homepage Welcome to WebmasterWorld Guest from 54.167.75.155
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member

Visit PubCon.com
Home / Forums Index / Local / Foo
Forum Library, Charter, Moderators: incrediBILL & lawman

Foo Forum

    
DNSChanger Malware and Botnet Shutdown Will Cut 300,000 Off The Net
engine




msg:4472716
 9:08 am on Jul 5, 2012 (gmt 0)

I think we can expect some confusion next week from the 300,000 that had no idea they had a malware infestation.

DNSChanger Malware and Botnet Shutdown Will Cut 300,000 Off The Net [pcpro.co.uk]

The FBI will pull the plug on DNSChanger servers next week, leaving thousands of people without internet access - but such "tough love" is necessary to protect the internet, say experts.

DNSChanger does exactly what the name suggests, fiddling with DNS settings to maliciously redirect users via its command and control servers to different sites. On Monday, the FBI will shut down those servers, leaving as many as 300,000 PCs worldwide - and 19,589 in the UK, as of last month - with the wrong DNS settings and unable to access the web, unless they take the unusual step of directly entering IP addresses into the browser.

 

g1smd




msg:4472855
 4:16 pm on Jul 5, 2012 (gmt 0)

I thought this happened this time last year?

Is this a new episode or an inadvertently recycled story?

incrediBILL




msg:4473427
 3:56 am on Jul 7, 2012 (gmt 0)

Monday is the day, POOF! Offline for many.

More posted on CNN:
[money.cnn.com...]

Hundreds of thousands of Internet users whose computers are infected with a particularly nasty virus will be unable to access the Web starting on Monday

Kendo




msg:4473432
 4:54 am on Jul 7, 2012 (gmt 0)

I'm hoping that this only affects modems that are using default passwords or no password.

frankbomarito




msg:4473440
 6:05 am on Jul 7, 2012 (gmt 0)

y2k redux?

gouri




msg:4473487
 3:33 pm on Jul 7, 2012 (gmt 0)

Can someone tell me how to check the SOHO router settings?

Also, is there any way of checking if I changed the default password when the the router was installed because I am not sure what I did at that time?

netmeg




msg:4473504
 5:19 pm on Jul 7, 2012 (gmt 0)

wonder if this is any way connected with my bot attack (or something similar)

swa66




msg:4473506
 5:33 pm on Jul 7, 2012 (gmt 0)

To test if you're using the DNS settings from the malware (and hence will not be able to resolve domainnnames come next Monday, surf here:
[dns-ok.us...]
[US centric, other similar ones exist too]

This has hit the press many times before, if you do not live in a cave -without Internet- you've heard of this many times already.

In addition, ISPs around the globe have been warning affected users for many months.

As far as I'm concerned: Good riddance if they still have not cleaned up their malware. We should not tolerate their negligence. And cutting them off will be the only way to get those that remain infected to finally act.

Unfortunately some ISPs will continue to provide service to the infected by intercepting the DNS requests on their network and still answering them. A pity if you ask me as it means those customers will still not clean up their act.

gouri




msg:4473512
 6:37 pm on Jul 7, 2012 (gmt 0)

@swa66,

I looked at the website that you mentioned, and it said ok.

I was doing further research, and I read that on home computers, the default gateway and DNS servers might be set to a certain IP address, but your computer might be using one of the bad DNS servers and to check for that, the SOHO router settings have to be accessed.

I am not familiar with how to do this. I believe that I have a DSL modem, and I am also not sure if this is the same thing as a router.

After checking on the website that you mentioned, is there anything more that I should do?

Thanks.

swa66




msg:4473536
 9:40 pm on Jul 7, 2012 (gmt 0)

@gouri

Don't believe everything you read on the Internet ;-)

The test I linked to: if it says ok now, it will work on Monday. Best to stop worrying.

Regardless of how your setup is built (modem, router, wired, wireless, DSL, cable, ... ): if that test says ok, then your settings are ok.

There's only one exception possible: but even if it's the case, then it will most likely persist past Monday: your ISP might be intercepting DNS requests to the "bad" server and answering them themselves with the right answers - in that case the test I linked to failed and you might have the malware and/or its settings on your system. But any responsible ISP doing that would have contacted you by now and/or will continue to provide this past Monday.

Bottom line:
  • if [dns-ok.us...] lights up green: no worries,
  • if it's not green: clean up your PC asap, the deadline is Monday.
  • if your ISP told you you have the problem: it might overrule the green above.

