Malware may knock thousands off line 7-9-2012

From Yahoo News

WASHINGTON (AP) — The warnings about the Internet problem have been splashed across Facebook and Google. Internet service providers have sent notices, and the FBI set up a special website.

But tens of thousands of Americans may still lose their Internet service Monday unless they do a quick check of their computers for malware that could have taken over their machines more than a year ago.

Mod Edit ,Title spelling repaired~~ boopme

This story is why I came here, because I don't trust it. I swear I read the same thing several months back, but I thought the shut down was happening in a different month/had happened already.

They give a link at the end of the story to the company the FBI brought in so that everyone can scan their computer, but what I don't understand is if this is actually picked up, or not, by regular software NOT connected to the government (or, not that I know of anyway) like MBAM, SAS, my antivirus, etc.

Does anyone know more about this?

To answer your question above, they are not doing a scan of the PC's themselves so to speak, they are actually looking up to see what DNS servers the machines are registering to. They have a complete list of the DNS server redirects as that is what the infected people are connecting to. They setup clean servers in order to have people that were infected with this DNS redirect retain the ability to get online. As a result they simply scan for what DNS servers people are trying to connect into, if it's on the list it will show-up as red. It's a fairly low tech way to do wide spread diagnostics. As for the timing, this was changed from a February date as the agencies did not think that the information was wide spread enough to the user public to prevent a large scale outage due to the problem. I can understand people's suspicion, but in this case it is fairly non-invasive as they are not looking for information that your computer does not report to every website you visit to some degree or another.

Awesome. Thank you for explaining the scan :D

There is a good article here
DNSChanger Malware Set to Knock Thousands Off Internet on Monday

Thousands of PCs worldwide may be unable to access the Internet beginning July 9 unless those machines are rid of the pernicious DNSChanger malware that first surfaced in 2007. The Federal Bureau of Investigation helped shut down the criminal ring responsible for DNSChanger in late 2011.

Click Here to see if you are OK

Protect Yourself From DNSChanger

Hi,

you're completely correct in saying "wasn't there something like this just months ago?". The take-down date for the servers was originally set to be the 8th of March. At the time it was estimated that 500.000 PCs were still infected and would be knocked offline and the FBI decided to keep the servers online for another 3 months. This time, they say, it's definite and they will take the servers online on monday.

As they currently estimate that 250.000 PCs are still infected, I think we will have to wait and see if the FBI really does cut them off or postpones once more.

regards myrti

Looks like PC Repair Shops like myself will be busy come Monday.

Hi all,

Correct me if I'm wrong, but:

I've read about this months ago, and honestly, I don't think it's anything we (in the community) should be worried about. The discrepancies will show up in the logs...and be fixed accordingly if there are problems.

As I remember it, this was a hosts file/security issue, correct? Can't remember now...

bloopie

Hi bloopie,

the issue was a bit bigger than that. It actually replaced the DNS servers both on the machine, and if it could, on the router with malicious ones that would redirect you to ad-sites.

The FBI seized the servers a while ago and has been offering "normal" DNS servers as a stand in since then. Now they will turn off those new DNS servers, that means that starting tomorrow anyone who is still infected or has some left-over of the infection on his machine, will no longer be able to resolve any given web-address. Only numerical IPs will work.
Add to this, that, if the router was infected, all devices on the network will be knocked offline and unreachable, this may cause quite a stirrup. However, since they likely won't be able to get online (except through their 3g phone maybe), this is not something we need to prepare for especially.

We should be aware of this, as it can save you a lot of trouble-shooting on a "broken internet connection" and we will likely get some panicky users, telling us their internet is kaputt. If the leftover are only in the routers, this will not show in the logs either. So some logical combinating may be necessary to reach the conclusion that the router is infected. However this is not an infection that is new and we know very well how to remove and fix it, if they come to us for help.

regards myrti