I work for a small college -- we actually got a couple letters from the FBI alerting us that somebody on our network was infected by this. We then had to some internal sleuthing to hunt down who was participating, and more importantly, stop it from happening. We also wanted to know if the actions were intentional.
All the information we could find on this was from 2007-2009. It seemed like this software was out-of-date and no longer in the wild. So I always wondered why we were being contacted, especially now.
This write-up was greatly appreciated as it finally shed some light on why were contacted about it -- and more so, how the FBI were involved.
Same thing happened where I work. We got the notice, checked through our logs, found that someone on our guest network had the virus in 2010, and was only connected for less than 10 minutes. They're sending the notices to every C net that has hit their temporary servers since they set them up.
It's not that I don't care about being uninfected, I just don't know where to find out about things like DNS Changer and Conficker. I answer all the requests my system tray makes of me keeping the following up-to-date: Windows Updates, AVG Anti-Virus Free Edition 2012, Adobe Flash, and Java. I use Chrome and Firefox that update themselves. Is something else I should be doing? Is there a web page that has a check list of things I should do regularly, like 1. run windows update, 2. go to http://dns-ok.us/, etc. How do I know if I'm infected by Conficker? I assumed Windows or my AVG Anti-Virus would have told me.
A few years ago my wife would frequent asian streaming sites to get the latest episodes of some of her shows. Despite having a mostly-patched system and AVG, she got infected with a few viruses/worms.
Generally I'd say that you'll know you're infected rather quick. Some evidence:
- advertising disconnected from the websites you're visiting. Random pop-up ads for example.
- most malware have ability to download and install MORE malware, which AVG will catch some of. So you'll start to randomly get AVG hits for files you did not download because the malware downloaded and attempted to install them.
- some malware will succeed in installing and end up trying to scam you out of $40.
In her case she was infected with an extremely lethal (and interesting) piece of malware called TDL3:
It hides really well by creating an encrypted partition at the end of the disk, and its primary goal is to just download and execute other malware which the authors charge a per-install fee to the other authors. It is nearly impossible to get rid of. She would randomly get infected with other more obvious viruses all the time due to this infection vector.
Secunia Personal Software Inspector is very helpful. It detects all the software you have installed and runs a scan once a week to determine if any of it is out of date and gives you easy links to the updated versions. You sound like you're doing quite well, though I would add Quicktime (comes wirh iTunes) to the flash and java list, but even if you're doing a great job Secunia PSI can be a nice reminder and/or provides a visible confirmation that you're all patched up.
When you need one of the two, run them in a separate (updated) browser in a separate guest account (fast user switching ftw).
Yeah, nobody is going to do that. Chrome has an option to have 3rd party plugins blocked by default (click to activate) and Firefox has Flashblock. That's about as much as you can expect users to do.
I do. Once you force yourself to do it once or twice it is actually pretty quick (2 keystrokes), but you rarely need Flash today anyway. There are far too many web rootkits going around for it to be worth running flash and java (OSX and windows)
If you spend any amount of time on the web there is a chance that you have visited a page running an exploit pack. Their penetration rates are 10-20%. There is even a chance that you have been exploited right now and don't even know it.
Any extension that claims to block in Chrome doesn't actually block, since the extension API doesn't allow that - it is only hiding using CSS or some other Javascript trick that still leaves the plugins vulnerable. Flashblock for Firefox also doesn't prevent exploits of vulnerable browser plugins.
All those plugins create a false sense of security
the last time I looked at the Flashblock code for Firefox there was a way to still exploit a flash vuln by slowing the page load down or intercepting DOMContentInserted
Chrome is definitely vulnerable. They are a few versions away from making the blocking API non-experimental.
Using an extension to block may be vulnerable but the builtin click to activate is different. No API involved, I can go to youtube with click-to-activate turned on and it doesn't even spin up a plugin process until I click.
There are many ways to get infected with a virus on Windows. Sometimes it's just as simple as viewing a webpage (fairly rare, only when there's an unpatched exploit). More often, it's in malicious PDFs or EXEs.
Running an up-to-date anti-virus still isn't going to give you 100% protection. A customer of mine recently was infected by a virus while running an up-to-date McAfee, because the virus was released before the virus definitions were updated to catch it. In the two days before McAfee updated their definitions, my customer got the virus.
There's not much reason to check if you're infected unless you suspect you are. With Conficker and DNS Changer, for example, there are symptoms of the virus. DNS Changer would reroute your search results to their own search page. The best thing to do is keep a running AV up to date, do some research on any exe you're about to run (is the distributor reputable?) and watch for sudden signs of slowness, instability, or any modifications to how your system normally behaves. If you notice changes, there are forums where people can tell you how to clean the infection. HijackThis! is a popular analytical tool (but don't change anything using it without posting it on the forums first).
You did not specifically mention your UAC configuration and user type... you should leave UAC enabled, create a second Administrator user with at least a simple password, and downgrade your normal account to a regular user. (This is all for a home version of Windows, the business versions offer more configuration options.)
Any unexpected popup requiring the administrative user's password is usually enough to know something bad is about to happen... and if software doesn't require Administrative rights to install it is usually either easy to remove or exploiting Windows in a way that's unavoidable once it's hit the machine.
Why not redirect _all_ DNS requests to the address of an informational HTTP server, saying "This computer is infected; here is how to fix it..."
I am sure that Geek Squad would pay a substantial amount of money to be listed as one of the repair options.
The idea that network administrators should have to spend hours hunting down these people is ridiculous. When/if they find them, they're just going to shut them off anyway.
If you're relying on the internet for anything important, you probably want to know that e.g. every key you type is going to some server somewhere.
The there's a certain fear of ISPs implementing work-arounds articulated in the article. I'm not surprised - the IP addresses in question can't ever be reliably reused if some ISPs set up special routes for them. And they will do exactly that if they suddenly get a flood of complaints about "the internet not working".
That's a clearer explanation than I was able to parse from the article - thanks!
It seems to me that the right thing to do is to implement the blanket redirect centrally. If ISPs want to implement something different for their traffic, they are free to do so.
The IPs are probably now no good to anyone anyway - they will be in too many blacklists.
I'm not trying to put words in Paul Vixie's mouth by the way, so "explanation" is too strong a word. It's just my interpretation. I'd agree that the article could go into more detail on why this is a bad thing long term; I'm sure there's more to it.
So without those servers the clients would break and can't resolve DNS requests. Is this correct?
If it is, I don't understand why to bother at all with keeping them running. Just stop them. Internet will break for the people affected, they will someone let "repair" their computer, and you get rid of all the infected clients. This needs to be done anyway sooner or later. Why defer it?
Those people may rely on the Internet for their job, studies or social life, so you shouldn't be so quick to just pull the plug because they were unfortunate enough to get infected. To add insult to injury, you would be forcing them to spend possibly significant amounts of money to get it working again, something that not everyone has ready access to.
Well, the "internet" isn't like a land line/electricity. It goes down pretty consistently where I have lived for the last 10 years (Sunnyvale CA, San Mateo CA, Redwood City CA) - on both DSL and Cable (SBC, AT&T, Comcast) - sometimes for 2 to 3 days at a time. Indeed, the frequency with which Comcast's DNS server stops responding to me has me switching to 8.8.8.8 on a bi-montly basis (and screwing up all the CDNs at the same time).
Shutting down this rogue DNS server will have little to no serious consequence on people's lives - it's not like the "internet" is a reliable service. People who do need reliability, have things like SONET with dual-entrance, multiple providers, and multiple data centers located in separate disaster zones with aggressive power redundancy facilities.
FYI, Comcast's new generation of DNS servers appear to be much more reliable. They support IPv6, DNSSec, and don't have ads. Also, they're anycast (like Google), so the IPs are the same everywhere:
None the things you mention in your second paragraph will help you if what fails is DNS lookup.
Depending on who you are, what you do and where you live, internet access may well be as vital to you as a land line. In fact, I'm not sure I'd notice if my landline stopped working.
> To add insult to injury, you would be forcing them to spend possibly significant amounts of money to get it working again, something that not everyone has ready access to.
Somebody needs to pay the money. In this case, it appears to be the taxpayer. I'm not sure I like this. I'd prefer software companies writing vulnerable software to pay the bill, or the people using the vulnerable software, or perhaps the ISPs (who are being paid by the people using the vulnerable software).
I don't like the taxpayer paying for it because software businesses are making more money by taking security shortcuts and as long as the taxpayer pays for the cost of this then there's no incentive for them to stop.
Yet another reason to try to solve this one out properly as quickly as possible. But I do find it worrying that e.g. http://dns-ok.de/ is a non-SSL site. Furthermore, it shows the German federal government's emblem and the T-Mobile and Avira logos, presumably to convey trustworthiness. Those logos are trivially faked, so I'm not sure it's a good idea training users to associate them with trust.
Showing the logos would be illegal without authorization. The companies and the government are much more likely to get involved over fraud that directly involves them. So it raises the stakes significantly for any forger.
Considering the main use of hacked DNS is going to be stealing login info by redirecting to fraudulent versions of websites, I don't think these criminals will have a problem forging logos.
The article talks about ISPs running replacement servers to counter this. It is not clear, but it sounds like these servers would be intercepting DNS requests to the formerly bad servers and that is why Vixie is against it being a long term solution. He suggests that ISPs could intentionally break infected customers in small batches to get the customers to call for help, but couldn't such infrastructure be used to detect infected customers and send out assistance?
All the information we could find on this was from 2007-2009. It seemed like this software was out-of-date and no longer in the wild. So I always wondered why we were being contacted, especially now.
This write-up was greatly appreciated as it finally shed some light on why were contacted about it -- and more so, how the FBI were involved.