DNSCHanger Malware Removal – Notes Show All (Internet goes dark March 8)

BELOW IS MOST OF WHAT THE AVIRA TOOL IS DOING WITH A CLICK ….

Tool available for those affected by the DNS-Changer
http://www.avira.com/en/support-for-home-knowledgebase-detail/kbid/1199

The Truth About the March 8 Internet Doomsday
http://www.pcworld.com/article/250296/the_truth_about_the_march_8_internet_doomsday.html#tk.nl_spx_t_cbintro

US-CERT Current Activity – DNSChanger Malware
http://www.us-cert.gov/current/index.html
http://www.us-cert.gov/current/index.html#operation_ghost_click_malware

Hi all….. one thing common to this class of malware is getting into the PC and changing the “Hosts File” to redirect the user, usually to further malicious websites for nefarious reasons. Other key words worth searching are “IP Spoofing” and “DNS Cache Poisoning” ….

http://www.webopedia.com/TERM/I/IP_spoofing.html
http://en.wikipedia.org/wiki/DNS_cache_poisoning

This is off the cuff, but from years of experience with the “badware”, as it is sometimes called as a universal term covering all of it and all it does. I am throwing an educated guess at the payload involved; it may even involve some variants or residuals on an individual basis, per handfuls here and there of hundreds to thousands of personal computers. A Botherder or Botmaster is a Command and Control console type arrangement the culprit(s) run, attempting clandestine contact with infected computers that can number in the millions – but partially setting some aside to test out how their malware payload is holding up against detection. They may have purposely infected the handfuls with variants of the payload in an attempt to resurrect the whole episode all over again. They (cyber criminals) have become very, very sophisticated nowadays. Any phrase like “doomsday” today can actually be no exaggeration anymore.

The measures taken here by the FBI et al are unprecedented and on the scale of “State Sanctioned”. It has obviously been a measure not only to attempt correction and to protect all infected computers and their users’ private data – but to keep internet commerce itself alive, as the loss of millions of machines would obviously have a large effect.

I admittedly only perform some amateur forensics and would probably need days upon days upon days to do a write-up for full manual removal and correction of an affected system. I most likely could find the actual payload, as there are handfuls of company online search engines for just that. But if one has a little savvy and wants to attempt further manual removal of the malware to avoid the cost of a PC Repair Shop, here are some tips. Mind you, in this case a Shop will obviously advise reinstalling Windows after completely wiping (erasing) the disk first – a common automatic procedure with a Windows CD/DVD or with an Emergency Repair CD/DVD you have made. (I would advise: do NOT hit “Repair”, but go ahead and back up all files you wish to save first, then completely reinstall Windows, and THEN also scan the backed-up files for malware before restoring them to the PC, now in Factory Fresh condition.)

REVIEW THIS FOR HOSTS FILES….
Blocking Unwanted Parasites with a Hosts File
http://winhelp2002.mvps.org/hosts.htm
(In other words, in this area you are looking for how to restore your Hosts
File to its state before the infection changed it.)

How can I reset the Hosts file back to the default?
http://support.microsoft.com/kb/972034
MICROSOFT FIX IT TOOL ***** HOSTS FILES
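As an added example (not part of the original post, and not Avira’s or Microsoft’s tooling), here is a small Python script that reads a Windows-style Hosts file and lists every mapping that sends a name somewhere other than the PC itself, which is exactly what a redirecting Hosts file change looks like. The hosts text, the domain names and the 203.0.113.45 address inside it are constructed for the example.

```python
"""Added example (not from the original post): parse a Windows-style hosts
file and flag entries that are not the stock loopback lines.  A redirecting
hosts-file change shows up as a name mapped to an address that is not the
machine itself.  SAMPLE_HOSTS below is constructed for the example."""
import ipaddress

# The only mappings a stock Windows hosts file carries (often commented out).
DEFAULT_ENTRIES = {
    ("127.0.0.1", "localhost"),
    ("::1", "localhost"),
}

# Constructed sample: stock header, the two default lines, one injected
# redirect of a (made-up) bank name, and one blocking-style entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
# constructed example of an injected redirect
203.0.113.45    www.example-bank.test   example-bank.test
0.0.0.0         ad.example.test
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every active mapping in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip = parts[0]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue   # malformed line, not a mapping
        for host in parts[1:]:
            yield ip, host.lower(), line_no


def classify(ip, host):
    """Return 'default', 'blocked' or 'redirect' for one mapping."""
    if (ip, host) in DEFAULT_ENTRIES:
        return "default"
    addr = ipaddress.ip_address(ip)
    # Loopback / unspecified targets only blackhole the name (the style a
    # blocking hosts file such as the MVPS one uses); anything else silently
    # sends the name to another machine.
    if addr.is_loopback or addr.is_unspecified:
        return "blocked"
    return "redirect"


def suspicious_entries(text):
    """Mappings that send a hostname somewhere other than the PC itself."""
    return [(ip, host, n) for ip, host, n in parse_hosts(text)
            if classify(ip, host) == "redirect"]


if __name__ == "__main__":
    for ip, host, n in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {n}: {host} -> {ip}")
```

To check a real machine, read C:\Windows\System32\drivers\etc\hosts into `suspicious_entries()` instead of SAMPLE_HOSTS. Entries pointing at 127.0.0.1 or 0.0.0.0 are reported as “blocked” rather than “redirect”, so a deliberately installed blocking Hosts file like the MVPS one does not drown out the lines that matter.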

ALSO….
How to reset Internet Protocol (TCP/IP)
http://support.microsoft.com/kb/299357

A Point of Entry and Attack is the firewall, which may even have been circumvented.
Tunneling to circumvent firewall policy
http://en.wikipedia.org/wiki/Tunneling_protocol#Tunneling_to_circumvent_firewall_policy
You may want to uninstall it and clean up the left-over files and registry
entries (with a Registry Cleaner) … Here is about the best, and indeed they have finally released a free home version ….
PowerTools Lite 2011 [Genuine Freeware]
– The Freeware Registry and System Cleaner
http://www.macecraft.com/powertoolslite2011/
(Which is of course by the makers of the famous jv16 PowerTools – by far the top recommended for about a decade.)

YUCK… one more area to review….

TCP reset attack
From Wikipedia, the free encyclopedia
http://en.wikipedia.org/wiki/TCP_reset_attack

Bottom line…. The above was posted for review, and hastily, in case there are still problems and it needs to be mentioned on a necessary trip to the PC Repair Shop. Try the Avira tool recommended in these emails, as advised. Check out the US-CERT links if needed, or as a double check after the Avira clean-up – there is a link for detection at the FBI site for anyone fearing infection, I believe. (Avira has consistently had one of the best detection/blocking/removal ratings for years – visit VirusTotal.)

AS I SUSPECTED THERE ARE MANY VARIANTS …… LIST (omg, there are 23 variants presently ! ! !) – Absolutely, a Shop will advise reinstalling Windows without batting an eye.

*COMPUTER ASSOCIATES*
SOURCE / ONLINE SEARCH ENGINE AND TYPE IN “DNSChanger” as malware payload
look up…
CA Spyware Information Center (Search Engine)
http://www3.ca.com/securityadvisor/pest/
CA Spyware Information Center search engine (ComputerAssociates, makers of
PestPatrol and many security wares)
(*Malware search engine look up is top right)

SEARCH RESULTS: (hot links at results link for each below)
http://www.ca.com/us/search/default.aspx?q=dnschanger&sk=findthreat&backUrl=http%3A%2F%2Fwww.ca.com%2Fus%2Fspyware.aspx
No. – Name – Source – Size – Date
1. DNSChanger B – CA Technologies Quick View – Size: 36 KB – Date: 01/09/2007
2. DNSChanger P – CA Technologies Quick View – Size: 36 KB – Date: 02/22/2012
3. DNSChanger P – CA Quick View – Size: 50 KB – Date: 11/20/2009
4. DNSChanger G – CA Technologies Quick View – Size: 37 KB – Date: 02/19/2012
5. DNSChanger C – CA Technologies Quick View – Size: 36 KB – Date: 04/19/2007
6. DNSChanger S – CA Technologies Quick View – Size: 36 KB – Date: 02/22/2012
7. DNSChanger U – CA Technologies Quick View – Size: 36 KB – Date: 01/29/2010
8. DNSChanger T – CA Technologies Quick View – Size: 36 KB – Date: 01/29/2010
9. DNSChanger M – CA Technologies Quick View – Size: 36 KB – Date: 02/21/2012
10. DNSChanger L – CA Technologies Quick View – Size: 36 KB – Date: 07/17/2009
11. DNSChanger – CA Technologies Quick View – Size: 36 KB – Date: 06/14/2006
12. DNSChanger r – CA Technologies Quick View – Size: 36 KB – Date: 02/21/2012
13. DNSChanger I – CA Technologies Quick View – Size: 36 KB – Date: 02/20/2012
14. DNSChanger azf – CA Technologies Quick View – Size: 36 KB – Date: 02/20/2012
15. DNSChanger H – CA Technologies Quick View – Size: 36 KB – Date: 02/19/2012
16. DNSChanger E – CA Technologies Quick View – Size: 37 KB – Date: 11/26/2007
17. DNSChanger D – CA Technologies Quick View – Size: 37 KB – Date: 02/19/2012
18. DNSChanger k – CA Technologies Quick View – Size: 36 KB – Date: 08/04/2008
19. DNSChanger A – CA Technologies Quick View – Size: 36 KB – Date: 07/29/2008
20. DNSChanger ayy – CA Technologies Quick View – Size: 36 KB – Date: 02/05/2012
21. DNSChanger arn – CA Technologies Quick View – Size: 36 KB – Date: 03/11/2008
22. DNSChanger aum – CA Technologies Quick View – Size: 36 KB – Date: 03/11/2008
23. DNSChanger F – CA Technologies Quick View – Size: 37 KB – Date: 02/19/2012
——–>

BASIC PAYLOAD…..
DNSChanger
Date Published:
Wednesday, June 14, 2006
Alias
W32/Backdoor.KGE [F-Prot Antivirus]
Overall Risk : HIGH
Category
Trojan: Any program with a hidden intent. Trojans are one of the leading causes of breaking into machines. If you pull down a program from a chat room, newsgroup, or even from unsolicited e-mail, then the program is likely trojaned with some subversive purpose. The word Trojan can be used as a verb: to trojan a program is to add subversive functionality to an existing program. For example, a trojaned login program might be programmed to accept a certain password for any user’s account that the hacker can use to log back into the system at any time. Rootkits often contain a suite of such trojaned programs.
Date of Origin
date of origin: Variants from September, 2009 to September, 2009
Operation
DNSChanger: at least DNSChangerKB
Files:
[tn]dnschanger.exe
2701526
hgqhp.exe
kdrgh.exe
virtue_7884154
kdrgh.exe
hgqhp.exe
[tn]dnschanger.exe
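An added example, not from the original post and not CA’s own tooling: a Python sweep that walks a directory tree for the file names in the CA listing above (the names are taken from that listing; matching is case-insensitive because NTFS is). The sample tree that build_sample_tree() creates is constructed for the example and stands in for a real Windows system drive.

```python
"""Added example (not from the original post): sweep a directory tree for the
payload file names quoted from the CA "DNSChanger" entry on this page.  The
temporary tree built by build_sample_tree() is constructed for the example."""
import os
import tempfile

# File names taken from the CA "DNSChanger" entry quoted above.
PAYLOAD_NAMES = {
    "[tn]dnschanger.exe",
    "2701526",
    "hgqhp.exe",
    "kdrgh.exe",
    "virtue_7884154",
}


def sweep(root, names=PAYLOAD_NAMES):
    """Return the sorted full paths under root whose base name is in names.
    Comparison is case-insensitive, as NTFS file names are."""
    wanted = {n.lower() for n in names}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.lower() in wanted:
                hits.append(os.path.join(dirpath, f))
    return sorted(hits)


def build_sample_tree():
    """Create a throwaway tree (constructed) with two planted matches and decoys."""
    root = tempfile.mkdtemp(prefix="dnschanger_sweep_")
    layout = [
        "Windows/System32/notepad.exe",               # decoy
        "Windows/Temp/HGQHP.EXE",                     # matches hgqhp.exe, other case
        "Users/pc/AppData/Local/Temp/virtue_7884154", # matches as listed
        "Users/pc/Documents/report.docx",             # decoy
    ]
    for rel in layout:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"")   # empty placeholder file; content is irrelevant here
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in sweep(sample_root):
        print("match:", hit)
```

Point `sweep()` at the system drive to use it for real. Two caveats from the page itself: the variant list shows the file names change between variants, so no hits does not mean a clean machine, and a hit is a reason to run the Avira tool and check the DNS settings, not proof on its own.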

WEBMASTER / http://www.bluecollarpc.us/

PS – a quality real-time antimalware protection, if installed, would no doubt have blocked this infection and its variants to date. Cyber Crime Units no doubt have about all the rest of the information needed by now, with professional forensics performed.

One Response to “DNSCHanger Malware Removal – Notes Show All (Internet goes dark March 8)”

  1. bluecollarpc Says:

    HEADLINES…..

    FBI to blackout Trojan-infected servers on March 8
    GMA News
    Last November, the FBI took down the DNSChanger botnet network, which a cyber criminal gang used to redirect Internet traffic to fake websites that served ads. But to prevent Internet traffic from being disrupted and to trace the DNSChanger traffic, …
    http://www.gmanetwork.com/news/story/247650/scitech/technology/fbi-to-blackout-trojan-infected-servers-on-march-8

    March 8th Will Be Digital Doomsday?
    LimeLife (blog)
    There are reports that the agency could shut down Web servers for those systems and routers infected by the malware package called DNSChanger. The DNSChanger virus actually worked to change internet settings for those machines it infected, …
    http://www.limelife.com/blog-entry/March-8th-Will-Be-Digital-Doomsday/138756.html

    Avoid Internet Doomsday: Check for DNSChanger Malware Now
    PC Magazine
    The DNSChanger malware replaced the Domain Name System settings for the computers and routers it infected with addresses of malicious servers. When users tried to access certain websites, the rogue DNS servers redirected the Web traffic through other …
    http://www.pcmag.com/article2/0,2817,2401227,00.asp

    Security Slackers Risk Internet Blackout on March 8
    PCWorld
    That could represent a substantial number of users, too, as half of
    Fortune 500 companies and government agencies are infected with the
    malware, according to a new report. Back in November, the feds famously took down the DNSChanger botnet network, …
    http://www.pcworld.com/article/249238/security_slackers_risk_internet_blackout_on_march_8.html

    IRS among victims of internet servers infected by DNSChanger Trojan
    Greeley Gazette
    Here’s the worst part: The malware also prevents security updates and disables installed security software. The FBI has set March 8 as the deadline for private and government internet servers to have the malware called the DNSChanger Trojan out of …
    http://www.greeleygazette.com/press/?p=13414

    Feds request DNS Changer extension to keep 400K users online
    Computerworld
    By Gregg Keizer Computerworld –
    Officials with the US government have asked a New York judge to extend an impending deadline that could sever ties to the Internet for hundreds
    of thousands of users infected with the “DNS Changer” malware.
    http://www.computerworld.com/s/article/9224491/Feds_request_DNS_Changer_extension_to_keep_400K_users_online

    Why computers infected with DNSChanger could lose Internet access
    GCN.com
    If those servers go offline as expected, computers still infected with
    malware directing DNS requests to those addresses will be effectively
    cut off from the internet. This gives administrators and home PC owners two more weeks to identify and remove …
    http://gcn.com/articles/2012/02/22/dnschanger-fbi-march-8-internet-cut-off.aspx

    Feds try to buy more time for DNSChanger cleanup
    GCN.com
    The malware directed Domain Name System queries to the ring’s DNS
    servers, which then sent traffic to malicious sites. After the arrests,
    the FBI seized more than 100 servers in the United States used in the
    ring and obtained a court order to operate …
    http://gcn.com/articles/2012/02/23/feds-petition-dnschanger-cleanup-internet-cutoff.aspx

    500000 zombie PCs imperiled as expiration of court order approaches
    Ars Technica
    “Extending the operation of the Replacement DNS Servers will provide
    additional time for victims to remove the malware from their computers,
    thereby enabling them to reach websites without relying on the
    Replacement DNS Servers,” the court motion …
    http://arstechnica.com/business/news/2012/02/500000-zombies-risk-death-as-dnschanger-court-order-nears-expiration.ars?utm_source=rss&utm_medium=rss&utm_campaign=rss

    DNSChanger poses a new threat to its victims
    Infosecurity Magazine
    24 February 2012
    The threat in the ides of March may come a week early this year for
    remaining DNSChanger victims – on the 8th of March to be precise.
    This is the date on which the FBI is planning to shut down its
    substitute servers; those servers it set up when it took down the
    DNSChanger botnet. An FBI report at the time outlined the issue: “One consequence of disabling the rogue DNS network is …
    http://www.infosecurity-magazine.com/view/24113/dnschanger-poses-a-new-threat-to-its-victims/

    US about to switch off millions of computers
    TechEye
    Six men accused of managing and profiting from the botnet are expected to be extradited from their native Estonia to face charges in the United States. DNSChanger modifies settings on a host PC that tells the computer how to find websites on the …
    http://news.techeye.net/security/us-about-to-switch-off-millions-of-computers

    Orphaned Bots Facing Internet Blackout
    Dark Reading
    By Kelly Jackson Higgins Botnet takedowns typically leave many orphaned bots in their wake: rarely do they leave still-infected machines cut off from the Internet, but that’s what is in store for hundreds of thousands of machines that have yet to be …
    http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/232601288/orphaned-bots-facing-internet-blackout.html

    As deadline nears, federal agencies mostly free of DNSChanger
    GCN.com
    By William Jackson SAN FRANCISCO —
    Although millions of computers around the world could still contain the
    DNSChanger malware used by an Internet fraud ring, government agencies and large enterprises appear to have done a good job
    of cleaning up the …
    http://gcn.com/articles/2012/03/01/rsa-13-federal-dnschanger-cleanup.aspx

    Feds Request More Time to Deal With DNS Changer Malware
    Patch.com
    On March 8, computers infected with a certain piece of malware may no
    longer be able to access the Internet unless a federal court judge
    grants an extension to keep temporary servers online. Users of computers infected with the DNS Changer malware have …
    http://dacula.patch.com/articles/feds-request-more-time-to-deal-with-dnschanger-malware

    Judge extends DNS Changer deadline as malware cleanup progresses
    Computerworld
    By Gregg Keizer Computerworld –
    A federal judge yesterday extended an operation that will keep hundreds of thousands of users infected with the “DNS Changer” malware connected to the Internet until they can
    scrub their machines. Meanwhile, Tacoma, Wash …
    http://www.computerworld.com/s/article/9224926/Judge_extends_DNS_Changer_deadline_as_malware_cleanup_progresses?taxonomyId=82

    FBI won’t cut off your Internet for another 4 months
    msnbc.com
    8 of last year, Estonian authorities busted a low-key cybercrime ring
    who’d used a variety of malware, collectively called “DNSChanger,”
    to infect approximately 4 million PCs, Macs and network routers
    worldwide and redirect those machines’ Web traffic …
    http://www.msnbc.msn.com/id/46644705/ns/technology_and_science-security/

    Computers infected with DNSChanger get a reprieve from internet cut off
    The Verge
    By Ryan Heise on March 7, 2012 06:12 am 4Comments
    The US government has secured an extension to keep computers infected with the DNSChanger malware connected to the internet until July 9th. The move prolongs the original date of March 8th set by the …
    http://www.theverge.com/2012/3/7/2850835/dnschanger-malware-internet-extend

    SENDER:
    Webmaster:
    BlueCollarPC.US
    Malware Removal / Amateur Forensics
    HOME http://bluecollarpc.us/
    Alternate https://sites.google.com/site/pcsecurityhelper/
    HELP http://tech.groups.yahoo.com/group/BlueCollarPCSecurity/
    Membership/Join List:
    Subscribe: BlueCollarPCSecurity-subscribe@yahoogroups.com
    Free Malware Removal Help / A Community Website Since 2005

