Results 1 to 5 of 5

Thread: DNS Changer Rootkit

  1. #1
    Diamond Member AndyD's Avatar
    Join Date
    Jan 2010
    Location
    Cape Town
    Posts
    4,923
    Thanks
    576
    Thanked 934 Times in 755 Posts

    DNS Changer Rootkit

    If the internet goes dark on March 8th then chances are you have a rootkit infection known as DNS Changer. It originally rerouted your internet connection via a botnet system in Estonia. It also prevents security updates for antivirus applications and Windows OS. The malicious servers have been taken off-line and substituted by the FBI but your internet connection will fail March 8th onwards if you have the infection.

    It's a very small neat script that makes use of known security holes and effects several registry changes on a Windows PC. Linux users are immune. It started out as a scam to redirect internet users to malicious websites but now the servers have been substituted by the FBI it's just a general infection/security issue. There's a fairly extensive infection footprint and I came across the little critter the other day on somebody elses network. In most cases the user will be unaware of the infection until the substitute servers are pulled in a couple of weeks. Cleaning an infected PC is tricky but possible. For most victims a reinstall is the easiest way to go.

    Happy surfing!!


    http://www.pcworld.com/article/25029...html#tk.hp_pop

    http://www.infosecurity-magazine.com...o-its-victims/
    _______________________________________________

    _______________________________________________

  2. Thanks given for this post:

    Dave A (26-Feb-12)

  3. #2
    Site Caretaker Dave A's Avatar
    Join Date
    May 2006
    Location
    Durban, South Africa
    Posts
    22,649
    Thanks
    3,305
    Thanked 2,676 Times in 2,257 Posts
    Blog Entries
    12
    Thanks for the heads-up, Andy.

    Afterthought: I wonder if those FBI good samaritans have been taking a peek at the data that's been going through those servers

    Nah - they wouldn't do something like that, would they

  4. #3
    Diamond Member AndyD's Avatar
    Join Date
    Jan 2010
    Location
    Cape Town
    Posts
    4,923
    Thanks
    576
    Thanked 934 Times in 755 Posts
    Yeah, the ever-benevolent FBI . There's been some discussions about that very topic for the last month on another forum I belong to. The reason they got involved originally was because of a very high infection rate in US Gov networks and many big US businesses. There's a few interesting theories on where the core script originated before it was packaged and set free as well.

    For anyone who wants to check their PC there's a link in one of the articles or just go here using google translate unless your Flemish/French is up to scratch.
    _______________________________________________

    _______________________________________________

  5. #4
    Site Caretaker Dave A's Avatar
    Join Date
    May 2006
    Location
    Durban, South Africa
    Posts
    22,649
    Thanks
    3,305
    Thanked 2,676 Times in 2,257 Posts
    Blog Entries
    12
    I had another thought later too.

    Instead of just killing the servers, why not insert a message that your pc had been compromised so that folk had a proper heads up that they are affected. But then it struck me, if you got a notice pop up on your computer screen saying something along the lines of:

    Official notice from the United States of America Federal Bureau of Investigation.

    You are receiving this message because your computer has been compromised with a DNS Changer rootkit.
    The FBI, as part of operations against the syndicate involved, have taken over operation of the servers so that you may continue to have access to the internet.
    This service shall discontinue on 8th March 2012, at which time you may experience difficulty accessing the internet.

    For more information on this threat and how to remove this malicious program click here.
    To continue to the page you were going to click here
    Would you believe it?
    Would you click a link on that page?

    What would most people do?

  6. #5
    Diamond Member Justloadit's Avatar
    Join Date
    Nov 2010
    Location
    Johannesburg
    Posts
    3,480
    Thanks
    134
    Thanked 695 Times in 593 Posts
    Blog Entries
    1
    Could there be a 911 again, because of the misinterpretation of the message?
    Victor - Knowledge is a blessing or a curse, your current circumstances make you decide!
    Solar pumping, Solar Geyser & Solar Security lighting solutions - www.microsolve.co.za

Did you like this article? Share it with your favourite social network.

Did you like this article? Share it with your favourite social network.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •