 sj |
||
|
||
Tech: A REAL Internet Shutdown - Malware
|
|
|
Subject: Tech: A REAL Internet Shutdown - Malware From: JohnInKansas Date: 23 Feb 12 - 06:26 PM YOU COULD LOSE YOUR INTERNET CONNECTION ON 08 MARCH. Some time ago, a specific Trojan infection called DNSServer was found on many computers. This malware redirected Internet connections on infected machines to phony servers where the criminal operators used bogus ads to collect "pay per click" advertising revenues. Estimates are that the criminal ring collected about $14,000,000 by this fraud. When the ring was broken, operation of the phony servers was taken over by the FBI, under a court order, and since that time the Internet connections from infected machines have been re-redirected to appropriate real servers. The court order, however, only allowed the FBI to leave the servers online until 08 MARCH 2012. If the servers are shut down, those still infected will lose NEARLY ALL ABILITY TO CONNECT TO THE INTERNET. The original estimates were that "more than 500,000 computers in the US" were infected. Since there appear to be "about 450,000" infected computers still online, the FBI has asked the court for permission to continue operation of the servers "to allow more time for cleanups." Most Internet Security advisors are recommending that the shutdown proceed as scheduled. It appears that most infections were on "mainframe" systems at large corporations and government agencies (apparently including the FBI). Distribution of the Trojan appears to have been "International" in scope (but the FBI doesn't care about those elsewhere?) That makes it somewhat unlikely that individual users are likely to find this Trojan on their computers, unless they access a corporate/government network, or have traded files with someone who does. The latest update (that I've seen) is at: Feds ask judge to keep infected computers online Security experts disagree, argue clean-up deadline of March 8 should be kept By Matt Liebowitz, Security News, 23 Feb 2012 U.S. government officials have asked a federal judge in New York to extend a looming deadline that could knock as many as half a million computers infected with the 'DNSChanger' Trojan offline on March 8. The March deadline was set following last November's "Operation Ghost Click, " an FBI bust of an Estonian cybercrime gang responsible for infecting at least 500,000 computers in the U.S. with DNSChanger, a Trojan that netted the crooks $14 million by enabling them to reroute Web traffic to rigged sites and collect the advertising revenue. Determining whether YOUR COMPUTER might be infected is trivially simple. The above article includes a link to a (US) "test site" that displays a single icon with a RED background for infected machines, or with a different color if you're not infected. (If you're infected you'll be redirected and will go to the phony site that displays the RED background. (Don't worry, since if you're infected you've been going there a lot, and the FBI runs it now and you can trust them(?)). If not, you go to a real/normal site with the GREEN background.) Indications are that in the (probably rare) case you are infected, removal of this Trojan is NOT SIMPLE, but the article linked above gives some help on things to do. Additional removal help is also given in the earlier: FBI May Block Your Internet Access Beginning March 8 17 February 2012 Matt Liebowitz, SecurityNewsDaily Staff Writer In the last step of an international effort to break up an Estonian cybercrime ring, the FBI is planning to switch off bogus domain-name servers formerly controlled by the criminals on March 8, potentially disabling Web access for hundreds of thousands of users still infected by the criminals' malware. John |
|
Subject: RE: Tech: A REAL Internet Shutdown - Malware From: GUEST,999 Date: 23 Feb 12 - 06:50 PM "Don't worry, since if you're infected you've been going there a lot" John, you should be writing stories laced with satire and understatement. I burst out laughing over that phrasing. Good one. |
|
Subject: RE: Tech: A REAL Internet Shutdown - Malware From: Don(Wyziwyg)T Date: 23 Feb 12 - 07:16 PM Green, thank God. Don T. |
|
Subject: RE: Tech: A REAL Internet Shutdown - Malware From: Leadfingers Date: 23 Feb 12 - 07:20 PM I show green too ! |
|
Subject: RE: Tech: A REAL Internet Shutdown - Malware From: GUEST,999 Date: 23 Feb 12 - 07:32 PM There's a song for everything. BTW, John, thanks for starting this thread. |
|
Subject: RE: Tech: A REAL Internet Shutdown - Malware From: Jeri Date: 23 Feb 12 - 07:38 PM I thought the Internet was having issues yesterday. It went away, then I tried to call my ISP on my cell and THAT (cell service) went away. Called on the plug-in-the-wall phone and they couldn't help me so sent me to the local store 20 miles away. I got there, and they said "Oh yeah, nobody around here can get on. We think there's a tower down. We're waiting for [the other phone company] to crash." I briefly wondered if Anonymous had taken down the whole Internet (but how would we have known it was them?). I drove 20 miles back home and my Internet was back. It makes a person wonder what it would take for the whole interwebby thing to be completely embuggered. Scary. |
|
Subject: RE: Tech: A REAL Internet Shutdown - Malware From: JohnInKansas Date: 23 Feb 12 - 07:41 PM I dont' expect that many here will be affected, but if you get your connection shut off before you discover you've got a problem, it could be difficult (and maybe expensive) to get the info you need to solve the problem. It's trivial to check, and might avoid a real hassle. (And now you'll know how to explain what happened to all your buddies who didn't bother to chack.) k-1 of course you can trust the FBI. Just like I do. I've been considering another thread about trusting the IRS too. The NHS is getting a little "iffy," and I'm not real sure about the EEOC. And you do have to "filter" some of the stuff from the CPSC, but of course the NTSC are a bunch of really "straight up" guys. Fortunately, they're all "independent from politicians' influence." (I'll admit I'm a little distubed by some of the Pols.) John |
|
Subject: RE: Tech: A REAL Internet Shutdown - Malware From: GUEST,.gargoyle Date: 23 Feb 12 - 09:48 PM John - you are losing your audience.
Sincerely,
|
|
Subject: RE: Tech: A REAL Internet Shutdown - Malware From: GUEST,999 Date: 23 Feb 12 - 09:52 PM Dear Gargoyle, |
|
Subject: RE: Tech: A REAL Internet Shutdown - Malware From: Rapparee Date: 23 Feb 12 - 10:18 PM The MSNBC article refers to "DNSChanger." Here's a link the AVG Labs article on it. |
|
Subject: RE: Tech: A REAL Internet Shutdown - Malware From: scouse Date: 24 Feb 12 - 04:09 AM Green, it must be the Irish in me.. As Aye, Phil. |
|
Subject: RE: Tech: A REAL Internet Shutdown - Malware From: Newport Boy Date: 24 Feb 12 - 05:40 AM The AVG article is interesting: What is DNSChanger? DNSChanger is a Virus that is spreading. It is currently ranked 145 in the world for online threats. DNSChanger has been detected by AVG on victims' machines in 2 countries during the last month. There are currently 1 websites in 1 country that host DNSChanger. Looks like it just the FBI that host DNSChanger, and it's active in the US and one other country. I also see that it affects all versions of Windows OS - so I don't think I'll bother any more about it. Phil |
|
Subject: RE: Tech: A REAL Internet Shutdown - Malware From: GUEST Date: 25 Feb 12 - 02:26 AM A three week shutdown would be a blessingl. Some might even Discover printed Books, and Magazines Vev duh blumier. |
|
Subject: RE: Tech: A REAL Internet Shutdown - Malware From: JohnInKansas Date: 25 Feb 12 - 12:48 PM On a Separate Subject: From the same Security bunch who provided the news in the first post here, comes: New 'Flashback' trojan swipes Mac passwords Latest version injects malicious code into Web browsers, scans usernames and passwords By Matt Liebowitz Security News 2/24/2012 Mac users, consider yourself warned: A new version of an infamous and ever-changing Mac Trojan has again been spotted, this time deploying three attack methods in an attempt to harvest your passwords, steal your money and generally terrorize your computer. The original Apple-specific Trojan, "Flashback," has been around for months; past versions of the malware have disabled anti-virus software or infected computers by hiding in phony Adobe Flash Player installers. This new variant is a stronger, more robust beast, and the stakes are higher for those who fall victim to it. Currently spreading in the wild, the new Flashback.G variant attempts first to exploit two separate Java vulnerabilities, most often in Macs running OS X 10.6 (Snow Leopard), the security firm Intego explained. You can block this route of entry by keeping your Java software up to date. But Flashback is a resilient fighter, and if it's thwarted here, it then attempts a third method of attack, forcing a pop-up applet to appear that claims to be a "self-signed root certificate" from Apple. The certificate asks, "Do you want content signed by 'Apple Inc.' to have access to your computer?" It looks legitimate, but clicking "continue" grants the Trojan access to your system, and then the real trouble kicks in. Not only does Flashback inject malicious code into Web browsers and cause them to crash, it automatically scans victims' computers for usernames and passwords to sites like PayPal, where saved passwords may lead to stored financial information. "Presumably, the people behind this malware are looking for both user names and passwords that they can immediately exploit — such as for a bank website — as well as others that may be reused on different sites. (Hint: don't use the same password for all websites!)," Intego wrote. To stay safe from the Flashback Trojan, which Intego calls "particularly insidious," it's crucial to keep all your software up to date, and to make sure you're running strong anti-virus software on your system. Just because you're using a Mac doesn't mean you are impervious to malware and computer virus attacks. ... © 2012 SecurityNewsDaily. Links to some suggestions and other Mac-specific news are also included at the link. John |
|
Subject: RE: Tech: A REAL Internet Shutdown - Malware From: JohnInKansas Date: 03 Mar 12 - 10:04 PM Curiously, there have been no further reports (that I've seen) about whether the March 8 shutdown of the FBI operated servers will be allowed to continue. It should be noted that the servers operated by the FBI do not spread the malware. They only provide a means by which persons already infected may continue to access the internet so that they can have a chance to get rid of it. It should also be noted that the malware in this case only needs to fake a URL, and affects browsers rather than Operating Systems, so the assumption that "Macs are invulnerable" is probably NOT JUSTIFIED. *********** In a somewhat similar case, a recent US court decision stated that warrants are required to install GPS tracking devices on someone's vehicle, so the FBI was forced to turn off tracking of some 3,000 GPS devices. Since without tracking of the devices the FBI can't find them to remove them, they've also petitioned for permission to turn the tracking back on so that they can get their toys back. As with the above, no news on whether the court has responded to allow them to retrieve those toys. ************ On a somewhat different subject, Symantec has reported that an unknown "someone" has hacked the hacking program widely used by the "Anonymous Group" so that very large numbers of people who downloaded the program that allows their computers to participate in DDoS attacks by Anonymous may now be infected with a separate trojan that's busy sending all their own personal information to some unknown malware site. News Report Here. John |
|
Subject: RE: Tech: A REAL Internet Shutdown - Malware From: JohnInKansas Date: 26 Apr 12 - 07:54 PM The DNSChanger malware that was the original subject for this thread is apparently still active, and some slightly modified instructions for checkout have appeared. The FBI received court approval to continue operating their redirect-redirecting phony websites for those who hadn't removed the malware. This apparently applied (and may still apply) to fairly large numbers of computers. The NEW DATE on which the FBI servers will shut down is July 09, 2012. Anyone still infected by this malware after that date will have NO INTERNET CONTACT. The original instruction to visit this FBI-backed website, DNS-OK, is still good. If you see a RED background there, it definietely means you ARE infected. If you see a GREEN background, you probably are not infected. It has been determined that if you ISP is redirecting DNS requests, you may see the green at that site while your computer still is infected, so a second check is recommended. If you see RED at the FBI site you know you need to fix it. If you see GREEN at the FBI site above you still are advised to go to this site, run by the DNS Changer Working Group. The DNS Changer Working Group will direct you to a URL appropriate to your language and location, that will detect more specifically whether your computer has been "violated," and if so, will point you to the right fix for your computer. (Not that if you saw the GREEN when this thread started, it still might be a good idea to click to the second site now just to be sure, since that's based on newer information.) This information is from July 9 could be 'Internet doomsday' for some (so check your PC or Mac), posted a few hours ago. John |
|
Subject: RE: Tech: A REAL Internet Shutdown - Malware From: katlaughing Date: 26 Apr 12 - 08:23 PM Thanks, John. I missed this the first time round. Fortunately, mine checked out green at both links. |
|
Subject: RE: Tech: A REAL Internet Shutdown - Malware From: GUEST Date: 26 Apr 12 - 08:53 PM As Chicken Little once said, "The sky is falling!" |
|
Subject: RE: Tech: A REAL Internet Shutdown - Malware From: GUEST,.gargoyle Date: 26 Apr 12 - 10:42 PM What a curious cozy of cats. Reflect upon the "Casandra Syndrom " Smithsonian Magazine April 2012..."story of Ri hard Clark " by Ron Rosenbaum...pp12 -17. Move to a more secure multi based isp...if you fear loss of mudcat for your time...Max is OK. Sincerely, Gargoyle http://whatreallyhappened.com/ |
|
Subject: RE: Tech: A REAL Internet Shutdown - Malware From: Stilly River Sage Date: 26 Apr 12 - 10:52 PM Garg, it's likely to hit a lot more people in other countries than here in the US. Do you suppose those nations are sitting up and taking notice, or will their residents one day be offline and each have to call in a techie neighbor who will help them work on their computers? SRS |
|
Subject: BS: Please Remove if Already Posted From: Beer Date: 27 Apr 12 - 03:16 PM The below text just came to me as an e-mail and I believe it is worthy of a post. If someone has mentioned it before than maybe some one can remove it. The Virus That Really Will Kill Your PC July 9 Analysis by Rob Pegoraro (Discovery.com) Thu Apr 26, 2012 04:22 PM ET DNSChanger check : www.dns-ok.us It sounds like one of those annoying chain emails that show up from technically challenged acquaintances: "The FBI Will Take Your Computer Offline July 9 If It Has A Virus! Visit This Site Immediately To Check!! Forward This To Everyone You Know!!!" But the Federal Bureau of Investigation really has posted a warning on its site about the risk of "DNSChanger" malware, which really will result in your computer getting disconnected from the Web on July 9 if you don't clean it up. The story began last November when the bureau announced it had busted a 4-year-old Estonia-based conspiracy. The suspects had infected about 4 million computers -- some 500,000 in the United States -- with malware called DNSChanger (also referred to as Alureon) that diverted victims to scam sites. This "rootkit" malware was usually delivered as a fake download for Windows or Mac OS X that then silently altered the Domain Name System settings on computers and even some wireless routers. That's about the most serious compromise an Internet-connected machine can suffer; when DNS stops correctly translating domain names like discovery.com to machine-readable Internet Protocol addresses like 63.240.215.85, you no longer know what sites you're dealing with. But once an infected machine has been cuffed to DNSChanger's rogue servers, shutting it off would effectively unplug it from the Internet. To give unaware victims time to clean up their systems, the FBI secured a court order requiring the Internet Systems Consortium, a nonprofit Net-architecture firm, to take over and sanitize those servers. But all bad things must end; after one stay of execution, ISC is now set to turn off the DNSChanger servers on July 9. At that point, any infected machine will only be able to connect to numerical IP addresses, essentially, a rotary-dial version of the Internet. Early advice on checking for a DNSChanger infection required a fair degree of technical skill, but now you just need to be able to read one line of text or know the difference between green and red. Visit www.dns-ok.us ; if you see a green background to the image on that page and the words "DNS Resolution = GREEN," you're safe. (Your Internet provider may also offer a similar service. Comcast subscribers, for example, can check their computers at amibotted.comcast.net.) If you see otherwise, you have a month and change to fix the problem. Since DNSChanger can disable security programs, you may not be able to do this the easy way, by clicking a "scan" button in your anti-virus app. You can try specialized DNSChanger-removal tools from such firms as SecureMac, or run general-purpose anti-rootkit software like MalwareBytes' Anti-Malware or Kaspersky Labs' TDSSKiller. The DNS Changer Working Group, created by Internet-security experts to help clean up the problem, has also set up a page with links to manual malware-cleanup instructions from Microsoft and others. In a worst-case scenario, you may need to reinstall your computer's operating system and software from scratch, using either the disks that came with the computer or the recovery partition on its hard drive. But that still beats having a computer that can only navigate the Internet by numbers. So if you have friends or family members online who might not know to check for this problem, please forward this post to them. But hold the exclamation points. Credit: Rob Pegoraro/Discovery http://news.discovery.com/tech/dns-changer-fbi-warning-july-9-doomsday-120426.html I checked and mine is green. Adrien |
|
Subject: RE: Tech: A REAL Internet Shutdown - Malware From: JohnInKansas Date: 27 Apr 12 - 05:58 PM Beer - (and others) Note the comment in my last post, that reports that if your ISP does its own DNS routing the FBI site - the one most people have been sent to - may give you a green indication even if your machine is infected. The second link there is to the DNS Consortium where you get a more specific test of your own machine (excluding the effect of what your ISP does) that you might also want to run. Neither check takes more than a few seconds. John |
|
Subject: RE: Tech: A REAL Internet Shutdown - Malware From: Beer Date: 27 Apr 12 - 06:06 PM Thank you John. I ran the test. Ad. |
|
Subject: RE: Tech: A REAL Internet Shutdown - Malware From: Richard Bridge Date: 27 Apr 12 - 06:44 PM Been and green |
|
Subject: RE: Tech: A REAL Internet Shutdown - Malware From: Bonnie Shaljean Date: 27 Apr 12 - 06:54 PM Sorry for the bonehead question John, but this is too important to get wrong: the only links I can find all seem to take me to the same http://www.dns-ok.us/ site, and every one I run the check on takes me to that same (thankfully) green circle with the little people icons in front of it. Is this the correct second test you spoke of? I want to make sure I am getting through to the right confirmation-for-sure site in all that welter of information. Can you or someone please post a clickie for it? Thanks |
|
Subject: RE: Tech: A REAL Internet Shutdown - Malware From: JohnInKansas Date: 27 Apr 12 - 08:51 PM The test result is the same for both sites. According to the article linked at the bottom of my post 26 Apr 12 - 07:54 PM, "information from ..." says that the original FBI link may miss an infected machine if the ISP it's using "makes the correction." This likely means that you'd still be able to get to the internet after the FBI servers shut down, as long as you use that ISP, but if - for example - you take your laptop to Barnes and use their WiFi connection you might be shut out. The alternate link there takes you to the DNS Consortium website, where they show you a list of servers so you can pick one appropriate for your location and language. The implication is that any of those sites forward you to the one that shows whether you're infected, overriding any "correction" made by your ISP, so that it tells you if your machine has the malware on it even if your ISP is compensating for where your machine says to go. The test apparently just "forwards" you to either of the two FBI sites. If the malware is on your machine, it causes you to be sent to the site with the RED display. If the malware isn't on your machine, you follow the link to the other site that displays the GREEN. The FBI claims that they figured out how to change the malware on all infected machines so that the infection redirects users to their "replacement" for the original malicious sites, from which they forwarded you to where you really wanted to go. This is why an infected machine could still browse "normally," as long as the FBI "forwarding" sites are on line. Some providers have provided a similar redirect of the malware's redirect, so that the request for a connection goes to where you asked it to, instead of to the FBI forwarding service. The "simple" test at the FBI might miss those, since to the FBI site it looks like the connection wasn't redirected. The Consortium site apparently "connects" you to a test site with the connection based on a request directly from your machine (probably from the page that's loaded on your machine when you go to the site), so that it doesn't get a chance to be modified by your ISP. The "test result" sites you see probably are the same ones, but it's "how you got there" that makes the difference in how accurate the check for local infection of your own computer is. The two links in the 26 Apr 12 - 07:54 PM post should be good. They do the same test, but on "slightly differently acquired specimens." hypothetically ... ... (?). John |
|
Subject: RE: Tech: A REAL Internet Shutdown - Malware From: JohnInKansas Date: 06 Jul 12 - 01:13 AM ONE LAST(?) TIME: A Final Warning By now, it is expected that everyone here has checked to see if they might be infected with the DNSChanger malware. The FBI substitute sites will shut down at midnight, Monday, July 9 (US Eastern Time) or around 05:00(?) am Greenwich/Universal time. The current estimate is that approximately 270,000 computers will lose all contact with the Internet at that time. This includes an estimated 70,000 computers in the US. This includes computers at approximately 50 "Fortune 500" corporations that are still infected. The DNSChanger malware also disables at least some parts of most AntiMalware (AntiVirus) programs so you can't rely on them to remove it. IF YOU NEED TO clean up while you still have Internet connection, several sites can download/repair AV software. If you lose Internet Access, you will not be able to use that method. IF you can't connect after the shutdown, your only recourse will probably be to call your ISP (Internet Service Provider). So where do you get their phone number? - Of course, from their website.(Wanna bet on it???????) Sites you connnect with can tell if you've been "redirected" and in a stroke of genius, Facebook has been posting notices that "Your computer appears to be infected with malware. Click here." Since the same notice is currently THE NUMBER ONE SCAM on the 'net, nobody with a functioning brain cell should click any message of this kind, and it should be expected that the malware distributors have already replicated the FB message, so you might get one that looks exactly like the "real" Facebook one from malicious sources. Or you might get lucky??? Google has also been notiying infected users who connect to the Google site, but their message has not been described (that I've seen) and it's unclear whether they only notify those who connect to the Google home site, or if it also applies to users of Google search. Any of us here (at least those who look at Tech threads) should have little reason to be concerned, althouth there's a slight possibility someone could have been infected from one of the 270,000 dummies who haven't gotten the message. If you would like to check "one last time" the link given by trustworthy sources is http://www.dcwg.org. This site gives you a list of satellite sites that can run the check for you if you click on the "Detect" button. (Although the site addresses in the table don't display as links in my browser, they will take you to the correct test for your locale.) John |
|
Subject: RE: Tech: A REAL Internet Shutdown - Malware From: MikeL2 Date: 06 Jul 12 - 06:42 AM hi John Thanks for the heads up......I checked and I'm Green. Thanks again. Cheers MikeL2 |
|
Subject: RE: Tech: A REAL Internet Shutdown - Malware From: JohnInKansas Date: 09 Jul 12 - 07:39 PM The FBI servers were, if they were on schedule, shut down early this morning (Monday in the US). Multiple headlines have appeared on several news sites, reporting that there was little impact, apparently based on the reports from Internet Service Providers (ISPs) that they've seen very few posts by those who no longer have access to the internet and have received only a few emails asking for assistance. DUH! (?) If anyone of our own community have completely lost their internet connection, they are welcome to post here and we'll surely try to help. Or not. John |
|
Subject: RE: Tech: A REAL Internet Shutdown - Malware From: terrier Date: 10 Jul 12 - 04:15 AM er.. am I still here or have I been redirected?? |
|
Subject: RE: Tech: A REAL Internet Shutdown - Malware From: GUEST,Tootler Date: 10 Jul 12 - 04:15 AM It was on the news here in the UK last night. They reckoned about 300 000 computers would be affected by the shut down. |
|
Subject: RE: Tech: A REAL Internet Shutdown - Malware From: JohnInKansas Date: 10 Jul 12 - 08:41 PM The number of infected computers was estimated at 270,000 by "FBI sources" just prior to the shutdown. A fair number of those may not be seriously affected because several ISPs have added "redirector redirections" to their own services. In most cases, the first connection is to your ISP, and they can detect that your "destination" has been redirected and can "unredirect" it. The result is that some who are still infected may still be able to get connected, if they happen to use one of the ISPs that's provided for it. (Certain elements of society seem determined to "protect" John |
|
Subject: RE: Tech: A REAL Internet Shutdown - Malware From: frogprince Date: 11 Jul 12 - 03:22 PM "If anyone of our own community have completely lost their internet connection, they are welcome to post here" uh..John? |
|
Subject: RE: Tech: A REAL Internet Shutdown - Malware From: JohnInKansas Date: 12 Jul 12 - 12:36 AM About as sensible as the ISPs saying "few people were impacted" because nobody has posted a complaint to them, ain't it? Or the "advisors" who said (before the disconnect) "if you find you don't have internet access, call your ISP." Do YOU KNOW the phone number for your ISP? Ok, where do you find it? - - at their website on the internet, of course. John |
| Share Thread: |