
Author Topic: Internet service to be cut July 9  (Read 15549 times)


SuperDave

Internet service to be cut July 9
« on: July 04, 2012, 05:22:59 PM »
Thousands could lose internet service July 9. Full story here.
Windows 8 and Windows 10 dual boot with two SSD's

Helpmeh



Re: Internet service to be cut July 9
« Reply #1 on: July 04, 2012, 09:57:03 PM »
The title is a little misleading...it's only for those who were infected with the virus, and didn't clean it up properly.
Where's MagicSpeed?
Quote from: 'matt'
He's playing a game called IRL. Great graphics, *censored* gameplay.

overthehill



Re: Internet service to be cut July 9
« Reply #2 on: July 04, 2012, 10:46:40 PM »
Quote from: Helpmeh
The title is a little misleading...it's only for those who were infected with the virus, and didn't clean it up properly.

This is taken from the link provided: Since November 2011, the number of computers still infected with DNSChanger has dropped substantially to 275,000 worldwide. In Canada, only about 7,000 machines are estimated to remain infected, as a result of efforts by the FBI and computer security companies to get users to follow instructions on how to check for (http://www.dns-ok.ca/) and remove (http://www.dcwg.org/fix/) the virus.

So, if I'm free of infection at http://www.dns-ok.ca/ are there any other precautions that should be taken? Reading all the comments associated with this topic, almost made me dizzy.  overthehill






             

evilfantasy

Re: Internet service to be cut July 9
« Reply #3 on: July 05, 2012, 12:56:13 PM »
I just got this in a news feed last night. First I had heard of it.

Quote from: overthehill
So, if I'm free of infection at http://www.dns-ok.ca/ are there any other precautions that should be taken?

If you visit the test site and it says you are clean then you should be fine. Google and Facebook have also been alerting users that may be infected when visiting their websites.

Although if you visit Computer Hope regularly then you are probably fine. Most of the regulars are above average users and know when something is wrong with our computers. :)


overthehill



Re: Internet service to be cut July 9
« Reply #4 on: July 05, 2012, 05:47:29 PM »
Quote from: evilfantasy
I just got this in a news feed last night. First I had heard of it.
If you visit the test site and it says you are clean then you should be fine. Google and Facebook have also been alerting users that may be infected when visiting their websites.
Although if you visit Computer Hope regularly then you are probably fine. Most of the regulars are above average users and know when something is wrong with our computers. :)

Thanks evilfantasy. That's what I expected and wanted to hear.  I in fact wasn't that worried about me personally. Many of my contacts though; kids, relatives and friends etc. do not visit CH regularly and are not very proficient protecting themselves when it comes to the Internet etc. And, believe me it is not for my lack of trying. I'll certainly advise them though to visit the site to check for infection. Once again thanks, overthehill


             

Geek-9pm


Re: Internet service to be cut July 9
« Reply #5 on: July 05, 2012, 08:10:53 PM »

Dr Jay

Re: Internet service to be cut July 9
« Reply #6 on: July 06, 2012, 11:01:07 AM »
Quote from: evilfantasy
I just got this in a news feed last night. First I had heard of it.
If you visit the test site and it says you are clean then you should be fine. Google and Facebook have also been alerting users that may be infected when visiting their websites.
Although if you visit Computer Hope regularly then you are probably fine. Most of the regulars are above average users and know when something is wrong with our computers. :)

That is fine to check with DNS-OK, but never assume it is effective enough. See the manual check just in case: http://www.dcwg.org/detect/#Manually_Checking_if_your_DNS_server_have_been_Changed
~Dr Jay

Ryuk



    Re: Internet service to be cut July 9
    « Reply #7 on: July 06, 2012, 06:32:28 PM »
    I never got any message from Facebook or anything.  Will this also affect handheld devices?

    Geek-9pm


    Re: Internet service to be cut July 9
    « Reply #8 on: July 06, 2012, 06:54:21 PM »
    Ryuk,

    This is about the possible loss of service to many users who have the 'DNS changer' virus on their computers. Many people do not know they got the virus because the authorities turned the tables on the vandals.

    The problem is really an old problem. It will have an effect on people who have not verified the DNS settings on their computers.

    The DNS depends on where you live. You would want a service near you for best results. But the issue is to make sure it is a valid service.

    Ryuk



      Re: Internet service to be cut July 9
      « Reply #9 on: July 06, 2012, 07:00:48 PM »
      I am aware of this just recently.  So it won't affect things like phones and everything?

      Geek-9pm


      Re: Internet service to be cut July 9
      « Reply #10 on: July 06, 2012, 07:48:44 PM »
      They are saying it is found only in PCs.
      The threat is being over-hyped.
      Here is just one of many 'Look-the-sky-is-falling' stories.
      There Is No Excuse for Still Being Infected with DNSChanger
      (He is one of the few who downplays the scare.)
      Quote
      By Tony Bradley, PCWorld
      The FBI estimates that as many as 275,000 PCs are still at risk of losing access to the Web on Monday when it pulls the plug on the DNS servers it has maintained to redirect PCs compromised with the DNSChanger malware to legitimate websites. Seriously? How much warning do people need?...
      So far nobody has said it will be the end of the world... :P

      Dr Jay

      Re: Internet service to be cut July 9
      « Reply #11 on: July 07, 2012, 02:03:30 AM »
      Quote from: Geek-9pm
      The problem is really an old problem. It will have an effect on people who have not verified the DNS settings on their computers.
      The DNS depends on where you live. You would want a service near you for best results. But the issue is to make sure it is a valid service.

      Who've not verified their DNS? More like for those that have not FIXED their DNS!

      DNS depends on what ISP you have, or if you have changed it yourself. If viruses/malware have changed your DNS, it is your own problem not the ISP's problem. If you have elected to use Google DNS or OpenDNS, it is your business.

      Therefore, those infected with the rogue servers are considered zombies, which will be deactivated from Internet access as of Monday! This is the attempt to stop the DNSChanger cybercriminals, to help track down and investigate them.

      Whoever is keeping the DNSChanger botnet alive is being tracked down.
      ~Dr Jay

      Geek-9pm


      Re: Internet service to be cut July 9
      « Reply #12 on: July 07, 2012, 10:12:25 AM »
      DragonMaster Jay,
      For more about the Changer, do a Google.
      Here is a good one:
      http://www.pcmag.com/article2/0,2817,2406806,00.asp
      That author says it can be in your router. Therefore the user would NOT be aware. Few ever look into the router settings to see if the router is doing an override of DNS requests.

      Some routers allow remote access. In that case, a clever criminal could alter your router to hijack all DNS requests to another site.

      I am not trying to scare people. I just want to point out the DNS Changer is more evil than you imagine.

      Dr Jay

      Re: Internet service to be cut July 9
      « Reply #13 on: July 07, 2012, 10:20:06 AM »
      Yes, without being too specific, it usually causes router infections.

      We have canned speeches that help remove these router infections. It was discovered over a year and a half ago.

      Believe me, I've seen more evil malware than DNSChanger. It does not scare me.

      Quote
      Your router has been hacked by a malware author...aka hacker.

      It has placed illegitimate DNS addresses in to the DNS servers boxes, making websites you go to check with these fake addresses first.

      If the hacker chooses to do so, you will be redirected. I have to conclude that your router configuration has been hacked.

      Routers can be hacked from inside the network, which means if there is malware on your computer, it can trace itself back to your router, log in to your router, and change settings.

      These IP addresses:
      -Static DNS 1: 213.109.64.7
      -Static DNS 2: 213.109.72.139

      are Russian IP addresses from a company called ProLite LTD. They have been the core issue of hacked routers on the Internet for a few months now.

      What we need to do is a 30/30/30 reset for the router. It is a type of reset that will return it to firmware defaults....in other words...remove the malicious code from it and restore its original configuration.

      You will need a paper clip, or something as small as a paper clip head (like a safety pin or needle).


      While doing this, it may be appropriate to have someone help you, or be near the plug in for the router.

      On the back of the router, there will be a reset button...use the pin/needle to hold down the reset button for 30 seconds...while you have the button held down unplug the router from the outlet...continue holding reset button for 30 seconds...plug the router back in and continue holding reset button for 30 more seconds. After that, release the reset button.

      Your router should recognize most types of configuration and you should be able to use it right away.

      Re-set up your router as you did when you first got it. I know it is a time-based task, however, to defeat this infection, the router needs to be fully reset.

      If you have done this all successfully, let me know. Test out the Internet and tell me of any redirects.

      If you have any issues reconnecting the router, or getting it to work on your network, then do the following:

      unplug the (usually yellow) Internet cable that is run from the modem to the router, and plug that cable directly in to your computer. You should be able to access the Internet from that temporarily so you can communicate with me.

      Let me know how you got through all of this.

      So far, from other hacked routers, they have been successfully reset, and the infection disappeared.
      ~Dr Jay

      Computer_Commando



      Re: Internet service to be cut July 9
      « Reply #14 on: July 07, 2012, 01:32:54 PM »
      About 6 months ahead of time.

      evilfantasy

      Re: Internet service to be cut July 9
      « Reply #15 on: July 07, 2012, 03:18:08 PM »
      Quote from: Dr Jay
      Whoever is keeping the DNSChanger botnet alive is being tracked down.

      The FBI is in control of the malicious servers. They are taking the temporary clean servers offline and it will result in those still infected losing Internet access.

      Quote from: fbi.gov
      Update on March 12, 2012: To assist victims affected by the DNSChanger malicious software, the FBI obtained a court order authorizing the Internet Systems Consortium (ISC) to deploy and maintain temporary clean DNS servers. This solution is temporary, providing additional time for victims to clean affected computers and restore their normal DNS settings. The clean DNS servers will be turned off on July 9, 2012, and computers still impacted by DNSChanger may lose Internet connectivity at that time.

      http://www.fbi.gov/news/stories/2011/november/malware_110911

      Computer_Commando



      Re: Internet service to be cut July 9
      « Reply #16 on: July 07, 2012, 05:19:32 PM »
      Check your computer here:  http://www.dns-ok.us/

      overthehill



      Re: Internet service to be cut July 9
      « Reply #17 on: July 07, 2012, 07:24:57 PM »
      I'd just like to say a big THANKS to the "Pros" here at CH that were willing to share their expertise with those of us that are less informed. To some, this DNS Changer is a big deal. Now whether or not this ends up being another Y2K scare or not, we'll see. Nevertheless I'd just like to once again, say thanks for your help. overthehill


                   

      Geek-9pm


      Re: Internet service to be cut July 9
      « Reply #18 on: July 07, 2012, 09:02:06 PM »
      Quote from: Computer_Commando
      Check your computer here:  http://www.dns-ok.us/
      Works for me. Recommended.

      BC_Programmer


      Re: Internet service to be cut July 9
      « Reply #19 on: July 07, 2012, 09:55:44 PM »
      I'm unsure how the "DNS check" tool could not work in this case; I believe it is as simple as determining if DNS requests get sent to the IPs that are now controlled by the FBI. This would cover maliciously changed DNS settings in both the router (via changing DNS settings from the typical default of DHCP acquired) and the machine itself (via the hosts file).

      Routers cannot be 'infected' per se (well, they can, by forcing a malicious firmware to them, but since that differs between models and is rather involved it's not really as economic from the malicious author's point of view as just fiddling with the settings. Also, in that case a reset wouldn't resolve the problem either, since it just wipes the settings memory, and the malicious code would remain. So thank goodness for that.) One could argue that maliciously intentioned settings are as much an infection as maliciously intentioned executable code, but malicious settings can never do nearly as much damage as malicious code, since it's still confined to the capabilities of the program that uses those settings. Those settings can open holes to new infections, of course, and are certainly (as in this case) dangerous. In this case, the computer gets infected, the malware changes the hosts file and/or manages to push changes to the router, and goes on. The infection itself is only the executable trojan horse; remove that, and the infection is essentially gone. However, what is left are the various settings that were changed. In this case, those changes are definitely malicious, but calling it "malicious code" is somewhat misleading. They do have an effect, but my understanding is that malware 'treatment', much like medical treatment, aims to deal with the causes and not the symptoms.


      I don't know the technical information about DNS changer and how precisely it works particularly with regard to routers, but it's reasonable to assume it only works on a subset of routers, likely chosen to maximize the ability of the trojan to change settings by targeting popular routers. Each one would need to be dealt with "specially" by the trojan, since each one has a different web interface, so it needs to know the sequence of http requests to send to the device in order to change the DNS settings.

      Geek9pm: No router has the web-administration feature enabled by default, and I would hope people that do enable it have changed the password and username from the default!

      I believe Google and Facebook warn users whose DNS is redirected as well, though I cannot find any confirmation on that. If so, I would imagine most of the less tech savvy use at least one of those sites, which means that they have essentially ignored warnings telling them what is going to happen anyway.
      I was trying to dereference Null Pointers before it was cool.
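The manual check Dr Jay links in reply #6, sketched as an added example that is not part of the thread or of any poster's tooling: it reads the DNS servers out of `ipconfig /all` text, including the unlabelled continuation lines, and flags a router address as something that still needs checking on the router itself. The sample output is constructed, and the rogue list holds only the two addresses quoted in reply #13; the full ranges have to be taken from the DCWG page.

```python
import ipaddress
import re
import sys

# Rogue resolvers: only the two addresses quoted in reply #13 of this thread.
# The full DNSChanger ranges are on the DCWG page linked in reply #6; add them
# here as CIDR strings before trusting a clean result.
ROGUE_NETWORKS = [ipaddress.ip_network(n) for n in (
    "213.109.64.7/32",
    "213.109.72.139/32",
)]

# Constructed sample of `ipconfig /all` output, not captured from a real host.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 192.168.1.20(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 213.109.64.7
                                       213.109.72.139
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

   DHCP Enabled. . . . . . . . . . . : Yes
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

ADAPTER_RE = re.compile(r"^(\S.*adapter .*):\s*$")
# "Label . . . : value". Requiring a space before the colon keeps IPv6
# addresses on continuation lines from being mistaken for a new field.
FIELD_RE = re.compile(r"^\s+(.*?)[ .]* :\s*(.*)$")


def dns_servers_by_adapter(text):
    """Return {adapter name: [DNS server strings]} from `ipconfig /all` text."""
    result, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        header = ADAPTER_RE.match(line)
        if header:
            adapter, in_dns = header.group(1), False
            result[adapter] = []
            continue
        if adapter is None or not line.strip():
            in_dns = False
            continue
        field = FIELD_RE.match(line)
        if field:
            in_dns = field.group(1) == "DNS Servers"
            value = field.group(2)
        else:
            value = line  # continuation of the previous field
        if in_dns and value.strip():
            result[adapter].append(value.strip())
    return result


def classify(server):
    """Label one resolver: rogue, local-forwarder (router), public, unparsed."""
    try:
        ip = ipaddress.ip_address(server.split("%")[0])  # drop IPv6 scope id
    except ValueError:
        return "unparsed"
    if any(ip.version == net.version and ip in net for net in ROGUE_NETWORKS):
        return "rogue"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        # The PC only forwards to the router; the router's own DNS fields
        # must be compared against the same list in its admin page.
        return "local-forwarder"
    return "public"


def audit(text):
    """Return sorted (adapter, server, verdict) tuples for every DNS server."""
    found = dns_servers_by_adapter(text)
    return sorted((a, s, classify(s)) for a, servers in found.items() for s in servers)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_IPCONFIG
    for adapter, server, verdict in audit(text):
        print(f"{verdict:16} {server:16} {adapter}")
```

A `local-forwarder` verdict is not a clean bill of health: it means the address to compare against the list is the one stored in the router, which is the case Geek-9pm raises in reply #12.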

      Geek-9pm


      Re: Internet service to be cut July 9
      « Reply #20 on: July 08, 2012, 12:10:15 AM »
      BC, There is a list of the bad DNS IPs.  You could set your DNS to use one of them. Then when you run the test given above you will get a red flag. The 'BAD' DNS are now controlled by the FBI, so they are harmless, but they will trigger the warning when you do the test.

      If you go to the check using good DNS, you get the green page. If you go to the site via a BAD DNS you will be directed to the red page. That is what DNS redirection is all about anyway.  At any moment in time, not all DNS sites are in sync.

      Early versions of DNSChanger are still using the IPs that the FBI now controls.

      It is kind of hard to explain this in layman terms. In effect, the FBI hijacked the DNS IPs from the cyber criminals.

      Dr Jay

      Re: Internet service to be cut July 9
      « Reply #21 on: July 08, 2012, 04:23:45 AM »
      Quote from: evilfantasy
      The FBI is in control of the malicious servers. They are taking the temporary clean servers offline and it will result in those still infected losing Internet access.

      That still doesn't stop other blackhats/hackers from uploading mutated versions (of the rootkit) and distributing them in a different botnet. There could be double-agent activity going on!

      Quote from: BC_Programmer
      I'm unsure how the "DNS check" tool could not work in this case; I believe it is as simple as determining if DNS requests get sent to the IPs that are now controlled by the FBI. This would cover maliciously changed DNS settings in both the router (via changing DNS settings from the typical default of DHCP acquired) and the machine itself (via the hosts file).

      Sometimes the DNS check tool can be inaccurate, because of newer botnets appearing, as I explained above.

      Quote from: BC_Programmer
      Routers cannot be 'infected' per se (well, they can, by forcing a malicious firmware to them, but since that differs between models and is rather involved it's not really as economic from the malicious author's point of view as just fiddling with the settings. Also, in that case a reset wouldn't resolve the problem either, since it just wipes the settings memory, and the malicious code would remain. So thank goodness for that.)

      Routers can be infected, and CAN BE RESET to clear infection. I have experience with this. It is possible to get rid of any issues with a router by either deleting and reinstalling the firmware, or doing a 30/30/30 reset.

      Quote from: BC_Programmer
      I don't know the technical information about DNS changer and how precisely it works particularly with regard to routers, but it's reasonable to assume it only works on a subset of routers, likely chosen to maximize the ability of the trojan to change settings by targeting popular routers. Each one would need to be dealt with "specially" by the trojan, since each one has a different web interface, so it needs to know the sequence of http requests to send to the device in order to change the DNS settings.

      Sure fooled me on the vague technical info in the previous paragraph. The rootkit is specialized to deal with all types of routers, as it has comprised lists of settings.

      Quote from: BC_Programmer
      I believe Google and Facebook warn users whose DNS is redirected as well, though I cannot find any confirmation on that. If so, I would imagine most of the less tech savvy use at least one of those sites, which means that they have essentially ignored warnings telling them what is going to happen anyway.

      Yes they do give warnings. Google especially, as they will revoke your access to the site because of it.

      Quote from: Geek-9pm
      BC, There is a list of the bad DNS IPs.  You could set your DNS to use one of them. Then when you run the test given above you will get a red flag. The 'BAD' DNS are now controlled by the FBI, so they are harmless, but they will trigger the warning when you do the test.
      If you go to the check using good DNS, you get the green page. If you go to the site via a BAD DNS you will be directed to the red page. That is what DNS redirection is all about anyway.  At any moment in time, not all DNS sites are in sync.
      Early versions of DNSChanger are still using the IPs that the FBI now controls.
      It is kind of hard to explain this in layman terms. In effect, the FBI hijacked the DNS IPs from the cyber criminals.

      All Promnet/UkrTelegroup are controlled through the FBI. I'm sure there are others, but newer botnets are not being detected yet.

      FBI will essentially close all DNS servers (rogue) tomorrow.
      ~Dr Jay

      SuperDave

      Re: Internet service to be cut July 9
      « Reply #22 on: July 09, 2012, 04:33:37 PM »
      211,000 users affected by the FBI shutdown of the temp. sites. Not as bad as some had feared.
      Windows 8 and Windows 10 dual boot with two SSD's

      Dr Jay

      Re: Internet service to be cut July 9
      « Reply #23 on: July 09, 2012, 05:08:24 PM »
      ~Dr Jay

      AlienBZ



        Re: Internet service to be cut July 9
        « Reply #24 on: July 30, 2012, 04:16:16 AM »
        As for me, a classmate from school sent me an email about this govt. internet cutoff thing back in Nov. 2011, and from scanning this thread, I realize that I had been needlessly worried.

        I understand (I think) now that it was basically the servers that were up to no good and their users that were the real victims - b/c now they can no longer get online since the FBI (govt. dept) cut 'em offline.

        And I never had a problem with DNS or whatever. 

        Geek-9pm


        Re: Internet service to be cut July 9
        « Reply #25 on: July 30, 2012, 11:32:09 AM »
        See post #23 above.

        This specific issue of DNS Changer is over. However, malware is still a problem. And changing network settings is still one way criminal minds use to hijack your computer.

        batlon13



          Re: Internet service to be cut July 9
          « Reply #26 on: August 30, 2012, 12:36:52 AM »
          I did not receive any message from the internet company or Facebook. That's why my internet wasn't cut.