Solve : Internet service to be cut July 9?


Quote from: DragonMaster Jay on July 07, 2012, 02:03:30 AM

Whoever is keeping the DNSChanger botnet alive is being tracked down.

The FBI is in control of the malicious servers. They are taking the temporary clean servers offline and it will result in those still infected to lose Internet access.

Quote from: fbi.gov
Update on March 12, 2012: To assist victims affected by the DNSChanger malicious software, the FBI obtained a court order authorizing the Internet Systems Consortium (ISC) to deploy and maintain temporary clean DNS servers. This solution is temporary, providing additional time for victims to clean affected computers and restore their normal DNS settings. The clean DNS servers will be turned off on July 9, 2012, and computers still impacted by DNSChanger may lose Internet connectivity at that time.

http://www.fbi.gov/news/stories/2011/november/malware_110911

Check your computer here: http://www.dns-ok.us/

I'd just like to say a big THANKS to the "Pros" here at CH that were willing to share their expertise with those of us that are less informed. To some, this DNS Changer is a big deal. Now whether or not this ends up being another Y2K scare or not, we'll see. Nevertheless I'd just like to once again, say thanks for your help. overthehill

Quote from: Computer_Commando on July 07, 2012, 05:19:32 PM
Check your computer here: http://www.dns-ok.us/

Works for me. Recommended.

I'm unsure how the "DNS check" tool could not work in this case; I believe it is as simple as determining if DNS requests get sent to the IPs that are now controlled by the FBI. This would cover maliciously changed DNS settings in both the router (via changing DNS settings from the typical default of DHCP acquired) and the machine itself (via the hosts file).

Routers cannot be 'infected' per se (well, they can, by forcing a malicious firmware to them, but since that differs between models and is rather involved it's not really as economic from the malicious author's point of view as just fiddling with the settings. Also, in that case a reset wouldn't resolve the problem either, since it just wipes the settings memory, and the malicious code would remain, so thank goodness for that). One could argue that maliciously intentioned settings are as much an infection as maliciously intentioned executable code, but malicious settings can never do nearly as much damage as malicious code, since it's still confined to the capabilities of the program that uses those settings. Those settings can open holes to new infections, of course, and are CERTAINLY (as in this case) dangerous. In this case, the computer gets infected, the malware changes the hosts file and/or manages to push changes to the router, and goes on. The infection itself is only the executable trojan horse; remove that, and the infection is essentially gone. However, what is left are the various settings that were changed. In this case, those changes are definitely malicious, but calling it "malicious code" is somewhat misleading. They do have an effect, but my understanding is that malware 'treatment', much like medical treatment, aims to deal with the causes and not the symptoms.

I don't know the technical information about DNS changer and how precisely it works particularly with regard to routers, but it's reasonable to assume it only works on a subset of routers, likely chosen to maximize the ability of the trojan to change settings by targeting popular routers. Each one would need to be dealt with "specially" by the trojan, since each one has a different web interface, so it needs to know the sequence of http requests to send to the device in order to change the DNS settings.

Geek9pm: No router has the web-administration feature enabled by default, and I would hope people that do enable it have changed the password and username from the default!

I believe Google and Facebook warn users whose DNS is redirected as well, though I cannot find any confirmation on that. If so, I would imagine most of the less tech savvy use at least one of those sites, which means that they have essentially ignored warnings telling them what is going to happen anyway.

BC, There is a list of the bad DNS IPs. You could set your DNS to use one of them. Then when you run the test given above you will get a red flag. The 'BAD' DNS are now controlled by the FBI, so they are harmless, but they will trigger the warning when you do the test.

If you go to the check using good DNS, you get the green page. If you go to the site via a BAD DNS you will be directed to the red page. That is what DNS redirection is all about anyway. At any moment in time, not all DNS sites are in sync.

Early versions of DNSChanger are still using the IPs that the FBI now controls.

It is kind of hard to explain this in layman terms. In effect, the FBI hijacked the DNS IPs from the cyber criminals.
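
The two posts above describe the check as comparing the DNS servers a machine uses against the list of rogue IPs. The following is an added example, not part of the thread or of the dns-ok.us tool: it parses Windows `ipconfig /all` output and flags resolvers inside listed ranges. The ranges and the sample output are constructed placeholders, since the thread does not give the actual list.

```python
import ipaddress
import re

# Placeholder ranges (RFC 5737 documentation space). The thread does not list
# the rogue DNSChanger ranges; substitute the published list before real use.
ROGUE_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]

# Constructed sample of `ipconfig /all` output, not captured from a real host.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   Default Gateway . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 192.0.2.53
                                       198.51.100.7
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

   DNS Servers . . . . . . . . . . . : 10.0.0.1
"""

def _as_ip(token):
    """Return the normalized address if token is an IP (zone id stripped), else None."""
    try:
        return str(ipaddress.ip_address(token.strip().split("%")[0]))
    except ValueError:
        return None

def dns_servers_by_adapter(text):
    """Map each adapter header in `ipconfig /all` text to its DNS server list."""
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        if line.rstrip().endswith(":") and not line[0].isspace():
            current, in_dns = line.rstrip().rstrip(":"), False
            adapters[current] = []
            continue
        label = re.match(r"\s+DNS Servers[ .]*:\s*(.*)", line)
        # Extra servers appear on continuation lines holding only an address.
        value = label.group(1) if label else (line if in_dns else "")
        ip = _as_ip(value)
        in_dns = ip is not None
        if ip and current is not None:
            adapters[current].append(ip)
    return adapters

def rogue_resolvers(text, networks=ROGUE_NETWORKS):
    """Return (adapter, ip) pairs whose configured resolver is in a listed range."""
    return [(name, ip) for name, ips in dns_servers_by_adapter(text).items()
            for ip in ips if any(ipaddress.ip_address(ip) in n for n in networks)]
```

An adapter that lists only the router as its DNS server (10.0.0.1 in the sample) passes this local check even when the router's own DNS setting has been changed, so the router configuration has to be inspected separately.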

Quote from: evilfantasy on July 07, 2012, 03:18:08 PM
The FBI is in control of the malicious servers. They are taking the temporary clean servers offline and it will result in those still infected to lose Internet access.
That still doesn't stop other blackhats/hackers from uploading mutated versions (of the rootkit) and distributing them in a different botnet. There could be double-agent activity going on!


Quote from: BC_Programmer on July 07, 2012, 09:55:44 PM
I'm unsure how the "DNS check" tool could not work in this case; I believe it is as simple as determining if DNS requests get sent to the IPs that are now controlled by the FBI. This would cover maliciously changed DNS settings in both the router (via changing DNS settings from the typical default of DHCP acquired) and the machine itself (via the hosts file).

Sometimes the DNS check tool can be inaccurate, because of newer botnets appearing, as I explained above.

Quote from: BC_Programmer on July 07, 2012, 09:55:44 PM
Routers cannot be 'infected' per se (well, they can, by forcing a malicious firmware to them, but since that differs between models and is rather involved it's not really as economic from the malicious author's point of view as just fiddling with the settings. Also, in that case a reset wouldn't resolve the problem either, since it just wipes the settings memory, and the malicious code would remain, so thank goodness for that).

Routers can be infected, and CAN BE RESET to clear infection. I have experience with this. It is possible to get rid of any issues with a router by either deleting and reinstalling the firmware, or doing a 30/30/30 reset.

Quote from: BC_Programmer on July 07, 2012, 09:55:44 PM
I don't know the technical information about DNS changer and how precisely it works particularly with regard to routers, but it's reasonable to assume it only works on a subset of routers, likely chosen to maximize the ability of the trojan to change settings by targeting popular routers. Each one would need to be dealt with "specially" by the trojan, since each one has a different web interface, so it needs to know the sequence of http requests to send to the device in order to change the DNS settings.

Sure fooled me on the vague technical info in the previous paragraph. The rootkit is specialized to deal with all types of routers, as it has comprised lists of settings.

Quote from: BC_Programmer on July 07, 2012, 09:55:44 PM
I believe google and facebook warn users whose DNS is redirected as well, though I cannot find any confirmation on that. If so, I would imagine most of the less tech savvy use at least one of those sites, which means that they have essentially ignored warnings telling them what is going to happen anyway.

Yes they do give warnings. Google especially, as they will revoke your access to the site because of it.


Quote from: Geek-9pm on July 08, 2012, 12:10:15 AM
BC, There is a list of the bad DNS IPs. You could set your DNS to use one of them. Then when you run the test given above you will get a red flag. The 'BAD' DNS are now controlled by the FBI, so they are harmless, but they will trigger the warning when you do the test.

If you go to the check using good DNS, you get the green page. If you go to the site via a BAD DNS you will be directed to the red page. That is what DNS redirection is all about anyway. At any moment in time, not all DNS sites are in sync.

Early versions of DNSChanger are still using the IPs that the FBI now controls.

It is kind of hard to explain this in layman terms. In effect, the FBI hijacked the DNS IPs from the cyber criminals.

All Promnet/UkrTelegroup are controlled through the FBI. I'm sure there are others, but newer botnets are not being detected yet.

FBI will essentially close all DNS servers (rogue) tomorrow.

211,000 users affected by the FBI shutdown of the temp. sites. Not as bad as some had feared.
Wrapping Up DNSChanger case

As for me, a classmate from school sent me an email about this govt. internet cutoff thing back in Nov. 2011, and from scanning this thread, I realize that I had been needlessly worried.

I understand (I THINK) now that it was basically the servers that were up to no good and their users that were the real victims - b/c now they can no longer get online since the FBI (govt. dept) cut 'em offline.

And I never had a problem with DNS or whatever. See post #23 above.

This specific issue of DNS Changer is over. However, malware is still a problem. And changing network settings is still one way criminal minds use to hijack your computer.

I did not receive any message from the internet company and Facebook. That's why my internet wasn't cut.

Posted on 18 May 2022, this text provides information on Other related to Computer News in Other. Please note that while accuracy is prioritized, the data presented might not be entirely correct or up-to-date. This information is offered for general knowledge and informational purposes only, and should not be considered as a substitute for professional advice.
