
Author Topic: Internet service to be cut July 9  (Read 15436 times)


evilfantasy

  • Malware Removal Specialist


  • Genius
  • Calm like a bomb
  • Thanked: 493
  • Experience: Experienced
  • OS: Windows 11
Re: Internet service to be cut July 9
« Reply #15 on: July 07, 2012, 03:18:08 PM »
Whoever is keeping the DNSChanger botnet alive is being tracked down.

The FBI is in control of the malicious servers. They are taking the temporary clean servers offline, and it will result in those still infected losing Internet access.

Quote from: fbi.gov
Update on March 12, 2012: To assist victims affected by the DNSChanger malicious software, the FBI obtained a court order authorizing the Internet Systems Consortium (ISC) to deploy and maintain temporary clean DNS servers. This solution is temporary, providing additional time for victims to clean affected computers and restore their normal DNS settings. The clean DNS servers will be turned off on July 9, 2012, and computers still impacted by DNSChanger may lose Internet connectivity at that time.

http://www.fbi.gov/news/stories/2011/november/malware_110911

Computer_Commando



    Hacker
  • Thanked: 494
  • Experience: Expert
  • OS: Windows 10
Re: Internet service to be cut July 9
« Reply #16 on: July 07, 2012, 05:19:32 PM »
Check your computer here:  http://www.dns-ok.us/

overthehill



    Apprentice

  • Keep Canada beautiful. Swallow your beer cans.
  • Thanked: 14
  • Experience: Familiar
  • OS: Windows Vista
Re: Internet service to be cut July 9
« Reply #17 on: July 07, 2012, 07:24:57 PM »
I'd just like to say a big THANKS to the "Pros" here at CH that were willing to share their expertise with those of us that are less informed. To some, this DNS Changer is a big deal. Now whether or not this ends up being another Y2K scare, we'll see. Nevertheless I'd just like to once again say thanks for your help. overthehill


Geek-9pm


    Mastermind
  • Geek After Dark
  • Thanked: 1026
    • Gekk9pm bnlog
  • Experience: Expert
  • OS: Windows 10
Re: Internet service to be cut July 9
« Reply #18 on: July 07, 2012, 09:02:06 PM »
Quote from: Computer_Commando
Check your computer here:  http://www.dns-ok.us/

Works for me. Recommended.

BC_Programmer


    Mastermind
  • Typing is no substitute for thinking.
  • Thanked: 1140
    • BC-Programming.com
  • Experience: Beginner
  • OS: Windows 11
Re: Internet service to be cut July 9
« Reply #19 on: July 07, 2012, 09:55:44 PM »
I'm unsure how the "DNS check" tool could not work in this case; I believe it is as simple as determining if DNS requests get sent to the IPs that are now controlled by the FBI. This would cover maliciously changed DNS settings in both the router (via changing DNS settings from the typical default of DHCP acquired) and the machine itself (via the hosts file).

Routers cannot be 'infected' per se (well, they can, by forcing a malicious firmware to them, but since that differs between models and is rather involved it's not really as economic from the malicious author's point of view as just fiddling with the settings. Also, in that case a reset wouldn't resolve the problem either, since it just wipes the settings memory, and the malicious code would remain). So thank goodness for that. One could argue that maliciously intentioned settings are as much an infection as maliciously intentioned executable code, but malicious settings can never do nearly as much damage as malicious code, since it's still confined to the capabilities of the program that uses those settings. Those settings can open holes to new infections, of course, and are certainly (as in this case) dangerous. In this case, the computer gets infected, the malware changes the hosts file and/or manages to push changes to the router, and goes on. The infection itself is only the executable trojan horse; remove that, and the infection is essentially gone. However, what is left are the various settings that were changed. In this case, those changes are definitely malicious, but calling it "malicious code" is somewhat misleading. They do have an effect, but my understanding is that malware 'treatment', much like medical treatment, aims to deal with the causes and not the symptoms.


I don't know the technical information about DNS changer and how precisely it works particularly with regard to routers, but it's reasonable to assume it only works on a subset of routers, likely chosen to maximize the ability of the trojan to change settings by targeting popular routers. Each one would need to be dealt with "specially" by the trojan, since each one has a different web interface, so it needs to know the sequence of http requests to send to the device in order to change the DNS settings.

Geek9pm: No router has the web-administration feature enabled by default, and I would hope people that do enable it have changed the password and username from the default!

I believe Google and Facebook warn users whose DNS is redirected as well, though I cannot find any confirmation on that. If so, I would imagine most of the less tech savvy use at least one of those sites, which means that they have essentially ignored warnings telling them what is going to happen anyway.
I was trying to dereference Null Pointers before it was cool.

Geek-9pm


    Mastermind
  • Geek After Dark
  • Thanked: 1026
    • Gekk9pm bnlog
  • Experience: Expert
  • OS: Windows 10
Re: Internet service to be cut July 9
« Reply #20 on: July 08, 2012, 12:10:15 AM »
BC, there is a list of the bad DNS IPs. You could set your DNS to use one of them. Then when you run the test given above you will get a red flag. The 'BAD' DNS are now controlled by the FBI, so they are harmless, but they will trigger the warning when you do the test.

If you go to the check using good DNS, you get the green page. If you go to the site via a BAD DNS you will be directed to the red page. That is what DNS redirection is all about anyway. At any moment in time, not all DNS sites are in sync.

Early versions of DNSChanger are still using the IPs that the FBI now controls.

It is kind of hard to explain this in layman's terms. In effect, the FBI hijacked the DNS IPs from the cyber criminals.
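The two posts above describe the same check from two sides: the dns-ok.us page goes red when the resolver your machine is using sits in one of the rogue ranges the FBI now controls. The script below is an added example (not from this thread or from dns-ok.us) of doing that check locally: it pulls the configured resolvers out of a resolv.conf file or `ipconfig /all` output and flags any that fall inside a rogue range. The CIDR ranges in it are constructed placeholders (TEST-NET blocks), not the real published DNSChanger list, which you would substitute.

```python
"""Flag configured DNS resolvers that fall inside known-rogue ranges.

Added example. ROGUE_RANGES holds CONSTRUCTED placeholder blocks, not the
FBI-published DNSChanger ranges; replace them with the real list.
"""
import ipaddress
import re

# Placeholder rogue-resolver blocks (constructed; documentation TEST-NETs).
ROGUE_RANGES = [ipaddress.ip_network(c) for c in (
    "203.0.113.0/24",    # stands in for one rogue resolver block
    "198.51.100.0/25",   # stands in for another
)]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# A Windows continuation line holds nothing but an address token.
ADDR_ONLY = re.compile(r"[0-9a-fA-F.:%]+")


def extract_resolvers(text: str) -> list[str]:
    """Return resolver IPv4s from resolv.conf lines or 'ipconfig /all' output."""
    found = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped.startswith("nameserver"):        # Unix resolv.conf entry
            found += IPV4.findall(stripped)
        elif stripped.startswith("DNS Servers"):     # Windows ipconfig field
            found += IPV4.findall(stripped)
            # Extra servers follow on indented lines containing only an address.
            for cont in lines[i + 1:]:
                if not ADDR_ONLY.fullmatch(cont.strip()):
                    break
                found += IPV4.findall(cont)
    return found


def flagged_resolvers(text: str) -> list[str]:
    """Resolvers inside a rogue range: the case that gives the 'red page'."""
    return [ip for ip in extract_resolvers(text)
            if any(ipaddress.ip_address(ip) in net for net in ROGUE_RANGES)]


# Constructed sample inputs: one Unix-style, one Windows-style.
SAMPLE_RESOLV_CONF = "# constructed\nnameserver 203.0.113.9\nnameserver 192.0.2.1\n"
SAMPLE_IPCONFIG = (
    "   DNS Servers . . . . . . . . . . . : 192.0.2.53\n"
    "                                       198.51.100.7\n"
    "   NetBIOS over Tcpip. . . . . . . . : Enabled\n"
)

if __name__ == "__main__":
    print("resolv.conf hits:", flagged_resolvers(SAMPLE_RESOLV_CONF))
    print("ipconfig hits:   ", flagged_resolvers(SAMPLE_IPCONFIG))
```

Feed it the real output of `cat /etc/resolv.conf` or `ipconfig /all`; an empty result is the green-page case, and a router-level change still shows up because the router hands its resolver address to the PC over DHCP.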

Dr Jay

  • Malware Removal Specialist


  • Specialist
  • Moderator emeritus
  • Thanked: 119
  • Experience: Guru
  • OS: Windows 10
Re: Internet service to be cut July 9
« Reply #21 on: July 08, 2012, 04:23:45 AM »
Quote from: evilfantasy
The FBI is in control of the malicious servers. They are taking the temporary clean servers offline, and it will result in those still infected losing Internet access.

That still doesn't stop other blackhats/hackers from uploading mutated versions (of the rootkit) and distributing them in a different botnet. There could be double-agent activity going on!


Quote from: BC_Programmer
I'm unsure how the "DNS check" tool could not work in this case; I believe it is as simple as determining if DNS requests get sent to the IPs that are now controlled by the FBI. This would cover maliciously changed DNS settings in both the router (via changing DNS settings from the typical default of DHCP acquired) and the machine itself (via the hosts file).

Sometimes the DNS check tool can be inaccurate, because of newer botnets appearing, as I explained above.

Quote from: BC_Programmer
Routers cannot be 'infected' per se (well, they can, by forcing a malicious firmware to them, but since that differs between models and is rather involved it's not really as economic from the malicious authors point of view as just fiddling with the settings. Also, in that case a reset wouldn't resolve the problem either, since it just wipes the settings memory, and the malicious code would remain. so thank goodness for that.

Routers can be infected, and CAN BE RESET to clear infection. I have experience with this. It is possible to get rid of any issues with a router by either deleting and reinstalling the firmware, or doing a 30/30/30 reset.

Quote from: BC_Programmer
I don't know the technical information about DNS changer and how precisely it works particularly with regard to routers, but it's reasonable to assume it only works on a subset of routers, likely chosen to maximize the ability of the trojan to change settings by targeting popular routers. Each one would need to be dealt with "specially" by the trojan, since each one has a different web interface, so it needs to know the sequence of http requests to send to the device in order to change the DNS settings.

Sure fooled me on the vague technical info in the previous paragraph. The rootkit is specialized to deal with all types of routers, as it has comprised lists of settings.

Quote from: BC_Programmer
I believe Google and Facebook warn users whose DNS is redirected as well, though I cannot find any confirmation on that. If so, I would imagine most of the less tech savvy use at least one of those sites, which means that they have essentially ignored warnings telling them what is going to happen anyway.

Yes they do give warnings. Google especially, as they will revoke your access to the site because of it.


Quote from: Geek-9pm
BC, there is a list of the bad DNS IPs. You could set your DNS to use one of them. Then when you run the test given above you will get a red flag. The 'BAD' DNS are now controlled by the FBI, so they are harmless, but they will trigger the warning when you do the test.

If you go to the check using good DNS, you get the green page. If you go to the site via a BAD DNS you will be directed to the red page. That is what DNS redirection is all about anyway. At any moment in time, not all DNS sites are in sync.

Early versions of DNSChanger are still using the IPs that the FBI now controls.

It is kind of hard to explain this in layman's terms. In effect, the FBI hijacked the DNS IPs from the cyber criminals.

All Promnet/UkrTelegroup are controlled through the FBI. I'm sure there are others, but newer botnets are not being detected yet.

FBI will essentially close all DNS servers (rogue) tomorrow.
~Dr Jay

SuperDave

    Topic Starter
  • Malware Removal Specialist


  • Genius
  • Thanked: 1020
  • Experience: Expert
  • OS: Windows 10
Re: Internet service to be cut July 9
« Reply #22 on: July 09, 2012, 04:33:37 PM »
211,000 users affected by the FBI shutdown of the temp. sites. Not as bad as some had feared.
Windows 8 and Windows 10 dual boot with two SSD's

Dr Jay

  • Malware Removal Specialist


  • Specialist
  • Moderator emeritus
  • Thanked: 119
  • Experience: Guru
  • OS: Windows 10
Re: Internet service to be cut July 9
« Reply #23 on: July 09, 2012, 05:08:24 PM »
~Dr Jay

AlienBZ

    Rookie
  • Experience: Beginner
  • OS: Unknown
Re: Internet service to be cut July 9
« Reply #24 on: July 30, 2012, 04:16:16 AM »
As for me, a classmate from school sent me an email about this govt. internet cutoff thing back in Nov. 2011, and from scanning this thread, I realize that I had been needlessly worried.

I understand (I think) now that it was basically the servers that were up to no good and their users that were the real victims - b/c now they can no longer get online since the FBI (govt. dept) cut 'em offline.

And I never had a problem with DNS or whatever.

Geek-9pm

    Mastermind
  • Geek After Dark
  • Thanked: 1026
    • Gekk9pm bnlog
  • Experience: Expert
  • OS: Windows 10
Re: Internet service to be cut July 9
« Reply #25 on: July 30, 2012, 11:32:09 AM »
See post #23 above.

This specific issue of DNS Changer is over. However, malware is still a problem. And changing network settings is still one way criminal minds use to hijack your computer.

batlon13

    Rookie
  • Experience: Experienced
  • OS: Windows 7
Re: Internet service to be cut July 9
« Reply #26 on: August 30, 2012, 12:36:52 AM »
I did not receive any message from the internet company or Facebook. That's why my internet didn't get cut.