Information: “Will Your Browser Go Dark on March 8?” (DNSChanger attack left overs)

Will Your Browser Go Dark on March 8? (DNSChanger attack left overs)
PC Magazine
This cyber criminal ring had infected about 4 million machines with malware worldwide, about half a million of them in the United States. FBI caught ’em. End of story, right? Well, not entirely. First, it’s important to understand what DNSChanger did….
http://securitywatch.pcmag.com/malware/293327-will-your-browser-go-dark-on-march-8 
“Yes, the FBI also offered a page to help with this problem. ….”
https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS

“Mustaca’s blog post explains how to determine whether your system is affected…..”
Avira DNS-Repair-Tool released
http://techblog.avira.com/2012/01/23/avira-dns-repair-tool-released/en/
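The FBI form and the Avira tool both boil down to the same question: which resolvers is this machine configured to use, and do they fall inside the address ranges the DNSChanger gang controlled? The following is an added example of my own (it is not code from PC Magazine, the FBI, or Avira) that answers that question offline from the output of `ipconfig /all` (Windows) or `/etc/resolv.conf` (Unix). The rogue ranges are the ones the FBI published in its DNSChanger advisory, reproduced from memory here, so verify them against the FBI page above before relying on them; the sample `ipconfig` and `resolv.conf` text is constructed for the example, not captured from a real machine. A machine that still points at these ranges is the one that "goes dark" once the replacement servers are switched off, and this check only catches those original ranges, not any other malicious resolver.

```python
import ipaddress
import re

# Address ranges of the DNSChanger (Rove Digital) rogue resolvers as published
# in the FBI's DNSChanger advisory. Reproduced from memory for this example:
# check them against the FBI page linked above before relying on them.
ROGUE_DNS_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]

# Convert the first/last pairs into CIDR networks once, so membership tests are cheap.
ROGUE_NETWORKS = [
    net
    for first, last in ROGUE_DNS_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    )
]


def is_rogue_dns(server):
    """True if `server` is an IPv4 address inside one of the rogue ranges.
    Anything unparsable (or IPv6) is reported as not rogue."""
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return False
    return addr.version == 4 and any(addr in net for net in ROGUE_NETWORKS)


def parse_ipconfig_dns(text):
    """Pull the DNS server list out of `ipconfig /all` output.
    The first server follows the 'DNS Servers . . . :' label; extra servers
    are printed on the following lines as a bare address each."""
    servers = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", lines[i])
        i += 1
        if not m:
            continue
        servers.append(m.group(1))
        # Continuation lines hold only an address (IPv4 or IPv6, maybe with %scope).
        while i < len(lines) and re.fullmatch(r"[0-9A-Fa-f:.%]+", lines[i].strip()):
            servers.append(lines[i].strip())
            i += 1
    return servers


def parse_resolv_conf(text):
    """Pull nameserver addresses out of a Unix /etc/resolv.conf."""
    return [
        parts[1]
        for parts in (line.split() for line in text.splitlines())
        if len(parts) >= 2 and parts[0] == "nameserver"
    ]


def check_servers(servers):
    """Return (server, is_rogue) pairs; the caller decides what to do with hits."""
    return [(s, is_rogue_dns(s)) for s in servers]


# Constructed sample of `ipconfig /all` output (not captured from a real machine).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : DESKTOP-01

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.10
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.36
                                       85.255.113.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Constructed sample resolv.conf pointing at a normal home router (not real data).
SAMPLE_RESOLV_CONF = "search home.example\nnameserver 192.168.1.1\n"

if __name__ == "__main__":
    for source, servers in (("ipconfig", parse_ipconfig_dns(SAMPLE_IPCONFIG)),
                            ("resolv.conf", parse_resolv_conf(SAMPLE_RESOLV_CONF))):
        for server, rogue in check_servers(servers):
            print(f"{source}: {server} -> {'ROGUE DNSChanger resolver' if rogue else 'ok'}")
```

To use it on a real machine, paste the output of `ipconfig /all` (or the contents of `/etc/resolv.conf`) in place of the constructed samples. Note that a machine behind a home router whose own DNS settings were changed by DNSChanger will show the router's private address here and pass this check; in that case the router's WAN-side DNS settings need the same inspection.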


NOTES: you can also try a quick check for botnet infection here….

Online Tool Developed to Check for Botnet Activity   [wrkx w/ Netbooks]
BotnetChecker.Com
Go To: http://botnetchecker.com/
PRWeb via Yahoo! News Wed, 12 Dec 2007 5:00 AM PST
http://news.yahoo.com/s/prweb/20071212/bs_prweb/prweb575432_1
It is estimated that 1 in 4 computers on the internet today are part of a botnet. After observing bot activity from thousands of compromised computers, local administrator develops easy way to check for botnet activity.

Trend Micro RUBotted (free) 4-5* (Detect only) [wrkx w/ Netbooks]
http://www.trendsecure.com/portal/en-US/tools/security_tools/rubotted
Malicious software called Bots can secretly take control of computers and make them participate in networks called “Botnets.” These networks can harness massive computing power and Internet bandwidth to relay spam, attack web servers, infect more computers, and perform other illicit activities.
Security experts believe that millions of computers have already joined Botnets without the knowledge of their owners. By using remotely-controlled computers, the criminals in charge of the Botnets try to remain anonymous and elude authorities seeking to prosecute them. RUBotted monitors your computer for suspicious activities and regularly checks with an online service to identify behavior associated with Bots. Upon discovering a potential infection, RUBotted prompts you to scan and clean your computer.

ADVANCED:

Bothunter – Wikipedia, the free encyclopedia
http://en.wikipedia.org/wiki/Bothunter
BotHunter is a free utility for Windows XP and Unix, which aims at detecting botnet activity within a network. It does so by analyzing network traffic and …
http://www.bothunter.net/ 

PLEASE SEE MY REPLIES FOR FURTHER INFORMATION AND REMOVALS….


One Response to “Information: “Will Your Browser Go Dark on March 8?” (DNSChanger attack left overs)”

  1. bluecollarpc Says:

    BELOW IS MOST OF WHAT THE AVIRA TOOL IS DOING WITH A CLICK ….

    Hi all….. one thing that is common with this area of malware is malware getting into the PC and changing the “Hosts File” for a redirect, usually to more malicious websites for nefarious reasons. Other keywords to search for are “IP Spoofing” and “DNS Cache Poisoning” ….

    http://www.webopedia.com/TERM/I/IP_spoofing.html
    http://en.wikipedia.org/wiki/DNS_cache_poisoning

    This is off the cuff, but from years of experience with the “badware”, as it is sometimes called as a universal term covering all of them and all they do. I am throwing an educated guess at the payload involved; it may even involve some variants or residuals on an individual basis, per handfuls here and there of hundreds to thousands of personal computers. A Botherder or Botmaster is a Command and Control console type arrangement the culprit(s) run and attempt clandestine contact with infected computers that can go into the millions – but they partially set some aside to test out how their malware payload is holding up against detection. They may have purposely infected the handfuls with variants of the payload in an attempt to resurrect the whole episode all over again. They (cyber criminals) have become very, very sophisticated now. Any phrase like “doomsday” today can actually be no exaggeration anymore.

    The measures taken here by the FBI et al. are unprecedented and on the scale of “State Sanctioned”. It has obviously been a measure not only to attempt correction and to protect all infected computers and their users’ private data – but to keep internet commerce itself alive, as the loss of millions would obviously have a large effect.

    I admittedly only perform some amateur forensics and would probably need days upon days upon days to do a write-up for full manual removal and correction of an affected system. I most likely could find the actual payload, as there are handfuls of company online search engines for just that. But, if one has a little savvy and wants to attempt further manual removal of the malware to avoid the cost of a PC Repair Shop – here are some tips. Mind you, in this case a Shop will obviously advise to reinstall Windows after completely wiping (erasing) the disk first – a common automatic procedure with a Windows CD/DVD or if you have made an Emergency Repair CD/DVD. (I would advise: do NOT hit “Repair” but go ahead and back up all files you wish to save first, then completely reinstall Windows, and THEN also scan the backed-up files for malware before restoring them to the PC, now in Factory Fresh condition.)

    REVIEW THIS FOR HOSTS FILES….
    Blocking Unwanted Parasites with a Hosts File
    http://winhelp2002.mvps.org/hosts.htm
    (In other words, in this area you are looking for how to restore your Hosts File to what it was before the infection changed it.)

    How can I reset the Hosts file back to the default?
    http://support.microsoft.com/kb/972034
    MICROSOFT FIX IT TOOL ***** HOSTS FILES

    ALSO….
    How to reset Internet Protocol (TCP/IP)
    http://support.microsoft.com/kb/299357

    A Point of Entry and Attack is the firewall that may even have been circumvented.
    Tunneling to circumvent firewall policy
    http://en.wikipedia.org/wiki/Tunneling_protocol#Tunneling_to_circumvent_firewall_policy
    You may want to uninstall it and clean up leftover files and registry entries (Registry Cleaner) …
    Here is about the best, and indeed they have finally released a free home version ….
    PowerTools Lite 2011 [Genuine Freeware]
    – The Freeware Registry and System Cleaner
    http://www.macecraft.com/powertoolslite2011/
    (Which is of course by the famous jv16 PowerTools – by far the top recommended for about a decade.)

    YUCK… one more area to review….

    TCP reset attack
    From Wikipedia, the free encyclopedia
    http://en.wikipedia.org/wiki/TCP_reset_attack

    Bottom line…. The above was posted for review, and hastily, if there are still problems, and if need be to mention in the event of a necessary trip to the PC Repair Shop. Attempt the recommended Avira Tool in these emails as advised. Check out the US-CERT links if needed or as a double check after the Avira clean-up – there is a link for detection at the FBI site for anyone fearing infection, I believe. (Avira has consistently had one of the best detection/blocking/removal ratings for years – visit VirusTotal.)

    AS I SUSPECTED THERE ARE MANY VARIANTS …… LIST (omg, there are 23 variants presently!!! – absolutely a Shop will advise to reinstall Windows without batting an eye)

    *COMPUTER ASSOCIATES*
    SOURCE / ONLINE SEARCH ENGINE – TYPE IN “DNSChanger” as the malware payload look-up…
    CA Spyware Information Center (Search Engine)
    http://www3.ca.com/securityadvisor/pest/
    CA Spyware Information Center search engine (Computer Associates, makers of PestPatrol and many security wares)
    (*Malware search engine look up is top right)

    SEARCH RESULTS: (hot links at results link for each below)
    http://www.ca.com/us/search/default.aspx?q=dnschanger&sk=findthreat&backUrl=http%3A%2F%2Fwww.ca.com%2Fus%2Fspyware.aspx
    1. DNSChanger B – CA Technologies Quick View – Size: 36 KB, Date: 01/09/2007
    2. DNSChanger P – CA Technologies Quick View – Size: 36 KB, Date: 02/22/2012
    3. DNSChanger P – CA Quick View – Size: 50 KB, Date: 11/20/2009
    4. DNSChanger G – CA Technologies Quick View – Size: 37 KB, Date: 02/19/2012
    5. DNSChanger C – CA Technologies Quick View – Size: 36 KB, Date: 04/19/2007
    6. DNSChanger S – CA Technologies Quick View – Size: 36 KB, Date: 02/22/2012
    7. DNSChanger U – CA Technologies Quick View – Size: 36 KB, Date: 01/29/2010
    8. DNSChanger T – CA Technologies Quick View – Size: 36 KB, Date: 01/29/2010
    9. DNSChanger M – CA Technologies Quick View – Size: 36 KB, Date: 02/21/2012
    10. DNSChanger L – CA Technologies Quick View – Size: 36 KB, Date: 07/17/2009
    11. DNSChanger – CA Technologies Quick View – Size: 36 KB, Date: 06/14/2006
    12. DNSChanger r – CA Technologies Quick View – Size: 36 KB, Date: 02/21/2012
    13. DNSChanger I – CA Technologies Quick View – Size: 36 KB, Date: 02/20/2012
    14. DNSChanger azf – CA Technologies Quick View – Size: 36 KB, Date: 02/20/2012
    15. DNSChanger H – CA Technologies Quick View – Size: 36 KB, Date: 02/19/2012
    16. DNSChanger E – CA Technologies Quick View – Size: 37 KB, Date: 11/26/2007
    17. DNSChanger D – CA Technologies Quick View – Size: 37 KB, Date: 02/19/2012
    18. DNSChanger k – CA Technologies Quick View – Size: 36 KB, Date: 08/04/2008
    19. DNSChanger A – CA Technologies Quick View – Size: 36 KB, Date: 07/29/2008
    20. DNSChanger ayy – CA Technologies Quick View – Size: 36 KB, Date: 02/05/2012
    21. DNSChanger arn – CA Technologies Quick View – Size: 36 KB, Date: 03/11/2008
    22. DNSChanger aum – CA Technologies Quick View – Size: 36 KB, Date: 03/11/2008
    23. DNSChanger F – CA Technologies Quick View – Size: 37 KB, Date: 02/19/2012

    BASIC PAYLOAD…..
    DNSChanger
    Date Published:
    Wednesday, June 14, 2006
    Alias
    W32/Backdoor.KGE [F-Prot Antivirus]
    Overall Risk : HIGH
    Category
    Trojan: Any program with a hidden intent. Trojans are one of the leading causes of breaking into machines. If you pull down a program from a chat room, newsgroup, or even from unsolicited e-mail, then the program is likely trojaned with some subversive purpose. The word Trojan can be used as a verb: to trojan a program is to add subversive functionality to an existing program. For example, a trojaned login program might be programmed to accept a certain password for any user’s account that the hacker can use to log back into the system at any time. Rootkits often contain a suite of such trojaned programs.
    Date of Origin: Variants from September, 2009 to September, 2009
    Operation
    DNSChanger: at least DNSChangerKB
    Files:
    [tn]dnschanger.exe
    2701526
    hgqhp.exe
    kdrgh.exe
    virtue_7884154
    kdrgh.exe
    hgqhp.exe
    [tn]dnschanger.exe

    WEBMASTER / http://www.bluecollarpc.us/

    Gerald / PS – a quality real-time protection antimalware installed no doubt would have blocked this infection and variants to date. Cyber Crime Units no doubt have about all the rest of the information needed by now, with professional forensics performed.
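The comment above recommends restoring the hosts file with the Microsoft Fix It, and the MVPS page it links to is itself a legitimate hosts file that sinkholes ad and tracker domains to 0.0.0.0. So "any non-default entry" is not a useful alarm; what matters is which entries are there. The following is an added example of my own (not the Avira tool, the Microsoft Fix It, or the commenter's procedure) that parses a hosts file and flags the two patterns worth looking at before you reset it: names redirected to a real, non-local address (the redirect to a malicious site the comment describes) and security-vendor or update domains pointed at loopback so the machine cannot update or be cleaned. The list of protected domains is an assumption I chose for illustration from the vendors mentioned on this page, and the sample hosts file is constructed (203.0.113.10 is a documentation address, not a real attacker host).

```python
import ipaddress

# Addresses that make an entry a "block" rather than a redirect.
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}

# Illustrative list (an assumption for this example, taken from the vendors
# named on this page): domains malware commonly blocks so the victim cannot
# update Windows, reach the AV vendor, or scan a suspect file.
PROTECTED_SUFFIXES = (
    "microsoft.com",
    "windowsupdate.com",
    "avira.com",
    "trendmicro.com",
    "virustotal.com",
)


def parse_hosts(text):
    """Return (lineno, address, [hostnames]) for every active entry.
    Comments (after '#') and lines whose first token is not an IP address are ignored."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        entries.append((lineno, parts[0], [h.lower() for h in parts[1:]]))
    return entries


def _is_protected(name):
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text):
    """Return (lineno, address, hostname, reason) for each suspicious mapping."""
    findings = []
    for lineno, addr, names in parse_hosts(text):
        for name in names:
            # The stock localhost entries are fine.
            if name in ("localhost", "localhost.localdomain") and addr in LOCAL_SINKS:
                continue
            if addr not in LOCAL_SINKS:
                # A real address here silently sends the name to a host of the attacker's choosing.
                findings.append((lineno, addr, name, "redirected to non-local address"))
            elif _is_protected(name):
                # Sinkholing a vendor/update domain is a block, not an ad filter.
                findings.append((lineno, addr, name, "security/update domain sinkholed"))
    return findings


# Constructed sample hosts file: stock Windows header, one MVPS-style ad block,
# one redirect to a documentation address, and two sinkholed vendor domains.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ad.doubleclick.net      # MVPS-style blocklist entry: harmless
203.0.113.10    www.mybank.example      # redirect to a constructed attacker address
127.0.0.1       update.microsoft.com    # blocks Windows Update
127.0.0.1       www.virustotal.com
"""

if __name__ == "__main__":
    for lineno, addr, name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {addr} {name}: {reason}")
```

On Windows the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`; on Unix it is `/etc/hosts`. Anything this flags is worth recording (line number, address, name) before running the Microsoft reset, since the reset wipes the evidence of where the redirects pointed.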