If you have the problem many places like facebook, google etc. would have popped up warnings as well in the past months.

gouri




msg:4473576
 1:32 am on Jul 8, 2012 (gmt 0)

@swa66,

Thanks for the response.

It is really informative.

motorhaven




msg:4473583
 3:46 am on Jul 8, 2012 (gmt 0)

Since the FBI has control over the servers, why not do a simple redirect of all DNS queries to an FBI hosted site detailing that the computer is infected and steps to clean it up? Simple and effective approach compared to their shotgun method.

incrediBILL




msg:4473585
 3:56 am on Jul 8, 2012 (gmt 0)

why not do a simple redirect of all DNS queries to an FBI hosted site


That would've been my approach from the beginning.

I would've made all internet requests that hit those DNS servers redirect them all to a page telling them they're infected and it needs to get fixed, basically no internet except the site to fix the problem. Makes more sense than just plunging them into internet darkness which doesn't help anyone and will needlessly cause a huge high volume tech support nightmare for the ISPs come Monday.

Doesn't seem like the ISPs care or they'd be doing something about it, perhaps intercepting requests to those DNS servers and redirecting to their DNS servers.

Sometimes I guess it's easier to just let nature take it's course and the infected will learn the hard way what happens when you don't secure your gear.

opraus




msg:4473621
 9:55 am on Jul 8, 2012 (gmt 0)

300k / 1b = 1 in every 3,333. Or, 0.033%

IanCP




msg:4473741
 5:50 am on Jul 9, 2012 (gmt 0)

I'd be utterly shocked if any regular WebmasterWorld member would be affected.

Now an estimated 300,000 [high side] internationally, are alleged to be affected. FBI suspect figures.

In Australia we are solemnly informed that includes 6,000 Australians. What % of internet users world-wide does 300,000 comprise?

My view is that likely they comprise the bottom end of users who will click on anything, say yes to anything and don't even take primitive security measures. They are beyond help.

Some people can't ever be protected from themselves. At this very minute? None are aware of measures freely available to circumvent the problem.

Beyond help. If this story is true, 6,000 people will tomorrow be hammering Australian ISP's for their own stupidity.

henry0




msg:4473819
 1:53 pm on Jul 9, 2012 (gmt 0)

I'd be utterly shocked if any regular WebmasterWorld member would be affected.

IMHO That's not the point, the value lies in reminding any webmaster dealing with general users to be aware of what's going on.
I know by experience that too many non tech users are really sloppy :)

incrediBILL




msg:4473906
 8:44 pm on Jul 9, 2012 (gmt 0)

The most amusing part of this today has been reading the asinine comments some are leaving around the web about it being overblown and over-hyped just because it didn't impact anyone they know. I'm pretty sure if the FBI claimed it would impact 300K or so computers that they were using an actual count of IP addresses that were accessing those servers they were keeping online.

Hint - those people are now offline.

You won't hear from them for a while :)

Seriously, just because someone didn't hear the bear fart in the forest doesn't mean a tree didn't fall.

Sheesh.

akmac




msg:4475529
 11:28 pm on Jul 13, 2012 (gmt 0)

Bunch of nonsense. There hasn't been a single reported case o

Leosghost




msg:4475530
 11:42 pm on Jul 13, 2012 (gmt 0)

Thing is ..if they can't get on "the net"..how would they "report" anything..:)

If they have access to another machine and try to find out what is "wrong" by typing say "why can't I get on the net"..they'll find out ..realise that they were infected for a long long time ..probably via surfing pron or warez..and that questions might be asked.. :)

Are they going to tell ?

Or are the local PC repair shops just going to get an influx of .."can you fix this" ..

I've cleaned machines of "nasties" picked up whilst their owners were surfing for pron and warez and clicking on anything and everything ..told them that their history told me or anyone else what they had been doing, and where they had been going and what they had been searching..( only found one instance of a machine with temp files full of searches for and pics of child pron, and reported it immediately to mates in the Gendarmerie ) ..and that is just like most of us.. "fixing machines for people that we know" and who ask if we can have a look ( software or hardware )..not running a pc repair shop..

It's the kind of thing that you might mention in passing in a tech fora one day ..or not ..but you are not going to report every instance..nor are the PC repair shops ..they have better things to do..

"silent stats" ..just like the people who abandon shopping carts etc without ever saying why..happens ..but they don't make a song and dance about it..

IanCP




msg:4475571
 5:50 am on Jul 14, 2012 (gmt 0)

Consumed some "needed to fill" space in the media though.

Next shock, horror, scandal, fear, tragedy?

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Local / Foo
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved