DNSChanger Archives | Gregory D. Evans

Posts Tagged ‘DNSChanger’

Google gives search users final DNSChanger warning

Google has embarked on a final campaign to warn the remaining half million PCs it reckons could still be infected with the DNSChanger malware that they risk losing Internet connectivity on 9 July. View full post on security

View full post on National Cyber Security

How to protect yourself from DNSChanger

In July the Internet Systems Consortium will permanently shut down DNS servers deployed to serve as temporary surrogates for rogue DNS servers shut down as part of Operation Ghost Click, an FBI operation that brought down an Estonian hacker ring last year. If your PC is one of the more …

View full post on National Cyber Security » Computer Hacking

CloudFlare and OpenDNS Join Forces to Help Internet Users Affected by DNSChanger Malware

SAN FRANCISCO, CA: CloudFlare and OpenDNS today announced they are joining forces to aid more than half a million Internet users still connecting to the DNS servers formerly used by the DNSChanger malware …

View full post on National Cyber Security » Virus/Malware/Worms

DNSChanger malware victims may face internet switch off: ACMA

The Australian Communications and Media Authority (ACMA) has urged Australian internet users who may be DNSChanger victims to remove the malware from their computers before 9 July or face no internet service when domain name system (DNS) servers maintained by the FBI are switched off.

The ACMA e-security operations manager, Bruce Matthews, told Computerworld Australia that up to 10,000 Australians have devices which are infected with the malware.

According to Matthews, DNSChanger re-routes the affected person’s traffic through rogue DNS servers without their knowledge. The malware has been associated with click fraud whereby an unsuspecting user will be redirected from a legitimate website they are browsing to a malicious website.

The six cyber criminals behind the DNSChanger malware were arrested in November 2011, and the Federal Bureau of Investigation (FBI) took control of the rogue DNS servers and replaced them with legitimate servers.

“While the problems associated with DNSChanger have largely been removed, if you don’t take action to remove the malware and restore correct DNS settings you won’t be able to connect to the internet after 9 July when the servers which are currently being maintained under a court order from the FBI are turned off,” Matthews said.

The ACMA, CERT Australia and the Department of Broadband, Communications and the Digital Economy have developed a diagnostic website that will tell users if they have been affected with DNSChanger.

“Given there are a range of variants in the infection, we recommend that once someone has run the tool they go back to the website to test if they are still infected and try another tool,” Matthews said.

He added that the ACMA was working with internet service providers to inform customers who may be infected with the DNSChanger malware, so that most infected internet users will have removed the malware by 9 July.


Article source:

View full post on National Cyber Security » Virus/Malware/Worms

Active and Passive Auditing of DNS Servers in Use – Finding DNSChanger Malware

View full post on Tenable Network Security

View full post on National Cyber Security

DNSChanger Trojan Still Needs to be Cleaned from Fortune 500 and US Government Systems (February 3 & 6, 2012)

Half of Fortune 500 companies and nearly half of all US federal government agencies still have the DNSChanger Trojan on their networks, according to researchers …

View full post on SANS NewsBites

View full post on National Cyber Security

Germany to shut down DNSChanger Trojan servers

German authorities are advising victims of DNSChanger Trojan programs to fix their computers’ Domain Name System settings using a free tool developed by antivirus company Avira, because the servers resolving DNS queries on their behalf will be closed down on March 8.

DNSChanger is a family of Trojans for Windows and Mac OS X whose primary function is to replace the DNS servers defined on the victim’s computer with rogue ones operated by the malware’s authors.

The DNS is a vital part of the Internet infrastructure and is used to resolve domain names into numerical IP addresses. By controlling DNS responses, the DNSChanger gang was able to redirect victims to rogue websites that distributed fraudulent software or displayed money-generating advertisements.

The DNSChanger operation was shut down by the US Federal Bureau of Investigation in November last year following a two year long investigation. The authorities estimated the number of computers infected with this type of Trojan at 500,000 in the US and over four million worldwide.

The FBI worked with ISPs where the DNSChanger gang hosted its rogue DNS resolvers in order to temporarily convert them into legitimate servers. This decision was taken in order to provide victims with sufficient time to clean their computers without disrupting their Internet access.

On January 11, the German Federal Office for Information Security (BSI) announced that the temporary DNS resolvers put in place to service DNSChanger victims will be permanently shut down on March 8. The government agency worked with antivirus firm Avira to provide affected users with a tool that automatically resets their DNS settings to their default values.

“If your computer was infected at some point in time and it was using one of the DNS servers which are now controlled by FBI, after March 8, it will no longer be able to make any DNS requests through these servers,” explained Avira product manager and data security expert Sorin Mustaca. “In layman’s terms, you will no longer be able to browse the web, read emails and do everything you usually do on Internet.”

The Avira DNS Repair Tool is distributed for free from the company’s website, as well as, a website operated by German authorities that can be used to determine if a computer is using one of the temporary DNS servers.

The downside of the tool is that it only works on Windows, and doesn’t actually remove the Trojan. Users should first clean their computers with an antivirus program and then use Avira’s tool to repair their DNS settings.

“Only the [network] adapters which are detected as manipulated will be changed,” Mustaca said. “All others which don’t have any signs of being altered by the malware will be left untouched.”

Since the tool configures network adapters to automatically detect DNS settings via DHCP, it might not work for all network setups. If using the tool doesn’t solve the problem, users should call their ISP and ask what their recommended DNS settings are.

Article source:

View full post on National Cyber Security » Computer Hacking

FBI tackles DNSChanger malware scam

If you have followed the malware scene over the past few years, you know that one of the prominent attacks on personal computers and information has been the DNSChanger scam.

DNSChanger is a Trojan horse that was distributed in many forms, and when installed it actively changes the infected system’s DNS settings to rogue servers that redirect legitimate searches and URLs to malicious Web sites that attempt to steal personal information and generate illegitimate ad revenue for the scammers.

The DNSChanger malware was first discovered around 2007, and since this time has infected millions of computers, around 500,000 of them being in the U.S., and through these computers the criminals have reportedly pulled in around $14 million in stolen funds. This success spurred the criminals to branch out from targeting Windows PCs to other platforms that include the Mac OS and also networking hardware such as routers, so entire networks could be scammed.

Mac variants of the malware, found starting in 2008, were known as OSX.RSPlug.A, OSX/Puper, and OSX/Jahlav-C. These have been distributed through pornographic Web sites disguised as required video codecs for QuickTime, and as with the Windows versions, when installed the Trojan would change the system’s DNS settings to servers that would redirect legitimate Web URLs to malicious sites.

To combat this threat, a number of malware detection tools were quickly developed to specifically target and remove the DNSChanger malware, and most antivirus utilities have proper definitions for detecting and removing it, but the threats have still been out there and affecting systems where they could.

Recently the FBI put a major dent in the DNSChanger operation with Operation Ghost Click, which ended in the arrest of six Estonian nationals who are accused of being integral in running the fraud ring. Along with the arrests, a number of computer systems were seized that the FBI says were being used as rogue DNS servers; instead of simply being shut down, they were replaced with legitimate servers.

This action means that many of the millions of computers that are still currently infected with the DNSChanger malware should now be receiving healthy DNS server activity even if the DNS server IP addresses on their systems are changed by the malware.

This is definitely a helpful step in the right direction for unsuspecting individuals who may be affected; however, it is not a guarantee of safety for affected systems, especially since the malware and its variants could still be running on the systems.

Besides running antimalware utilities to detect and remove the DNSChanger malware, computer owners can manually check the DNS settings on their systems to see if they are affected. This is perhaps the best option since even if there is no malware on a specific computer, a compromised router will give rogue DNS information to all systems that connect to it.

To check your DNS servers, you will need to manually enter their information in the FBI’s DNS-checking Web site, which will issue you a warning if the server is a compromised one. To do this in OS X, follow these directions:

[Figure: The DNS servers in OS X are listed in the Network system preferences. Screenshot by Topher Kessler]

  1. Open the Network system preferences.
  2. Select your network connection (the active one will be at the top of the list).
  3. Click the “Advanced” button, and in the new window click the “DNS” tab.
  4. Note the DNS Server IP addresses in the list on the left (some may be grayed out).

Compare the DNS servers’ IP addresses to the FBI-provided list of rogue DNS server ranges (PDF). If any of your DNS server addresses falls within one of those ranges, your system may be using a rogue DNS server.

An easier method for checking the IP addresses is to enter them one at a time in the FBI’s Rogue DNS Checker Web site, which will inform you whether or not the IP address is valid.

Repeat this check for every network connection option in OS X (including AirPort, Ethernet, and others like FireWire), since the DNS configuration for each is separate. If the server IP addresses in the DNS list are grayed out and cannot be edited, this means the servers are configured in your router and can be modified by going to your router’s settings (usually done through a Web interface).
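The per-connection check described above, and Avira's rule of resetting only the adapters that show signs of manipulation, can be scripted. The following is an added example, not code from the CNET article, the FBI or Avira. It assumes macOS's `networksetup` command (`-listallnetworkservices`, `-getdnsservers`, `-setdnsservers ... empty`), which exists on OS X and later macOS, and uses constructed placeholder ranges from documentation address space in place of the FBI's published rogue ranges, which the article does not reproduce; the sample `networksetup` outputs are likewise constructed so the script runs offline.

```python
"""Audit the DNS resolvers configured on each macOS network service.

Added example (not from the article). Assumes macOS `networksetup`; the
rogue ranges and sample outputs below are CONSTRUCTED placeholders.
"""
import ipaddress
import subprocess
from typing import Dict, List

# Placeholder ranges (constructed, RFC 5737 documentation space).
# Replace with the ranges from the FBI's PDF before real use.
ROGUE_RANGES_EXAMPLE = [
    "192.0.2.0/24",
    "198.51.100.0/24",
    "203.0.113.0/24",
]


def parse_dns_servers(output: str) -> List[str]:
    """Parse `networksetup -getdnsservers <service>` output into IP strings.

    When a service has no manually configured resolvers, networksetup prints
    a sentence ("There aren't any DNS Servers set on Wi-Fi.") instead of
    addresses; that is the grayed-out, router/DHCP-supplied case.
    """
    servers = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            servers.append(str(ipaddress.ip_address(line)))
        except ValueError:
            continue  # the "no servers set" sentence or other non-address text
    return servers


def is_rogue(server: str, rogue_ranges: List[str]) -> bool:
    """True if the resolver address lies inside any of the given CIDR ranges."""
    ip = ipaddress.ip_address(server)
    return any(ip in ipaddress.ip_network(r, strict=False) for r in rogue_ranges)


def audit(service_outputs: Dict[str, str], rogue_ranges: List[str]) -> Dict[str, dict]:
    """Per service: resolvers found, which are rogue, and whether DNS is inherited.

    An empty resolver list means the service takes DNS from DHCP/the router,
    which must then be checked in the router's own configuration.
    """
    report = {}
    for service, output in service_outputs.items():
        servers = parse_dns_servers(output)
        flagged = [s for s in servers if is_rogue(s, rogue_ranges)]
        report[service] = {
            "servers": servers,
            "rogue": flagged,
            "inherited_from_dhcp": not servers,
        }
    return report


def plan_repair(report: Dict[str, dict]) -> Dict[str, List[str]]:
    """Mirror Avira's rule: only services with a rogue resolver are reset.

    Returns the networksetup command that would clear manual DNS entries
    (reverting the service to DHCP-supplied resolvers); untouched services
    are left as they are. The caller decides whether to execute it.
    """
    return {
        service: ["networksetup", "-setdnsservers", service, "empty"]
        for service, result in report.items()
        if result["rogue"]
    }


def collect_live() -> Dict[str, str]:
    """Gather real networksetup output on a Mac (not exercised offline)."""
    raw = subprocess.run(["networksetup", "-listallnetworkservices"],
                         capture_output=True, text=True, check=True).stdout
    # First line is an explanatory header; disabled services carry a '*' prefix.
    names = [l.lstrip("*").strip() for l in raw.splitlines()[1:] if l.strip()]
    return {n: subprocess.run(["networksetup", "-getdnsservers", n],
                              capture_output=True, text=True).stdout
            for n in names}


# Constructed sample outputs standing in for networksetup on three services.
SAMPLE_OUTPUTS = {
    "Wi-Fi": "203.0.113.7\n8.8.8.8\n",
    "Ethernet": "There aren't any DNS Servers set on Ethernet.\n",
    "FireWire": "8.8.4.4\n",
}

if __name__ == "__main__":
    report = audit(SAMPLE_OUTPUTS, ROGUE_RANGES_EXAMPLE)
    for service, result in report.items():
        print(service, result)
    print("repair plan:", plan_repair(report))
```

Run as-is it audits the constructed samples; replace `SAMPLE_OUTPUTS` with `collect_live()` on a Mac to audit the real services. A service reported as `inherited_from_dhcp` is the case the article calls grayed out: the script cannot see those resolvers, so the router's configuration still has to be checked separately.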

Do keep in mind that the DNSChanger malware is from around 2008 and is not anything new, but this latest news is a good reminder to check and be sure your system’s network settings are as they should be. In addition to checking your network settings, you can check for the malware with most updated malware scanners or by downloading and running the DNSChanger Trojan removal tool from Because the malware has been around for a long time and has not changed much for OS X systems, most reputable malware scanners should easily detect it.


Article source:

View full post on National Cyber Security » Virus/Malware/Worms

Operation Ghost Clicks Nabs DNSChanger Malware Ring


As a result of a two-year FBI Investigation: Operation Ghost Click, on November 8, 2011, six Estonian nationals were arrested by Estonian authorities and charged in a seven-count federal Indictment with running an Internet fraud ring that infected millions of computers worldwide with a virus and enabled the thieves to manipulate the multi-billion-dollar Internet advertising industry. Users of infected machines were unaware that their computers had been compromised—or that the malicious software rendered their machines vulnerable to a host of other viruses. The defendants are awaiting extradition to the United States.

The counts in the Indictment include:

  1. Wire Fraud Conspiracy
  2. Computer Intrusion Conspiracy
  3. Wire Fraud
  4. Computer Intrusion (furthering fraud)
  5. Computer Intrusion (transmitting information)
  6. Money Laundering
  7. Engaging in Monetary Transactions of Value Over $10,000 Involving Fraud Proceeds

NOTE: The charges contained in the Indictment are merely accusations and the defendants are presumed innocent unless and until proven guilty beyond a reasonable doubt in a court of law.

SIDE BAR: The presently named Estonian defendants are:

A seventh named defendant ANDREY TAAME, 31, a Russian national, remains at large.

DNSChanger — Be scared, be very scared!

The Indictment alleges that beginning in 2007, the cyber ring used DNSChanger malware to infect approximately 4 million computers in more than 100 countries, causing about 500,000 infections in the U.S.

SIDE BAR: DNSChanger redirected unsuspecting users to rogue servers controlled by the defendants, allowing them to manipulate users’ web activity.

For example, if a compromised user clicked on a link for the official website of iTunes, they were unknowingly redirected to a website for a business unaffiliated with Apple Inc. that purported to sell Apple software. This altered click path generated money for the defendants and also deprived legitimate website operators and advertisers of the diverted traffic and its attendant substantial revenue.

Learn more about DNSChanger Malware at this FBI LINK

The defendants were charged with manipulating Internet advertising in order to generate at least $14 million in illicit fees. In some cases, the malware had the additional effect of preventing users’ anti-virus software and operating systems from updating, which exposed those attacked machines to other malware.

Mitigation Plan

As part of the operation, the FBI announced that a mitigation plan commenced on November 9, 2011, whereby rogue DNS servers were being replaced with clean DNS servers. Although this step does not eradicate the malware or other viruses, it avoids taking millions of victims offline and buys time for Internet Service Providers to put in place necessary changes.

If you are a victim of this DNS Malware attack, you can register HERE with the FBI

To verify your computer’s DNS settings, use this TEST


Article source:

View full post on National Cyber Security » Virus/Malware/Worms
