scan with your A/V, and maybe also with AdWare and also SpyBot Search & Destroy might be a good idea.

  15. #15
    Thailand Expat lom's Avatar
    Join Date
    Jan 2006
    Last Online
    @
    Location
    on my way
    Posts
    11,453
    Quote Originally Posted by Mid View Post
    info deleted
    I saw it..

    Is there any reason why you have enabled IPv6 for your computer, do you have any Win7 machines on your LAN?

    If not, then remove it from your ethernet adapter settings under Network Properties, all those long IP addresses and the Teredo tunneling adapter come from IPv6.

    Your DNS server pointed to the router which usually is the DNS server for LAN, it will do DNS resolution for all LAN clients.
    The router itself will use your ISP's DNS server when it can't solve the DNS request by itself and your problem reaching google is likely an ISP DNS server problem.

    The router will get the address of the ISP's DNS server automatically but there are usually options in the router for adding additional DNS servers.
    I do for instance use Google DNS servers in combination with OpenDNS servers as additional servers and have even set them up so they have precedence over my ISP's DNS server.

  16. #16
    Thailand Expat
    Mid's Avatar
    Join Date
    Aug 2007
    Last Online
    @
    Posts
    1,411
    Quote Originally Posted by lom
    Is there any reason why you have enabled IPv6 for your computer, do you have any Win7 machines on your LAN?
    torrents and yes .

    looks like you may be on to something 'cause I've only enabled IPv6 recently and that may be the start of Google disappearing ?

    question is how to disable as the enabling was done by uTorrent and bittorrent through the programs options .

  17. #17
    Thailand Expat
    Mid's Avatar
    Join Date
    Aug 2007
    Last Online
    @
    Posts
    1,411
    Quote Originally Posted by lom
    If not, then remove it from your ethernet adapter settings under Network Properties, all those long IP addresses and the Teredo tunneling adapter come from IPv6.
    right then that's that question answered

  18. #18
    Thailand Expat harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    @
    Posts
    103,023
    I have IPv6 sat there enabled and doing nothing and it doesn't muck with my DNS settings. Unless uTorrent or Bittorrent changed something else. Mind you I'm not using DHCP.

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : <hidden>
    Physical Address. . . . . . . . . : <hidden>
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::d074:ea56:2155:a247%11(Preferred)
    IPv4 Address. . . . . . . . . . . : 10.6.1.96(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 10.6.1.1
    DHCPv6 IAID . . . . . . . . . . . : 240974301
    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-64-5F-DE-5C-F9-DD-3E-25

    DNS Servers . . . . . . . . . . . : 10.1.1.202
    10.1.1.204
    NetBIOS over Tcpip. . . . . . . . : Enabled
    I forgot to say, you do know you can cut and paste from a COMMAND window, don't you?

  19. #19
    Thailand Expat
    Mid's Avatar
    Join Date
    Aug 2007
    Last Online
    @
    Posts
    1,411
    Thanxs Lom and Harry

    Removing IPv6 has solved the problem and google is back .
    Last edited by Mid; 15-07-2012 at 04:14 PM.

  20. #20
    Thailand Expat
    Mid's Avatar
    Join Date
    Aug 2007
    Last Online
    @
    Posts
    1,411
    Quote Originally Posted by harrybarracuda
    I forgot to say, you do know you can cut and paste from a COMMAND window, don't you?
    with mouse commands ?

  21. #21
    Thailand Expat harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    @
    Posts
    103,023
    ^ Sort of. In the top left corner, click and select "Edit, Mark".

    Then highlight the rectangle you want and click "Edit, Copy".

    It's a hangover from DOS, remember?

