DNSChanger is not the end of the world

[Kathleen Atkins]

TOP STORY DNSChanger is not the end of the world By Woody Leonhard DNSChanger virus spells 'Internet Doomsday' … The end is nigh, according to the FBI … 'Internet doomsday' will strike us all on July 9 … That's what a couple of popular websites had to say about the DNSChanger virus. What a crock! The full text of this column is posted at WindowsSecrets.com/top-story/dnschanger-is-not-the-end-of-the-world/ (opens in a new window/tab). Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.

[nlinecomputers]

I have seen several articles on the internet, including this one, that praise the FBI for the altruistic act of providing replacement DNS severs for the bogus hijacked ones run by the DNSchanger botnet.

As a IT professional I really have no qualms about terminating service for people who's computers are infected. By not doing so and allowing the replacement servers to continue to run for months, millions of infected computers with NO antivirus protection were allowed to continue to surf the net unaware of problems and thus unprotected. What other botnets could use this as a breeding ground? Terminating their service would prompt them to seek professional help, not doing so lets compromised pcs continue to run unprotected. Which is harmful to everyone.

Since when is law enforcement obligated to provided replacement services that have been disrupted by criminals? They never have before so why are they now? By running a DNS server the FBI, like ANYONE that runs a DNS server, can track who is accessing it and what websites are being requested. (Yes boys and girls, your ISP, OpenDNS, or Google can track you!) I wonder if that is not the real goal. Why should being the unfortunate victim of a virus place your 4th amendment rights to privacy at risk. To me THAT is the real story here and no one seems to be interested in it.

[MarRDav]

Woody Leonhard's article was a great relief to me. However it left one question:
According to the doomsayers, DNSChanger not only messes with one's XP OS, but also messes with your router.
Does dcwg.org test the latter as well as the former?

[Webweweave]

When one does the test page, a note appears, " Please note, however, that if your ISP is redirecting DNS traffic for its customers you would have reached this site even though you are infected." That seems to be the end of the line as far as information is concerned. Admittedly, I have not tried to talk to my ISP (almost always a disappointing and frustrating experience). So, what's to be done?

[i317952]

This week Woody referenced Windows Defender Offline and Kathleen referenced MSE 4.0. Do you know if there is a direct relationship between MSE and WDO in the sense that the new MSE 4.0 implies there may be an updated WDO to grab too?

[NevCoDownNI]

Thanks for the info Woody,
I'm green thankfully, even a complete novice like myself could use the links provided and check, keep up the good work,
Cheers friend
Nev.

[ron1]

I'm not sophisticated enough to divine all the implications of DNS hijacking.

But when I tried http://www.dns-ok.us/ there was no signature on the website so I wonder what the test actually proved?

[FibleFarfer42]

Woody,

TDSS is a bear indeed, but I'm not so sure about painting the infected machines (and their users) with the broad brush of video codecs from adult web sites distribution model.

I encountered this virus at initial distribution prior to the AV makers rolling out updates for it. It was very widely distributed for at least a few months via well-disguised malicious email which appeared legitimate and appeared to be from known-good sources, e.g., faked American Airlines email with a spoofed aa.com return and header routing, to good email addresses harvested from who-knows-where, in attached .zip files where the AV software failed to scan inside the archives. Once loaded, this nasty also "called around" and invited many others nasties to the parties it was throwing on users' machines, resulting in some very difficult and lengthy cleaning operations. It was also very frightening to users who suddenly found their Windows' desktops without any icons, their Start menus changed, and the browser behavior altered not only in IE, but also Chrome, and others.

The idea of machines being infected "Typically ... by posing as a codec needed for ... adult sites" as the predominant distribution method could have some seriously ill effects on very innocent victims who did not knowingly violate any policies whatsoever, and never visited any such sites. Litterally, their only "crime" was having an email address, including corporate email addresses, that got harvested from some unknown source at some unknown time.

[Dennis S]

The DCWG test page worked easy. Thanks for article. I checked and was OK.
Dennis S

[BruceR]

The idea of machines being infected "Typically ... by posing as a codec needed for ... adult sites" as the predominant distribution method could have some seriously ill effects on very innocent victims who did not knowingly violate any policies whatsoever, and never visited any such sites.

Yes. Who defines "Typically"?

Although about a different trojan, this story indicates that it doesn't make sense to assume that infections only or mostly stem from attempting to access dubious sites or content:

The Amnesty International incident is the latest reminder that users can be infected even when they visit websites they trust and frequent often. It challenges the myth that as long as people steer clear of sites offering porn, pirated movies and software, and other unsavory content, they aren't susceptible to attacks that surreptitiously install malware on their systems.
Amnesty International malware attack: when bad things happen on good sites

Bruce