PCWorld Forums

Dnschanger Malware Set To Knock Thousands Off Internet On Monday

#1 PCWorld

  • Advanced Member
  • Group: PCWorld BOT
  • Posts: 103,803
  • Joined: 01-August 07

Posted 05 July 2012 - 06:08 AM

Post your comments for DNSChanger Malware Set to Knock Thousands Off Internet on Monday here
0

#2 Gibson295

  • Full Member
  • Group: Members
  • Posts: 51
  • Joined: 19-May 12

Posted 05 July 2012 - 09:18 AM

For those who were too incapable of a simple, even free, antivirus software and not downloading crap from places you should not, then you need not worry. It's also pretty easy to test to see if you are even affected.
0

#3 rsv5100

  • Newbie
  • Group: New Member
  • Posts: 1
  • Joined: 05-July 12

Posted 05 July 2012 - 12:04 PM

Gibson295, on 05 July 2012 - 09:18 AM, said:

For those who were too incapable of a simple, even free, antivirus software and not downloading crap from places you should not, then you need not worry. It's also pretty easy to test to see if you are even affected.

And what were you doing in 2007????
0

#4 Extremist

  • Advanced Member
  • Group: Members
  • Posts: 261
  • Joined: 28-June 12
  • Location: Earth

Posted 05 July 2012 - 05:44 PM

Gibson295, on 05 July 2012 - 09:18 AM, said:

For those who were too incapable of a simple, even free, antivirus software and not downloading crap from places you should not, then you need not worry. It's also pretty easy to test to see if you are even affected.

Now, it's easy to know if you've been infected with DNSChanger; even Google and Facebook are starting to warn users, but 5 years ago it wasn't like that. And even when you remove DNSChanger, there still may be other stealth malware hidden on your system. DNSChanger spread primarily through the TDSS rootkit, an extremely advanced rootkit that hooks deep into the Windows OS. TDSS usually spreads through one of two attack vectors. The first attack vector is warez and porn sites. For example*:

TDSS Rootkit Silently Owns the Net - Prevx

"The infection comes from the usual dropper spread by peer-to-peer networks or by crack and keygen websites, and it needs administrator privileges to run its payload. If UAC is disabled or the user voluntarily gives admin permissions, this infection can run even on Windows Vista and Windows 7.

This is likely to be the usual scenario, where a user looks for specific cracks and doesn't mind if UAC warns him; he gives admin privileges to the wanted crack."
___________________________________________________________________________

The second category is the drive-by download usually through a 0px (invisible) iframe. One example:

Fragus Exploit Kit - TDSS Rootkit

"While looking after an AutoIt decompiler I ran into the Fragus Exploit Kit on a hacked Wordpress Blog. It all started with an iframe pointing to [xxxxxxx].com.

We run straight into [the file] show.php containing a heavily obfuscated JavaScript hiding several exploits. The unlucky visitor bumps into a 404 page not found error while the JavaScript silently starts its evil work in the background, leaving the victim unaware of what's happening. The same 404 page is meant to slow down analysts too.
Once the script decoded we discover several exploits:

CVE-2006-0003 - MDAC
PDF: printf(), collectEmailInfo(), getIcon()
CVE-2008-0015 - MsVidCtl Overflow
Aolwinamp: IWinAmpActiveX.ConvertFile - Info here and here
CVE-2008-2463 - MSOfficeSnapshotViewer
CVE-2005-2127 - COMObjectInstantiationMemoryCorruption
CVE-2009-1136 - MSOfficeWebComponents - OWC10.Spreadsheet msDataSourceObject
The Fragus Exploit Kit, built with PHP, is available in both English and Russian; the kit is hosted on a web server and allows the attacker to choose which exploits to run.

All lead to the same final payload which is then served to the visitor."

___________________________________________________________________________

It is the second attack vector that is more worrying. The viewer doesn't know that their machine has been compromised by a drive-by download unless they have advanced knowledge of computers and networking. You can become infected by visiting legitimate sites that have been breached, clicking ads, or by simply clicking on a shortened URL (e.g. bit.ly). And your antivirus won't save you. When TDSS installs, it bypasses behavioral protection by forcing a legitimate service to load a legitimate but maliciously patched DLL. This is done by modifying the msi.dll file in the \knowndlls directory, followed by launching the "Microsoft Installer" service. As well, it recompiles hourly, further confusing antivirus solutions. The only ways to effectively prevent drive-by downloads are to use NoScript, use Sandboxie, or deny execution on the AppData folder (where most malware resides).

It's not as simple as just running an AV and downloading from trusted sites.

* Examples of attack vectors found on Wilders Security Forum from user "Rmus"

My Stuff

Custom-built desktop (Windows 8)
Surface Pro
HTC 8X

A bit of logic and reasoning
0
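The invisible 0px iframe described in the post above is the kind of thing a page scanner looks for. The following is an added example, not code from the post or from the Prevx and Fragus write-ups it quotes: it parses HTML with the standard library and flags iframes whose attributes or inline style make them invisible to the viewer. The sample page and the `.invalid` domain inside it are constructed for the example.

```python
"""Flag iframes that a visitor cannot see: zero width/height, display:none
or visibility:hidden. Standard library only, so it runs offline.
"""
import re
from html.parser import HTMLParser

# Constructed sample page: one normal embed and two hidden iframes.
# The .invalid domain is a placeholder, not a real indicator.
SAMPLE_HTML = """
<html><body>
<h1>Welcome to the blog</h1>
<iframe src="https://www.example.com/video" width="640" height="360"></iframe>
<iframe src="http://placeholder.invalid/show.php" width="0" height="0"></iframe>
<iframe src="http://placeholder.invalid/x" style="display:none; width:1px"></iframe>
<p>article text</p>
</body></html>
"""


def _is_zero(value):
    """True for '0', '0px', '0%', '0.0' and similar zero-length values."""
    return re.fullmatch(r"\s*0+(\.0+)?\s*(px|%|em|pt)?\s*", value.lower()) is not None


def _parse_style(style):
    """Turn 'display:none; width:1px' into {'display': 'none', 'width': '1px'}."""
    props = {}
    for decl in style.lower().split(";"):
        if ":" in decl:
            name, val = decl.split(":", 1)
            props[name.strip()] = val.strip()
    return props


class HiddenIframeFinder(HTMLParser):
    """Collects (src, reasons) for every iframe that is hidden from view."""

    def __init__(self):
        super().__init__()
        self.suspicious = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {name: (val or "") for name, val in attrs}
        style = _parse_style(a.get("style", ""))
        reasons = []
        # A missing width/height is not hidden (browsers default to 300x150),
        # so only an explicit zero in the attribute or the style counts.
        for dim in ("width", "height"):
            for candidate in (a.get(dim), style.get(dim)):
                if candidate is not None and _is_zero(candidate):
                    reasons.append(f"{dim}=0")
                    break
        if style.get("display") == "none":
            reasons.append("display:none")
        if style.get("visibility") == "hidden":
            reasons.append("visibility:hidden")
        if reasons:
            self.suspicious.append((a.get("src", ""), reasons))


def find_hidden_iframes(html):
    """Return a list of (src, reasons) for hidden iframes in the HTML text."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.suspicious


if __name__ == "__main__":
    for src, why in find_hidden_iframes(SAMPLE_HTML):
        print(f"hidden iframe -> {src}  ({', '.join(why)})")
```

The check is deliberately conservative: an iframe with no size attributes at all is left alone, because browsers render it at a visible default size, and only an explicit zero or a hiding style is reported. Run it over the HTML of a site you administer to spot injected frames after a compromise.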

#5 ronin7752

  • Senior Member
  • Group: Members
  • Posts: 935
  • Joined: 21-February 09

Posted 05 July 2012 - 06:08 PM

Remember Conficker? After all the warnings and gloomy predictions, how many computers were actually damaged by it?

Seriously, if you know, please tell me, because I looked for the number for weeks after zero-day and couldn't find it. None of the AV companies nor the IT media had anything to report.

Find that odd....?

Always
90% of being smart is knowing what you're dumb at.
0

#6 Extremist

  • Advanced Member
  • Group: Members
  • Posts: 261
  • Joined: 28-June 12
  • Location: Earth

Posted 06 July 2012 - 03:29 AM

ronin7752, on 05 July 2012 - 06:08 PM, said:

Remember Conficker? After all the warnings and gloomy predictions, how many computers were actually damaged by it?

Seriously, if you know, please tell me, because I looked for the number for weeks after zero-day and couldn't find it. None of the AV companies nor the IT media had anything to report.

Find that odd....?

Always

Conficker infected 1.6 million PCs in Q4 2011 alone. Nobody knows exactly what it does, but it's still very alive.

This post has been edited by Extremist: 06 July 2012 - 03:34 AM

My Stuff

Custom-built desktop (Windows 8)
Surface Pro
HTC 8X

A bit of logic and reasoning
0

#7 MichaelBates

  • Newbie
  • Group: New Member
  • Posts: 2
  • Joined: 06-July 12

Posted 06 July 2012 - 04:58 AM

Great tool, highly worth the outlay
0

#8 MichaelBates

  • Newbie
  • Group: New Member
  • Posts: 2
  • Joined: 06-July 12

Posted 06 July 2012 - 04:58 AM

Great tool
0

#9 Jameshoqh

  • Full Member
  • Group: Members
  • Posts: 79
  • Joined: 29-February 12

Posted 06 July 2012 - 05:02 PM

ronin7752, on 05 July 2012 - 06:08 PM, said:

Remember Conficker? After all the warnings and gloomy predictions, how many computers were actually damaged by it?

Seriously, if you know, please tell me, because I looked for the number for weeks after zero-day and couldn't find it. None of the AV companies nor the IT media had anything to report.

Find that odd....?

Always

0

#10 Jameshoqh

  • Full Member
  • Group: Members
  • Posts: 79
  • Joined: 29-February 12

Posted 06 July 2012 - 05:05 PM

Jameshoqh, on 06 July 2012 - 05:02 PM, said:

ronin7752, on 05 July 2012 - 06:08 PM, said:

Remember Conficker? After all the warnings and gloomy predictions, how many computers were actually damaged by it?

Seriously, if you know, please tell me, because I looked for the number for weeks after zero-day and couldn't find it. None of the AV companies nor the IT media had anything to report.

Find that odd....?

Always

This one is a bit different. The FBI is running the servers. They caught the crooks, and have continued to run the servers to help the people infected to solve their problems. On Monday, the FBI shuts the server down. If you are infected, you will not have internet access. It is not what might happen, it is what will happen.
0

#11 DarkRaptor

  • Newbie
  • Group: New Member
  • Posts: 1
  • Joined: 07-July 12

Posted 07 July 2012 - 12:30 AM

A member of my family got an email about this subject saying her laptop was infected, asking to download a program.... Is this legit? I have a large feeling it's not.
0

#12 LiveBrianD

  • Elite
  • Group: Members
  • Posts: 11,170
  • Joined: 31-December 09
  • Location: Right behind you... made you look! :D

Posted 07 July 2012 - 10:04 AM

DarkRaptor, on 07 July 2012 - 12:30 AM, said:

A member of my family got an email about this subject saying her laptop was infected, asking to download a program.... Is this legit? I have a large feeling it's not.

Sounds awfully fishy... (fake AV scanner maybe?)
"The Internet will be used for all kinds of spurious things, including fake quotes from smart people." -Albert Einstein
Need a Windows ISO image?
0

#13 dbisse

  • Member
  • Group: Members
  • Posts: 48
  • Joined: 13-November 06

Posted 07 July 2012 - 11:41 AM

ronin7752, on 05 July 2012 - 06:08 PM, said:

Remember Conficker? After all the warnings and gloomy predictions, how many computers were actually damaged by it?

Seriously, if you know, please tell me, because I looked for the number for weeks after zero-day and couldn't find it. None of the AV companies nor the IT media had anything to report.

Find that odd....?

Always

We had a rogue Windows 2K PC on the network that would periodically lock out about 30 passwords for a year. It wasn't until the CEO's new PC was attacked by it that the security guys turned it off permanently.
0

#14 dbisse

  • Member
  • Group: Members
  • Posts: 48
  • Joined: 13-November 06

Posted 07 July 2012 - 11:43 AM

DarkRaptor, on 07 July 2012 - 12:30 AM, said:

A member of my family got an email about this subject saying her laptop was infected, asking to download a program.... Is this legit? I have a large feeling it's not.

Was it signed by a Nigerian Royal Family member?
0

#15 dbisse

  • Member
  • Group: Members
  • Posts: 48
  • Joined: 13-November 06

Posted 07 July 2012 - 11:44 AM

Jameshoqh, on 06 July 2012 - 05:05 PM, said:

Jameshoqh, on 06 July 2012 - 05:02 PM, said:

ronin7752, on 05 July 2012 - 06:08 PM, said:

Remember Conficker? After all the warnings and gloomy predictions, how many computers were actually damaged by it?

Seriously, if you know, please tell me, because I looked for the number for weeks after zero-day and couldn't find it. None of the AV companies nor the IT media had anything to report.

Find that odd....?

Always

This one is a bit different. The FBI is running the servers. They caught the crooks, and have continued to run the servers to help the people infected to solve their problems. On Monday, the FBI shuts the server down. If you are infected, you will not have internet access. It is not what might happen, it is what will happen.

3rd party hired by the FBI. Wonder what data they have been collecting for the past 8 months.
0

#16 BrandonHope

  • Member
  • Group: New Member
  • Posts: 28
  • Joined: 06-July 12

Posted 07 July 2012 - 12:00 PM

Just use Commonsense 2013 and you will NEVER get a virus or malware! NEVER. It's the most advanced antivirus out there and works for Windows, Linux and UNIX! And it's FREE!!!
0

#17 LiveBrianD

  • Elite
  • Group: Members
  • Posts: 11,170
  • Joined: 31-December 09
  • Location: Right behind you... made you look! :D

Posted 07 July 2012 - 03:36 PM

BrandonHope, on 07 July 2012 - 12:00 PM, said:

Just use Commonsense 2013 and you will NEVER get a virus or malware! NEVER. It's the most advanced antivirus out there and works for Windows, Linux and UNIX! And it's FREE!!!

The problem is that legit sites can get infected, and there are sometimes holes in software that haven't been patched yet. I'm not saying AV is the cure-all solution here. However, it is a good idea, just in case.
"The Internet will be used for all kinds of spurious things, including fake quotes from smart people." -Albert Einstein
Need a Windows ISO image?
0

#18 AppleDystopia

  • Newbie
  • Group: New Member
  • Posts: 3
  • Joined: 07-July 12

Posted 07 July 2012 - 04:16 PM

This is a good, informative post, however a bit too doom and gloom. 300,000 computers may be infected. This doesn't disable internet access, but DNS. If one is infected, you can ping Google, type the IP in your browser and search for a solution. There is a lot of hype surrounding this. Check out my blog, Appledystopia, for a short post on DNSChanger and a link to DCWG (DNS Changer Working Group) for more details on how to fix this...
0

#20 LiveBrianD

  • Elite
  • Group: Members
  • Posts: 11,170
  • Joined: 31-December 09
  • Location: Right behind you... made you look! :D

Posted 07 July 2012 - 04:27 PM

AppleDystopia, on 07 July 2012 - 04:16 PM, said:

This is a good, informative post, however a bit too doom and gloom. 300,000 computers may be infected. This doesn't disable internet access, but DNS. If one is infected, you can ping Google, type the IP in your browser and search for a solution. There is a lot of hype surrounding this. Check out my blog, Appledystopia, for a short post on DNSChanger and a link to DCWG (DNS Changer Working Group) for more details on how to fix this...

You can't ping google.com without a working DNS server; it looks it up there, and then gets the IP. If you click on a search result from it, you'll also need DNS. If you're pinging and visiting 74.125.224.68 (that's one of Google's IPs) or something, then no, it doesn't matter.
"The Internet will be used for all kinds of spurious things, including fake quotes from smart people." -Albert Einstein
Need a Windows ISO image?
0
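Two points in this thread lend themselves to a small check: Gibson295's remark that it is easy to test whether you are affected, and LiveBrianD's point that pinging google.com needs a working resolver while an IP literal does not. The following is an added example, not code from the forum, from PCWorld or from DCWG. It reads the configured nameservers from resolv.conf text or from `ipconfig /all` output, compares them with a list of rogue-resolver ranges, and decides whether a given target needs DNS at all. The CIDR ranges in it are RFC 5737 documentation prefixes standing in as placeholders, and both sample inputs are constructed; the actual DNSChanger resolver ranges are not on this page and have to be taken from the FBI/DCWG advisory before the check means anything.

```python
"""Is this machine pointed at a rogue resolver, and does a target need DNS?
Standard library only; the rogue ranges below are placeholders.
"""
import ipaddress
from urllib.parse import urlsplit

# PLACEHOLDER list: RFC 5737 documentation prefixes stand in for the rogue
# resolver ranges. Replace with the ranges published in the FBI/DCWG advisory.
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed sample inputs (8.8.8.8 is Google's public resolver).
SAMPLE_RESOLV = """# constructed /etc/resolv.conf
nameserver 192.0.2.53
nameserver 8.8.8.8
"""

SAMPLE_IPCONFIG = """
Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.0.0.5
   DNS Servers . . . . . . . . . . . : 198.51.100.2
                                       203.0.113.9
"""


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # ignore malformed entries
    return servers


def parse_ipconfig(text):
    """Return the 'DNS Servers' addresses from `ipconfig /all` output.

    Extra servers appear on following lines holding only an address; the
    continuation heuristic (no ':' on the line) handles IPv4 only.
    """
    servers, in_dns = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if "DNS Servers" in line and ":" in line:
            in_dns = True
            candidate = line.rsplit(":", 1)[1].strip()
        elif in_dns and line and ":" not in line:
            candidate = line
        else:
            in_dns = False
            continue
        try:
            servers.append(ipaddress.ip_address(candidate))
        except ValueError:
            in_dns = False
    return servers


def rogue_resolvers(servers, ranges=ROGUE_RESOLVER_RANGES):
    """Configured resolvers (as strings) that fall inside a known-rogue range."""
    return [str(s) for s in servers if any(s in net for net in ranges)]


def needs_dns(target):
    """True when reaching `target` (a URL or bare host) requires name resolution."""
    host = urlsplit(target).hostname or "" if "://" in target else target
    try:
        ipaddress.ip_address(host.strip("[]"))
        return False  # an IP literal is reachable with no resolver at all
    except ValueError:
        return True


if __name__ == "__main__":
    print("resolv.conf rogue:", rogue_resolvers(parse_resolv_conf(SAMPLE_RESOLV)))
    print("ipconfig rogue:   ", rogue_resolvers(parse_ipconfig(SAMPLE_IPCONFIG)))
    for t in ("https://www.google.com/", "http://74.125.224.68/"):
        print(t, "needs DNS" if needs_dns(t) else "works without DNS")
```

Feed `parse_resolv_conf` the contents of `/etc/resolv.conf` on a Unix host, or `parse_ipconfig` the captured output of `ipconfig /all` on Windows; an empty list from `rogue_resolvers` means none of the configured servers is in the list you supplied. The `needs_dns` helper makes the thread's last point concrete: only an IP-literal URL bypasses a broken resolver.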
