Internet Storm Center panel tonight at SANSFIRE 2012!
Last Updated: 2012-07-09 21:40:17 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
If you are in Washington, DC enjoying SANSFIRE 2012, don't forget that the Internet Storm Center State of the Internet Panel discussion is tonight at 7:15 PM in the Hilton Washington International Ballroom Center. See you all there!
Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
Web: http://manuel.santander.name
e-mail: msantand at isc dot sans dot org
The FBI will turn off the Internet on Monday (or not)
On Monday, the DNS Changer Working Group will discontinue providing DNS service to hosts infected with the DNS Changer virus. This news item led to a flood of news reports, which IMHO blow the entire affair out of proportion (the headline of this diary entry pretty much reflects a discussion I had today with a nontechnical person responding to one of these articles). If you are reading this article, you are likely to be one of the people asked for advice on "how to protect yourself" from this virus. I find it useful to stick to these talking points:
The DNS Changer malware was spreading last year and changed DNS settings in computers it infected. After arresting the group behind this malware, the FBI, as permitted by a court order, worked with ISPs and the DNS Changer Working Group to continue to operate the DNS server that the infected systems pointed to. The hope was to identify and notify as many infected systems as possible. As expected, over the last few months, these efforts had diminishing results. The court order permitting the DNS server is about to expire and, as a result, this stand-in DNS server will not continue to operate.
If your system is still configured to use the bad DNS server, you will not be able to resolve host names. Even if you removed the malware, it is still possible that you didn't revert the DNS settings change.
For Windows users, this may not matter. According to some reports, Windows may revert to the default settings once the DNS server is turned off. If you used the bad DNS server, chances are that various entities tried to notify you. Google, for example, should have shown you a banner. If you don't see a warning banner when visiting Google, you are not one of the systems identified as infected.
Some ISPs set up their own DNS servers for DNS Changer victims. These DNS servers will remain active for now.
This malware is also old enough that antivirus, if you run any, should have signatures for it.
In short: Don't worry. There are estimates of 250,000 infected systems based on data from the DNS Changer Working Group. There are about 2,000,000,000 internet users. So about 0.01% of internet users are infected. In other words: very few, and they are people who have disregarded warning banners, phone calls from ISPs, AV warnings, and other notification attempts. They probably should be disconnected from the Internet.
In a few cases routers may be affected by the change, and the router will use the wrong DNS server. Again: if you are connected to one of these routers, you should have seen warning banners. If you haven't seen warning banners at Google: Don't worry.
Lastly: Tell people to go to dcwg.org (short for DNS Changer Working Group.org). It has a little test to tell you if you are affected or not. It also has a lot of first-hand information about this malware.
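A local check for the leftover DNS setting described in the talking points, as an added example that is not part of the original diary: it parses resolv.conf-style text and flags any configured resolver that falls inside a list of rogue ranges. The ranges and the sample file are constructed placeholders (documentation networks), and the function names are hypothetical; the real ranges are not given on this page and would come from the DCWG.

```python
import ipaddress
import sys

# Constructed placeholders (RFC 5737 documentation networks), NOT the real
# rogue resolver ranges; substitute the ranges published by the DCWG.
ROGUE_RANGES = [ipaddress.ip_network(n)
                for n in ("192.0.2.0/24", "198.51.100.0/25")]

# Constructed sample: a resolver file left behind after the malware was removed.
SAMPLE_RESOLV_CONF = """\
# generated by dhclient
search example.internal
nameserver 192.0.2.53      ; stale entry, never reverted
nameserver 10.0.0.1
nameserver fe80::1%eth0
nameserver not-an-ip
options timeout:2
"""

def parse_nameservers(text):
    """Return the resolver addresses found in resolv.conf-style text."""
    servers = []
    for raw in text.splitlines():
        # Drop '#' and ';' comments, then split into keyword and value.
        fields = raw.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue
        try:
            # Strip an IPv6 zone id such as %eth0 before parsing.
            servers.append(ipaddress.ip_address(fields[1].split("%", 1)[0]))
        except ValueError:
            continue  # malformed entry, skip it
    return servers

def rogue_resolvers(text, ranges=ROGUE_RANGES):
    """Return configured resolvers that fall inside any listed range."""
    return [str(ip) for ip in parse_nameservers(text)
            if any(ip.version == net.version and ip in net for net in ranges)]

if __name__ == "__main__":
    # Pass a path such as /etc/resolv.conf; with no argument the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESOLV_CONF
    hits = rogue_resolvers(text)
    # A clean result only covers this host: a router handing out its own
    # address as resolver may still forward to a rogue server upstream.
    print("rogue resolvers:", hits or "none")
```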
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute