<?xml version="1.0" encoding="UTF-8"?> <rss
version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
> <channel><title>Security on steroids</title> <atom:link href="http://cleanbytes.net/feed" rel="self" type="application/rss+xml" /><link>http://cleanbytes.net</link> <description>Free security tools for virus prevention and removal</description> <lastBuildDate>Wed, 25 Apr 2012 01:54:45 +0000</lastBuildDate> <language>en</language> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <generator>http://wordpress.org/?v=3.3.2</generator> <item><title>Affiliate Downloader</title><link>http://cleanbytes.net/affiliate-downloader</link> <comments>http://cleanbytes.net/affiliate-downloader#comments</comments> <pubDate>Wed, 25 Apr 2012 01:54:45 +0000</pubDate> <dc:creator>Slippery Slim</dc:creator> <category><![CDATA[Selected Software]]></category> <guid
isPermaLink="false">http://cleanbytes.net/?p=1967</guid> <description><![CDATA[Don&#8217;t really have an article to comment on this time. Instead let me add a little something that jumped in my lap. Or maybe you could say, jumped on my computer. It may be that you too run into this and after reading about it here, you will have the answers on how to remove [...]]]></description> <content:encoded><![CDATA[<p>Don&#8217;t really have an article to comment on this time. Instead let me add a little something that jumped in my lap. Or maybe you could say, jumped on my computer. It may be that you too run into this, and after reading about it here you will have the answers on how to remove it.</p><p>My little episode began with my antivirus running out. So I thought I would try another with an equivalent level of protection. Sadly, the new antivirus would not install without removing the firewall in place. I was about to just go back to what I knew worked, except that trying new stuff is how you find out how good one product is over another. <i>Or just call me reckless at heart. </i></p><p>After the new antivirus was installed, I was off to find a new firewall. So I happened upon PC Tools Firewall (which you will pardon if I don&#8217;t give you the address, in the interests of not spreading more malware). PC Tools Firewall is not hosted for download at their own home site; rather, they pass off the job to CNet. Once I got the program in I went ahead and installed the software firewall. So far, so good.</p><p>A few hours later I started noticing the LAN speed was slowing down considerably. Oh, it was still usable, but not near where it normally is. This was my first clue something was wrong. Shortly after that I wanted to take a look at the PC and network traffic graphs in Task Manager. Only Task Manager wouldn&#8217;t come up. It stalled on the working icon and remained there, never actually bringing up Task Manager. I knew then I had picked up something for sure. 
I also found I could not search for antivirus sites, and the malware cleaners and antivirus (all up to date on definitions) couldn&#8217;t be pulled up either.</p><p>So off to safe mode I went with a reboot. Malwarebytes showed Affiliate Downloader to be the guilty party. It removed it and I removed the installation of the PC Tools Firewall. Returning to regular mode, I found Task Manager once again available. As a precaution I went ahead and ran all programs again, just to check. Everything was clean and Task Manager remained available for the several hours I was watching it closely. As a double check, I went back and reinstalled the PC Tools Firewall to verify it was infected, as the Downloader program was fairly simple to dispose of. Sure enough, it was there in the executable file. So I cleaned it one more time in safe mode and deleted the software firewall.</p><p>Don&#8217;t go looking for the current and latest version from their home page. The firewall appeared to be a rather simple program with none of the advanced features you would expect from a full-featured software firewall, and its tailoring to your uses is rather limited.</p><p>Pass on this one; it isn&#8217;t worth it.</p> ]]></content:encoded> <wfw:commentRss>http://cleanbytes.net/affiliate-downloader/feed</wfw:commentRss> <slash:comments>1</slash:comments> </item> <item><title>How to detect computer viruses in pirated software</title><link>http://cleanbytes.net/how-to-detect-computer-viruses-in-pirated-software</link> <comments>http://cleanbytes.net/how-to-detect-computer-viruses-in-pirated-software#comments</comments> <pubDate>Wed, 18 Apr 2012 16:54:15 +0000</pubDate> <dc:creator>John Barrett</dc:creator> <category><![CDATA[General Tips]]></category> <guid
isPermaLink="false">http://cleanbytes.net/?p=1939</guid> <description><![CDATA[Software, music and movie piracy is a reality of our days, whether we like it or not. Although it&#8217;s illegal, some justify the use of pirated software (warez) by its high cost, a lack of money, or simply because &#8220;it is there&#8221; on some warez forum or blog, without thinking too much [...]]]></description> <content:encoded><![CDATA[<p>Software, music and movie piracy is a reality of our days, whether we like it or not. Although it&#8217;s illegal, some justify the use of pirated software (warez) by its high cost, a lack of money, or simply because &#8220;it is there&#8221; on some warez forum or blog, without thinking too much about the legal issues. The topic of this article is not the debate over whether warez use is justified; it is everyone&#8217;s own responsibility how they answer that question and what they do about it. What is certain is that embedding malware, especially trojans, in a program&#8217;s setup files and spreading the links via warez forums is one of the methods used by bad boys to steal email, banking and other important account credentials.</p><p>Warez forums are the perfect environment for launching infection campaigns, for a good reason: anybody can upload whatever he wants to a file sharing website and post the link, and nobody, including the forum staff, can guarantee that the posted program is free of malware unless somebody downloads it and scans it with an antivirus. But who does that? The forum users take on huge infection risks, because very often a single antivirus, no matter who its developers are, fails to detect newly created trojans. Using an online scanning service like <em><a
href="https://www.virustotal.com/">virustotal.com</a></em> is a better alternative than scanning with a single antivirus, because the service uses many antivirus engines, but it has a limitation: it can only scan files up to 32 MB in size, and the bad boys know it. What do you do if a file is larger than 32 MB?</p><p>To be honest, warez forums are not the only websites spreading infected software. A program downloaded legally from its official website can spy on your computer and collect, for statistics, data about how you use your computer, what websites you visit or other private information, a behaviour that many users perceive as a privacy threat; moreover, such programs are detected as malware by a few security products.</p><p>If you are dealing with a suspicious program, the simplest option is to use <em><a
href="https://www.virustotal.com/">virustotal.com</a></em> to scan the file (if the file is smaller than 32 MB, of course); you have the advantage over your installed antivirus of seeing the results of many more antivirus engines, so a more accurate result.</p><p>The next thing you can do is to check the file (setup) properties: if a malevolent person embeds a trojan into an installer, the digital signature will be missing. Also, a lot of &#8220;wannabe&#8221; hackers are neglectful when they build the new installers and put strange things in the <em>File Properties</em>, or the file properties fields are missing completely.</p><p>Let&#8217;s see how the file properties of a modified installer found on a warez forum (<strong>easyHDR PRO, High Dynamic Range photo processing software</strong>) look compared with the original setup file:</p><p><em>Installer with trojan contained</em></p><ol><li>File version: 2.20.1.0</li><li>Description: Setup Application</li><li>Copyright: Setup Engine Copyright © 1992-2012</li><li>Comments: Created with&#8230;.</li><li>Company: easyHDR PRO</li><li>Internal name: sf_rt</li><li>Original File name: suf_launch.exe</li><li>Product name: easyHDR PRO</li></ol><p><em>And now the original installer:</em></p><ol><li>File version: 2.20.1.0</li><li>Description: easyHDR PRO 2 installer</li><li>Copyright: (C) 2006-2012 Bartlomiej Okonek</li><li>Company: SIMPARTEK &#8211; Bartlomiej Okonek</li></ol><p>You can see the differences: the <em>so-called</em> hacker was simply too lazy to add the proper file properties when he was building his infected installer. Even the icons were different.</p><p>The next thing you can check is the file hashes: the original has <strong>MD5 0FA5244E5F9606AAA10070002AB1B7C8</strong> and the infected installer <strong>MD5 8B78190E81E32C46C94B7C34A9B3C81E</strong>. 
File hashes are a great help for quick file analysis; <em>HashTab</em>, a free tool for calculating them, can be found at:</p><p><a
href="http://implbits.com/HashTab.aspx">http://implbits.com/HashTab.aspx</a></p><p>This tool adds an entry to the context menu (right-click menu), and the resulting hashes can be used to compare files or to verify file integrity and authenticity. Or you can google the hashes: some online security services use them to determine whether a file was previously detected as malware.</p><p>What about scanning this file at virustotal.com? Well, the results are not laudable:</p><p><a
href="https://www.virustotal.com/file/ac60202365b59b05d6eb04cfe00f301cb9801e119495bc72ff127c5070194485/analysis/1334599798/">https://www.virustotal.com/file/ac60202365b59b05d6eb04cfe00f301cb9801e119495bc72ff127c5070194485/analysis/1334599798/</a></p><p><strong>Detection ratio: 5 / 42</strong>; a lot of big-name antiviruses fail to detect it, grrrrr, which is not good for you if you happen to use one of them.</p><p>You can also try to extract the files from inside an installer using a tool like <em><a
href="http://legroom.net/software/uniextract">Uniextract</a></em> and view them, but you need some experience to recognize a trojan file.</p><p>In my opinion, the best way to decide about an executable is to run it in a virtual environment like a &#8220;sandbox&#8221; and monitor its actions, what it does. You don&#8217;t need a virtual machine for this: <em><a
href="http://www.sandboxie.com/"> Sandboxie</a></em> accompanied by <em><a
href="http://bsa.isoftware.nl/">Buster Sandboxie Analyzer</a></em> (BSA) module is one of the most powerful and convenient sandboxing tools: Sandboxie because a presumably infected program cannot make permanent changes to your system, and BSA because it offers detailed information about the analyzed program&#8217;s behaviour and even tries to decide whether it is malicious or not. Of course, this combination can also be used on &#8220;legitimate&#8221; but dubious software, not only on software provided by warez forums.</p><p>Now let&#8217;s see our infected setup file running in a sandbox.</p><p>First of all, in <em>Malware Behaviour Analyzer (BSA)</em> we can notice three risk factors, enough to form your own idea about the analyzed program:</p><ol><li>An autostart registry entry created</li><li>Keylogger activity</li><li>Assorted suspicious actions</li></ol><div
id="attachment_1961" class="wp-caption alignnone" style="width: 695px"><a
href="http://cleanbytes.net/wp-content/uploads/2012/04/malware-behaviour-analyzer.jpg"><img
class="size-full wp-image-1961" title="malware behaviour analyzer" src="http://cleanbytes.net/wp-content/uploads/2012/04/malware-behaviour-analyzer.jpg" alt="malware behaviour analyzer" width="685" height="513" /></a><p
class="wp-caption-text">malware behaviour analyzer</p></div><p>Reading the report reveals the creation of two hidden files in the <em>Temporary directory</em>; there is no reason for this other than to hide the files from the user, so we can guess these are malware files:</p><div
id="attachment_1962" class="wp-caption alignnone" style="width: 594px"><a
href="http://cleanbytes.net/wp-content/uploads/2012/04/report-hidden-files.jpg"><img
class="size-full wp-image-1962" title="report hidden files" src="http://cleanbytes.net/wp-content/uploads/2012/04/report-hidden-files.jpg" alt="report hidden files" width="584" height="512" /></a><p
class="wp-caption-text">report hidden files</p></div><p>These two suspicious files are:</p><ol><li><em>dbghelp.exe</em> MD5 1A9E6ACF61D24E829059F5595EDAB9BF</li><li><em>libcurl.exe</em> MD5 15E63AA1A22AFA8481D3DE1DC34F039B</li></ol><p>The first one, <em>dbghelp.exe</em>, is detected as <em>Trojan.Generic</em> (13/42 detection ratio) at www.virustotal.com, <a
href="https://www.virustotal.com/file/3f5c096136acc066c81b5c15feb96d04bda69d0ff3708ee80b7eb2bed70d4e34/analysis/1334766371/">see report</a>, and the second one, <em>libcurl.exe</em>, is detected as <em>Win32/Fignotok.A Trojan</em> (32/41 detection ratio), <a
href="https://www.virustotal.com/file/8000e77ea6852d14dd6f151e0b66feabfa742940b8a391e681293097a11feeef/analysis/1334766600/">see report</a>.</p><p>However, remember that the setup which included these two trojans together with the original <strong>easyHDR PRO</strong> program has a poor detection ratio of 5/42; that&#8217;s because it was compressed and packed specifically to avoid antivirus detection. The unsuspecting user can run the infected installation and everything appears fine, because the wanted program installs as expected; what the user does not know is what happens behind the scenes: he has just won two computer trojans as a bonus.</p><p>Keep safe!</p> ]]></content:encoded> <wfw:commentRss>http://cleanbytes.net/how-to-detect-computer-viruses-in-pirated-software/feed</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>After the hack</title><link>http://cleanbytes.net/after-the-hack</link> <comments>http://cleanbytes.net/after-the-hack#comments</comments> <pubDate>Mon, 02 Apr 2012 00:11:03 +0000</pubDate> <dc:creator>Slippery Slim</dc:creator> <category><![CDATA[Breaking News]]></category> <guid
isPermaLink="false">http://cleanbytes.net/?p=1931</guid> <description><![CDATA[After the hack According to published reports, Visa and MasterCard recently warned card-issuing banks that a third-party payments processor suffered a security breach. This breach may have exposed the Track 1 and Track 2 data needed to counterfeit cards. The compromise, according to both KrebsonSecurity and The Wall Street Journal, happened sometime between January 21 [...]]]></description> <content:encoded><![CDATA[<p><strong>After the hack</strong></p><blockquote><p>According to published reports, Visa and MasterCard recently warned card-issuing banks that a third-party payments processor suffered a security breach. This breach may have exposed the Track 1 and Track 2 data needed to counterfeit cards. The compromise, according to both KrebsonSecurity and The Wall Street Journal, happened sometime between January 21 and February 25. It&#8217;s not clear if attackers had access for that entire period.</p></blockquote><p><a
href="http://arstechnica.com/business/news/2012/04/frequently-asked-questions-about-a-hack-that-may-affect-10-million-credit-cards.ars">Source</a></p><p>Here is where the driving force is to tame the internet: to turn it into the merchant&#8217;s wet dream. The idea of having a store with unlimited shelf space, without having to meet all the requirements of a brick-and-mortar store, is strong. No having to meet safety requirements for the handicapped, no having to worry about the parking lot needing to be repaved and painted, no worries about collecting sales taxes in most states, no worry of fire safety inspections; a lot of laws, requirements, licensing costs, taxes, and upkeep and maintenance go out the window with an on-line store. To be sure, there are other requirements in this case, but nowhere near as many as for a physical store.</p><p>In order for on-line buying to be successful, one must have total faith in the financial system to forward payment and in the store to send the goods. A breach of trust in either kills the process. Here is where we run into the hacker and what it means to the customer. Today, as a credit card customer that is not a business, your credit and charge totals are protected, provided you did your best to maintain security. I.e., you didn&#8217;t just up and give out your information on purpose for fraudulent purposes. This is an attempt to keep the trust in the system going.</p><p>Every year or two, it seems, we hear of a major break-in, where all security is somehow bypassed and all the protected info is stolen. Shortly after, people start seeing charges on their accounts for goods they never bought. Big money is being stolen this way.</p><p>In an effort to contain the various botnets that are spamming and stealing personal financial data, the ISPs are being encouraged to fight back by a general code of conduct. You can find an earlier article I&#8217;ve posted here dealing with that topic. 
The purpose is to identify and alert computer users when their systems are infected. That too has holes in it, as John has mentioned earlier.</p><p>The on-line marketplace will crater without sufficient trust in the system. Money doesn&#8217;t grow on trees, and these credit card companies are going to have to come up with a solution as the amount stolen continues to rise.</p> ]]></content:encoded> <wfw:commentRss>http://cleanbytes.net/after-the-hack/feed</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>ABCs for ISPs</title><link>http://cleanbytes.net/abcs-for-isps</link> <comments>http://cleanbytes.net/abcs-for-isps#comments</comments> <pubDate>Fri, 23 Mar 2012 22:07:21 +0000</pubDate> <dc:creator>Slippery Slim</dc:creator> <category><![CDATA[Breaking News]]></category> <guid
isPermaLink="false">http://cleanbytes.net/?p=1922</guid> <description><![CDATA[ABCs for ISPs The Anti-Bot Code of Conduct for Internet Service Providers A Voluntary Industry Code to Help Reduce End-User Bots The Federal Communications Commission’s CSRIC Working Group #7 released a new voluntary code of conduct for ISPs and network operators on March 22, 2012 as a cooperative industry-government initiative. The Anti-Bot Code of Conduct [...]]]></description> <content:encoded><![CDATA[<p><a
href="http://cleanbytes.net/wp-content/uploads/2012/03/CofC1.png"><img
src="http://cleanbytes.net/wp-content/uploads/2012/03/CofC1.png" alt="" width="93" height="150" class="alignnone size-full wp-image-1928" /></a><strong>ABCs for ISPs</strong></p><p><b>The Anti-Bot Code of Conduct for Internet Service Providers </b><br
/> <em>A Voluntary Industry Code to Help Reduce End-User Bots</em></p><blockquote><p> The Federal Communications Commission’s CSRIC Working Group #7 released a new voluntary code of conduct for ISPs and network operators on March 22, 2012 as a cooperative industry-government initiative. The Anti-Bot Code of Conduct for Internet Service Providers (ABCs for ISPs), included in the FCC CSRIC Final Report of March 2012 includes the opportunity for participating network operators to be listed publicly on their own and official industry websites.</p></blockquote><p><a
href="http://www.maawg.org/abcs-for-ISP-code">Source</a></p><p>The spammers and bot-herders will have to come up with a new method should this take hold. Those ISPs voluntarily agreeing to this Code of Conduct will affect roughly ½ of all internet users in the US.</p><p>It&#8217;s in the interests of the ISPs to do this. It would cut down on a lot of traffic that passes through their nets, not willingly sent by the customer. Yesterday, released to public news was the statement that the DoD should accept that it has been compromised within its network and it is likely it will never get the network clean.</p><p>With the methods of rootkits, it is beyond most average computer users to find and eliminate bot-net connections. It is possible to identify them through the traffic they send out from the user&#8217;s computer, which is one of the places this new Code of Conduct will make itself known. The plan is to monitor the customers&#8217; IP traffic and send a notice to those whose traffic closely matches known bot-net and malware traffic.</p><p>This means a distinct cutback on bot-net traffic if they can&#8217;t hide the flow of data. Bot-nets depend on the infection remaining unnoticed while continuing to infect others to add to the herd&#8217;s size.</p><p>My question in all this is the question of customer security from their ISPs. As long as the ISPs are dumb pipelines they are protected through DMCA safe harbors. As soon as they start manipulating the data, their status changes from dumb pipelines to one of being liable for any misappropriation of that data.</p> ]]></content:encoded> <wfw:commentRss>http://cleanbytes.net/abcs-for-isps/feed</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>A mass infection system or a file sharing website? 
fileze.com</title><link>http://cleanbytes.net/a-mass-infection-system-or-a-file-sharing-website-fileze-com</link> <comments>http://cleanbytes.net/a-mass-infection-system-or-a-file-sharing-website-fileze-com#comments</comments> <pubDate>Fri, 23 Mar 2012 21:39:50 +0000</pubDate> <dc:creator>John Barrett</dc:creator> <category><![CDATA[Breaking News]]></category> <guid
isPermaLink="false">http://cleanbytes.net/?p=1899</guid> <description><![CDATA[Maybe some of you have run into the following weird situation: you want to download a trial of a program, a shareware, from a well-established download site, but when you click the download button, instead of the wanted program another little program is downloaded and executed on the computer. It&#8217;s the so-called &#8220;download manager&#8221;, which [...]]]></description> <content:encoded><![CDATA[<p>Maybe some of you have run into the following weird situation: you want to download a trial of a program, a shareware, from a well-established download site, but when you click the download button, instead of the wanted program another little program is downloaded and executed on the computer. It&#8217;s the so-called &#8220;download manager&#8221;, which in its turn downloads the desired program. Nobody fully understands this scheme, why this &#8220;download manager&#8221; is needed instead of offering the wanted program directly, but many suspect this program of &#8220;grey&#8221; missions. The concerns are raised when antivirus software detects these &#8220;download managers&#8221; as adware or spyware, and there must be some truth here: what other purpose can these forcefully pushed programs have? Let&#8217;s tell the truth: behind them there is always a scheme involving financial gain in one form or another, be it advertising or building statistics. It&#8217;s their business, OK, but when user privacy is affected to any degree, when the browsing experience deteriorates to any degree, it&#8217;s time to take these apparently inoffensive but unwanted programs seriously.</p><p>There is an interesting story about the reputable website CNET download.com, which embedded its own adware and malware parasitic programs in the otherwise clean original installers it distributed; see the <a
href="http://insecure.org/news/download-com-fiasco.html#news">Nmap example</a>.</p><p>The case analyzed in this article is about a new file sharing website, <strong>http://fileze.com/</strong>, which is advertised on some forums and promises great payouts in a PPI (pay per install) system. Simply put, users can upload files and share links, and when somebody wants to download a file he&#8217;s forced to install their download manager in order to reach the wanted file.</p><p>Here is a part of their TOS:</p><blockquote><p>How we work:</p><p>Once a user clicks on your link and downloads fileze’s download manager your account will be credited as a successful install. You can view the payment rates on the right hand side of this page. We reward users that receive more files downloaded by increasing payouts, we base our revenue structure on different tiers. For example if a user downloads your file and is not from one of these countries your account will not be credited.</p><p><strong>Install Rates</strong></p><table><tr><th>Monthly Installs</th><th>Tier 1</th><th>Tier 2</th><th>Tier 3</th></tr><tr><td>1 to 3,000</td><td>$0.85</td><td>$0.38</td><td>$0.10</td></tr><tr><td>3,001 to 10,000</td><td>$1.00</td><td>$0.40</td><td>$0.11</td></tr><tr><td>10,001 to 20,000</td><td>$1.10</td><td>$0.49</td><td>$0.12</td></tr><tr><td>20,001 to 40,000</td><td>$1.21</td><td>$0.53</td><td>$0.14</td></tr><tr><td>40,001 to 80,000</td><td>$1.29</td><td>$0.68</td><td>$0.15</td></tr><tr><td>80,001 to 160,000</td><td>$1.37</td><td>$0.71</td><td>$0.16</td></tr><tr><td>160,001 to 1,000,000</td><td>$1.45</td><td>$0.75</td><td>$0.17</td></tr></table><p><strong>Tier Countries</strong></p><ol><li>United States</li><li>France, Germany, United Kingdom</li><li>Australia, Austria, Belgium, Denmark, Finland, Ireland, Italy, New Zealand, Norway, Portugal, Sweden, Switzerland, Netherlands, Canada</li></ol></blockquote><p>I have uploaded a file to the website, generated a download link and visited it with a monitored browser. Of course the forced &#8220;download manager&#8221; offer popped up.</p><div
id="attachment_1907" class="wp-caption alignnone" style="width: 712px"><a
href="http://cleanbytes.net/wp-content/uploads/2012/03/download-manager.jpg"><img
class="size-full wp-image-1907" title="download manager" src="http://cleanbytes.net/wp-content/uploads/2012/03/download-manager.jpg" alt="download manager" width="702" height="481" /></a><p
class="wp-caption-text">download manager</p></div><p>Part of the requests made by the browser were:</p><blockquote><p>GET /fd2fed27b5ce840faea85789afd68db03ad0 HTTP/1.0<br
/> User-Agent: Mozilla/5.0 (Windows NT 5.1; en; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 11.61<br
/> <strong>Host: interstitial.powered-by.latestdl.info</strong><br
/> Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1<br
/> Accept-Language: en-US,en;q=0.9<br
/> Accept-Encoding: gzip, deflate<br
/> Referer: http://fileze.com/download?file=14c17846e3cb177ccd2e12cf80a3f2e5_dwlG132_drivers_130.zip</p><p>GET /logger/interstitial/hit/247762/1440498/?v.offer=ravenbleu%2Cmp3tube%2Cbasicscan&amp;lp=http%3A%2F%2Ffileze.com%2Fdownload%3Ffile%3D14c17846e3cb177ccd2e12cf80a3f2e5_dwlG132_drivers_130.zip&amp;v.sid= HTTP/1.1<br
/> <strong>Host: install.onlinedl.info</strong><br
/> User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1<br
/> Accept: image/png,image/*;q=0.8,*/*;q=0.5<br
/> Accept-Language: en-us,en;q=0.5<br
/> Accept-Encoding: gzip, deflate<br
/> Proxy-Connection: keep-alive<br
/> Referer: http://fileze.com.powered-by.onlinedl.info/generate/interstitial/247762/?pp=http%3A%2F%2Ffileze.com%2Fdownload%3Ffile%3D14c17846e3cb177ccd2e12cf80a3f2e5_dwlG132_drivers_130.zip</p></blockquote><p>As you can see, a lot of redirects occurred: to a <em>latestdl.info</em> subdomain, an <em>onlinedl.info</em> subdomain and finally to:</p><p><em>http://org.freeflixapp.net/NCIC/20120323072153494E434647493031_4b5a0858-0071-4760-bf53-7793c426bcb6/20120323104817dc83f3-ed26-4c0a-8074-5d9c320f1a90/Setup.exe</em></p><p>from which a single file was downloaded, the &#8220;download manager&#8221; in question:</p><p>Name: setup.exe<br
/> Description: Installer<br
/> Digital Signature: Pinball Corporation<br
/> Size: 230 KB<br
/> MD5: 375EDE343070D8E823408FAB8DEF3F84</p><p>What does this setup file do when it is executed? Let&#8217;s see it analyzed in <a
href="http://www.sandboxie.com/">Sandboxie</a> with the <a
href="http://bsa.isoftware.nl/">BSA add-on</a>, only the most interesting parts:</p><blockquote><p>Detected keylogger functionality<br
/> Detected privilege modification<br
/> Detected process privilege elevation<br
/> Enumerated running processes<br
/> Got system default language ID<br
/> Got user name information<br
/> IE settings change: user\current\software\microsoft\internet explorer\searchscopes\{33524c00-63fb-43db-a6bf-0a4e14b24649}\displayname = basicscan<br
/> IE settings change: user\current\software\microsoft\internet explorer\searchscopes\{33524c00-63fb-43db-a6bf-0a4e14b24649}\url = http://www.basicscan.com/?prt=bscscnpb&amp;keywords={searchterms}<br
/> IE settings change: user\current\software\microsoft\internet explorer\searchscopes\{b3fc32b0-1a54-4aa4-910b-d6d335668969}\displayname = yahoo-mp3tube<br
/> IE settings change: user\current\software\microsoft\internet explorer\searchscopes\{b3fc32b0-1a54-4aa4-910b-d6d335668969}\faviconurl = http://www.yahoo.com/favicon.ico<br
/> IE settings change: user\current\software\microsoft\internet explorer\searchscopes\{b3fc32b0-1a54-4aa4-910b-d6d335668969}\url = http://mp3tubetoolbar.com/?tmp=toolbar_sb_results&amp;prt=pinballtbfour01ie&amp;keywords={searchterms}&amp;clid=fcc0a10518894c7fa747679421b1dba5<br
/> IE settings change: user\current\software\microsoft\internet explorer\searchscopes\defaultscope = {b3fc32b0-1a54-4aa4-910b-d6d335668969}<br
/> Internet connection: Connects to &#8220;config.ravenbleu.com&#8221; on port 80.<br
/> Internet connection: Connects to &#8220;downloads.ravenbleu.com&#8221; on port 80.<br
/> Internet connection: Connects to &#8220;files.freeflixapp.net&#8221; on port 80.<br
/> Internet connection: Connects to &#8220;jookz.com&#8221; on port 80.<br
/> Internet connection: Connects to &#8220;te.ravenbleu.com&#8221; on port 80.<br
/> Internet connection: Connects to &#8220;tei.ravenbleu.com&#8221; on port 80.<br
/> Internet connection: Connects to &#8220;toolbaroptions.com&#8221; on port 80.<br
/> Internet connection: Connects to &#8220;upgrade.jookz.com&#8221; on port 80.<br
/> Listed all entry names in a remote access phone book<br
/> Localhost connection: Connects to &#8220;127.0.0.1&#8221; on port 2019.</p><p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;</p><p>Opened a service named: BasicScan Service<br
/> Opened a service named: LanmanServer<br
/> Opened a service named: Mp3Tube Toolbar Service<br
/> Opened a service named: RASMAN<br
/> Opened a service named: Sens<br
/> Opened a service named: WinDefend</p></blockquote><p>Among the folders it creates, the installer adds two sub-folders under <em>Program Files</em>: <em>BasicScan</em> and <em>MP3Tube Toolbar</em>.</p><p>The <em>BasicScan</em> folder contains three files:</p><ul><li><em>basicscan.exe</em></li></ul><p>MD5 545D831AEAB423AFCFDED91E1B3C6C82</p><ul><li><em>basicscan.dll</em></li></ul><p>MD5 3D5327B5F9FBA95ABDE3021CE33EBB69</p><ul><li><em>uninstaller.exe</em></li></ul><p>MD5 FF2284EC3E5422D3A58EDB11B0B1A5C4</p><p>The VirusTotal scan result for <em>basicscan.exe</em>, available <a
href="https://www.virustotal.com/file/2dedd1fb6ab9c4b3f48d1ce3a9f914663ddb1d3f7c6382e850809619208c946b/analysis/1332535373/">here</a>, shows a detection ratio of 3/41; it is detected as <strong>Win32:Zwangi-DQ [PUP]</strong>, <strong>Skodna.Generic_r.E</strong> or <strong>Adware.OneStep</strong>.</p><p>The results for <em>basicscan.dll</em> are <a
href="https://www.virustotal.com/file/a9b50f6818f6291dfe0797374a33fbbe22176e38cdb0fc70b2aceef654ad564e/analysis/1332535853/">here</a> and show a detection ratio of 11/43, predominantly as <strong>BHO.Win32.Zwangi!IK</strong>.</p><p>Zwangi shows up in the detections for both files; searching for it we find:</p><p>From the <a
href="http://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=BrowserModifier%3AWin32%2FZwangi">microsoft.com</a> website:</p><blockquote><p> BrowserModifier:Win32/Zwangi is the detection for a program that runs as a service in the background and modifies Internet browser search functionality.</p></blockquote><p>From <a
href="http://en.wikipedia.org/wiki/Zwangi">wikipedia.org</a>:</p><blockquote><p> Win32/Zwangi is a malware program that infects Windows computers. It is also known as <strong>Spyware.Screenspy</strong>, Mal/BHO-S, and Seekapp. The program redirects URLs typed into the browser&#8217;s address bar to a search page at www.zwangi.com, and may also take screenshots without permission.</p></blockquote><p>Enough said, I think: this is clearly malware, even if several engines only flag it as a PUP. I will end here; this article is already too long. Looking back, we understand that by forcing users to download its &#8220;download manager&#8221;, the <strong>http://fileze.com</strong> file sharing website is in fact spreading malware and acts as a mass infection system.</p><p>Do you want to keep your computer clean of malware? Then never install bundled additional software, dubious toolbars and downloaders, or allegedly required video codecs. There are countless malicious people making great efforts to compromise your computer and use it as a zombie for their nefarious purposes, to steal your account credentials and empty your bank account, or at the very least to forcibly serve you advertisements. Behind all of this is always greed.</p><p>Keep safe!</p> ]]></content:encoded> <wfw:commentRss>http://cleanbytes.net/a-mass-infection-system-or-a-file-sharing-website-fileze-com/feed</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Critical Windows bug&#8230;</title><link>http://cleanbytes.net/critical-windows-bug</link> <comments>http://cleanbytes.net/critical-windows-bug#comments</comments> <pubDate>Wed, 14 Mar 2012 03:47:43 +0000</pubDate> <dc:creator>Slippery Slim</dc:creator> <category><![CDATA[Breaking News]]></category> <guid
isPermaLink="false">http://cleanbytes.net/?p=1896</guid> <description><![CDATA[Critical Windows bug could make worm meat of millions of high-value machines Microsoft has plugged a critical hole in all supported versions of Windows that allows attackers to hit high-value computers with self-replicating attacks that install malicious code with no user interaction required. The vulnerability in the Remote Desktop Protocol is of particular concern to [...]]]></description> <content:encoded><![CDATA[<p><strong>Critical Windows bug could make worm meat of millions of high-value machines</strong></p><blockquote><p>Microsoft has plugged a critical hole in all supported versions of Windows that allows attackers to hit high-value computers with self-replicating attacks that install malicious code with no user interaction required.</p><p>The vulnerability in the Remote Desktop Protocol is of particular concern to system administrators in government and corporate settings because they often use the feature to remotely trouble-shoot e-mail servers, point-of-sale terminals and other machines when they experience problems. RDP is also the default way to manage Windows machines that connect to Amazon&#8217;s EC2 and other cloud services. That means potentially millions of endpoints are at risk of being hit by a powerful computer worm that spreads exponentially, similarly to the way exploits known as Nimda and Code Red did in 2001.</p></blockquote><p><a
href="http://arstechnica.com/business/news/2012/03/remote-desktop-bug-in-windows-makes-worm-meat-of-high-value-machines.ars"> Source </a></p><p>Well, here&#8217;s one that isn&#8217;t out in the wild yet. Microsoft expects working exploit code to appear within 30 days. If you are running a server, get patched quickly. If for some reason you can&#8217;t update right away, then turn on Network Level Authentication (NLA): it forces the client to authenticate before a full RDP session is set up, so an attacker would need valid credentials to reach the vulnerable code path. And if RDP does not need to be reachable from the Internet, block TCP port 3389 at the firewall. Both are stop-gaps, not a fix; patch as soon as you can.</p><p>The security patch came out last Tuesday.</p><p>There will be a bunch of people who don&#8217;t get the word and don&#8217;t update, no matter how it is put out. So it&#8217;s a sure bet the malware code will be written and some will be compromised. Make sure you&#8217;re not one of them.</p> ]]></content:encoded> <wfw:commentRss>http://cleanbytes.net/critical-windows-bug/feed</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>DNSChanger trojan &#8212; the scam</title><link>http://cleanbytes.net/dnschanger-trojan-the-scam</link> <comments>http://cleanbytes.net/dnschanger-trojan-the-scam#comments</comments> <pubDate>Thu, 08 Mar 2012 22:03:53 +0000</pubDate> <dc:creator>John Barrett</dc:creator> <category><![CDATA[Breaking News]]></category> <guid
isPermaLink="false">http://cleanbytes.net/?p=1868</guid> <description><![CDATA[I don&#8217;t know many malware able to give so many headaches as DNSChanger trojan. Briefly, beginning with 2007 year a cyber crime group based in Estonia, a former Soviet republic, starts to spread a malware called DNSChanger sniffing some financial gains. The spreading process started by tricking the unaware users to download and run a [...]]]></description> <content:encoded><![CDATA[<p>I don&#8217;t know of many malware families able to give as many headaches as the <em>DNSChanger</em> trojan.</p><p>Briefly: beginning in 2007, a cyber crime group based in Estonia, a former Soviet republic, started spreading a piece of malware called DNSChanger in pursuit of financial gain. The spreading process started by tricking unaware users into downloading and running a (fake, of course) video codec or a special web browser (NetBrowserPro) supposedly needed to watch online porn movies. Once a computer is infected, the malware tries to change the DNS settings of the compromised system and of home or small-office routers whose default username and password have not been changed. Variants were created for both Windows and Mac OS X; here is the <a
href="http://isc.sans.edu/diary.html?storyid=3595">first report</a>, from 2007, about the malware infecting Macs.</p><p>DNS (Domain Name System) translates domain names (website names) into the IP addresses computers use to connect to each other. The DNS service is maintained by DNS servers that store the mapping between domains and their IP addresses, so the first thing a computer does when it tries to reach a website is ask its DNS servers for the site&#8217;s IP address. Each computer or router stores the IPs of a few DNS servers for this purpose; obviously, replacing the legitimate DNS server IPs with malicious ones managed by cybercriminals lets them alter the whole web browsing experience, and changing them on the router affects every device behind it.</p><p>In our case the DNS servers used by DNSChanger redirected users to malicious websites, served them modified search engine results favoring websites with rogue software offers in nefarious advertising campaigns, blocked security companies&#8217; websites so that antivirus updates became impossible, and so on.</p><p>The DNSChanger trojan was quickly improved, the newer variants gaining <em>rootkit features</em> and extending the infection chain down to the MBR (Master Boot Record, the first code that runs when the computer boots) in order to hide their presence on the system and make disinfection very difficult.</p><p>In November 2011, after two years<strong> !?!</strong> of investigation, the FBI arrested and charged the heads of this criminal operation, six Estonian men, in the so-called <a
href="http://www.fbi.gov/news/stories/2011/november/malware_110911">Operation Ghost Click</a>. Because at that date there were millions of infected computers worldwide, an estimated 500,000 of them in the United States, including machines at half of the Fortune 500 companies and at some major US government agencies, the FBI&#8217;s &#8220;quick fix&#8221; was to stand up legitimate DNS servers on the very IP addresses the criminals had used, so that the browsing experience of infected users went back to normal. It is important to mention that this &#8220;quick fix&#8221; replacement of the DNS servers was ordered by a federal court as a temporary solution, to give the victims enough time to disinfect their computers and restore the original DNS settings.</p><p>Though the federal court had decided to keep the temporary DNS servers up until March 8th, a US District Court (New York) extended the deadline on March 5th to July 9th, roughly 120 days more. The reason? Obviously, the victims, among them Fortune 500 companies and US government agencies, shamefully failed to disinfect their computers.</p><p>OK, this is the story, but where is the scam? Any major event in this world (remember the Japan earthquake or Royal Wedding scams?) feeds the scammers, and the DNSChanger deadline is no exception. One of my collaborators told me about an email he received, apparently sent by the Comcast ISP:</p><blockquote><p>Dear Comcast user,</p><p>Our logs show unusual traffic generated by devices at your IP address. 
The DNS requests generated by your IP address are a sign of computer infection with Alureon (aka DNSChanger) malware and we urge you to take immediate action to disinfect your computer(s) from your network, otherwise we are forced to shut down the Internet service for you.</p><p>We recommend using the official tool provided in the attachment to remove the computer infection and restore the legitimate DNS settings.</p><p>Comcast Support Team</p></blockquote><p>The weird coincidence is that my collaborator is indeed a Comcast customer, but he is aware of the DNSChanger infections and had previously checked his network (a wireless router, a desktop computer and a laptop) for malicious DNS settings and found none.</p><p>Because the email looked suspicious to him, my collaborator went further with the investigation and downloaded the attachment, at which moment his antivirus raised a big red alert, detecting a variant of <a
href="http://en.wikipedia.org/wiki/Zlob_trojan">the Zlob</a> trojan, the family under which DNSChanger variants are commonly detected. Ironically, someone with a presumably clean computer who is tricked by such a scam email may end up infecting his computer himself. Of course, checking the email headers reveals the real sender, which in our case obviously was not the Comcast internet provider. The email did, however, carry the Comcast logo in the upper left corner to deceive users.</p><p>What does a legitimate Comcast email about a DNSChanger infection look like? Here it is:</p><div
id="attachment_1890" class="wp-caption alignnone" style="width: 564px"><a
href="http://cleanbytes.net/wp-content/uploads/2012/03/comcast-email_dnschanger-infection.png"><img
class="size-full wp-image-1890" title="comcast email_dnschanger infection" src="http://cleanbytes.net/wp-content/uploads/2012/03/comcast-email_dnschanger-infection.png" alt="comcast email_dnschanger infection" width="554" height="347" /></a><p
class="wp-caption-text">comcast email_dnschanger infection</p></div><p>Be aware of these scam emails, which have started circulating, and always check the real sender carefully before acting on a message. If an email contains a link, hovering the mouse over it reveals the real target address in the browser&#8217;s status bar; a target that does not match the sender&#8217;s domain is a red flag. Use only the legitimate websites to check your DNS settings. What should you do if you are infected with DNSChanger? If you are unsure, the best option is to ask an expert, but don&#8217;t hurry to pay anyone. If you are well informed, you can perform the disinfection yourself.</p><p>Very important: correcting your DNS settings does not remove the infection, so a proper malware removal is still needed afterwards, and the router&#8217;s DNS settings must be checked and restored as well if they were changed.</p><p><strong>The Offending Netblocks (rogue DNS servers):</strong></p><blockquote><p>85.255.112.0 through 85.255.127.255<br
/> 67.210.0.0 through 67.210.15.255<br
/> 93.188.160.0 through 93.188.167.255<br
/> 77.67.83.0 through 77.67.83.255<br
/> 213.109.64.0 through 213.109.79.255<br
/> 64.28.176.0 through 64.28.191.255</p></blockquote><p><strong>DNSChanger related useful links:</strong></p><p>&#8211;FBI article related to Operation Ghost Click and DNSChanger malware:</p><p><a
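></a></p>
<p>As an added example, not part of the original post: the following Python script checks a machine&#8217;s resolver addresses against the six netblocks listed above. It parses either Windows <code>ipconfig /all</code> output or a Linux <code>/etc/resolv.conf</code> and reports any resolver that falls inside a rogue range. The <code>ipconfig</code> and <code>resolv.conf</code> samples embedded in it are constructed for the demo.</p>

```python
"""Check DNS resolver addresses against the DNSChanger rogue netblocks.

Added example, not code from the original post.  The six ranges below are
the ones listed in the post; the ipconfig /all and resolv.conf samples
further down are constructed for the demo.
"""
import ipaddress
import re

# The rogue DNS server ranges from the post (inclusive start/end pairs).
ROGUE_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]

# Collapse each start/end pair into CIDR blocks so membership tests are cheap.
ROGUE_NETWORKS = [
    net
    for start, end in ROGUE_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(start), ipaddress.IPv4Address(end))
]

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# A continuation line in `ipconfig /all` output is whitespace plus a single token.
CONTINUATION_RE = re.compile(r"^\s+\S+\s*$")


def is_rogue_resolver(ip):
    """True if `ip` lies inside one of the DNSChanger netblocks.

    IPv6 addresses and unparsable strings are never rogue here, because the
    published ranges are all IPv4.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ROGUE_NETWORKS)


def resolvers_from_ipconfig(text):
    """Extract IPv4 DNS server entries from Windows `ipconfig /all` output.

    The first address sits on the 'DNS Servers' label line; further addresses
    follow on indented continuation lines that hold nothing else.
    """
    found = []
    in_dns_block = False
    for line in text.splitlines():
        if "DNS Servers" in line:
            in_dns_block = True
            found.extend(IPV4_RE.findall(line))
        elif in_dns_block and CONTINUATION_RE.match(line):
            # An IPv6 entry on a continuation line yields nothing but keeps the block open.
            found.extend(IPV4_RE.findall(line))
        else:
            in_dns_block = False
    return found


def resolvers_from_resolv_conf(text):
    """Extract nameserver entries from /etc/resolv.conf-style text."""
    found = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop trailing comments
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.append(parts[1])
    return found


def rogue_resolvers(ips):
    """Return the subset of `ips` that point at DNSChanger infrastructure."""
    return [ip for ip in ips if is_rogue_resolver(ip)]


# Constructed sample: a Windows host whose second resolver was changed.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home
   IPv4 Address. . . . . . . . . . . : 192.168.1.10
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       85.255.112.36
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Constructed sample: a Linux host with one rogue and one clean resolver.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home
nameserver 67.210.3.9   # pushed by the router
nameserver 8.8.8.8
"""

if __name__ == "__main__":
    for label, ips in (("ipconfig", resolvers_from_ipconfig(SAMPLE_IPCONFIG)),
                       ("resolv.conf", resolvers_from_resolv_conf(SAMPLE_RESOLV_CONF))):
        bad = rogue_resolvers(ips)
        print(f"{label}: resolvers {ips} -> rogue {bad or 'none'}")
```

<p>Run it as-is to see the constructed samples checked; to test a real machine, feed the output of <code>ipconfig /all</code> (or the contents of <code>/etc/resolv.conf</code>) to the matching function. Note that a PC whose only resolver is the router address (192.168.1.1 in the sample) looks clean to this check even when the router itself forwards to a rogue server, so the router&#8217;s DNS settings have to be checked the same way.</p>
<p><a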
href="http://www.fbi.gov/news/stories/2011/november/malware_110911"> http://www.fbi.gov/news/stories/2011/november/malware_110911</a></p><p><a
href="http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf"> http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf</a></p><p>&#8211;DNSChanger Working Group:</p><p><a
href="http://dcwg.org/cleanup.html"> http://dcwg.org/cleanup.html</a></p><p>&#8211;Kaspersky DNSChanger removal tool(TDSSKiller):</p><p><a
href="http://support.kaspersky.com/faq/?qid=208283363"> http://support.kaspersky.com/faq/?qid=208283363</a></p><p>&#8211;Avira DNS Repair-Tool:</p><p><a
href="http://www.avira.com/en/support-for-home-knowledgebase-detail/kbid/1199"> http://www.avira.com/en/support-for-home-knowledgebase-detail/kbid/1199</a></p><p>&#8211;Trojan:W32/DNSChanger details:</p><p><a
href="http://www.f-secure.com/v-descs/dnschang.shtml"> http://www.f-secure.com/v-descs/dnschang.shtml</a></p><p><a
href="http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=DNSchanger&amp;showall=true&amp;CBF=true&amp;sortby=relevance&amp;sortdir=desc&amp;size=10&amp;page=5"> http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=DNSchanger&amp;showall=true&amp;CBF=true&amp;sortby=relevance&amp;sortdir=desc&amp;size=10&amp;page=5</a></p><p>&#8211;Very detailed article about DNSChanger malware:</p><p><a
href="http://www.publicsafety.gc.ca/prg/em/ccirc/2011/in11-002-eng.aspx"> http://www.publicsafety.gc.ca/prg/em/ccirc/2011/in11-002-eng.aspx</a></p><p>&#8211;Check your DNS settings online:</p><p><a
href="http://www.dns-ok.us/">http://www.dns-ok.us/</a></p><p><a
href="http://www.dns-ok.ca/">http://www.dns-ok.ca/</a></p><p><a
href="http://www.dns-ok.de/">http://www.dns-ok.de/</a></p><p>&#8211;DNSChanger on Mac( Published: 2007-11-01):</p><p><a
href="http://isc.sans.edu/diary.html?storyid=3595">http://isc.sans.edu/diary.html?storyid=3595</a></p><p>&#8211;DNSChanger removal tool for Mac:</p><p><a
href="http://www.dnschanger.com/">http://www.dnschanger.com/ </a></p><p>&#8211; How the malware spreading started:</p><p><a
href="http://news.cnet.com/8301-10784_3-6171460-7.html?part=rss&amp;tag=2547-1_3-0-20&amp;subj=news">http://news.cnet.com/8301-10784_3-6171460-7.html?part=rss&amp;tag=2547-1_3-0-20&amp;subj=news </a></p><p>Keep safe!</p> ]]></content:encoded> <wfw:commentRss>http://cleanbytes.net/dnschanger-trojan-the-scam/feed</wfw:commentRss> <slash:comments>2</slash:comments> </item> <item><title>Nortel hit by suspected Chinese cyberattacks for a decade</title><link>http://cleanbytes.net/nortel-hit-by-suspected-chinese-cyberattacks-for-a-decade</link> <comments>http://cleanbytes.net/nortel-hit-by-suspected-chinese-cyberattacks-for-a-decade#comments</comments> <pubDate>Tue, 14 Feb 2012 22:19:44 +0000</pubDate> <dc:creator>Slippery Slim</dc:creator> <category><![CDATA[Breaking News]]></category> <guid
isPermaLink="false">http://cleanbytes.net/?p=1865</guid> <description><![CDATA[Nortel hit by suspected Chinese cyberattacks for a decade The hackers – who appeared to be based in China – had unfettered access to the former telecommunications giant as far back as 2000, according to Brian Shields, a former Nortel employee who launched an internal investigation of the attacks, the Wall Street Journal reports. They [...]]]></description> <content:encoded><![CDATA[<p><strong>Nortel hit by suspected Chinese cyberattacks for a decade</strong></p><blockquote><p>The hackers – who appeared to be based in China – had unfettered access to the former telecommunications giant as far back as 2000, according to Brian Shields, a former Nortel employee who launched an internal investigation of the attacks, the Wall Street Journal reports. They “had access to everything”, Shields told the Journal. “They had plenty of time. All they had to do was figure out what they wanted.”</p></blockquote><p><a
href="http://www.cbc.ca/news/business/story/2012/02/14/nortel-chinese-hackers.html"> Source </a></p><p>A decade ago, the Chinese were stepping up their internet attacks as a way to steal patented technology and insider information, to sabotage industry, and to steal research. Here it appears we had a company that knew of the espionage yet did nothing to fix it, repair it, or notify anyone of the issue. It again reflects a common belief I&#8217;ve had for a long time that the only one who will protect your security is you.</p><p>There are some things you don&#8217;t put on the internet. If you don&#8217;t put them there, you can&#8217;t have the data stolen&#8230;or at least not from you. Things you put on the internet that could have repercussions, you handle in other ways than sending in the clear.</p><p>It would do no hacker any good to seek access to my computer for financial info. None resides on it. They can search all they want; nothing is there in personal records. You won&#8217;t find tax data, credit card data, passwords to accounts, nothing personal like emails to family. I simply use this computer for internet surfing, and that makes it not secure. Because it sees the internet, nothing will ever go on it allowing anyone access to my financial data.</p><p>On the business front, lots of things have happened with the Chinese and security. It has become known that the Chinese seek insider info on all things. No traveler to China can expect to bring a cell phone or laptop computer and have it survive the trip without being infected once it is used. That is simply too many incidents for it not to have the permission and blessing of the Chinese government.</p><p>Today all business reps who go to China are admonished by the home office not to bring a cell phone they use regularly, nor a laptop. For the cell phone, either buy one there and destroy it before coming home; for the laptop, wipe it completely and weigh it coming and going from China. 
Any cell phones and laptops carried along are to be wiped before going and after returning, without ever being connected to the company intranet.</p><p>In 2010 the US Chamber of Commerce found that it had been infiltrated so thoroughly that a thermostat and a printer on its network were connecting to Chinese IPs.</p><blockquote><p>The Chamber&#8217;s network is now believed to be secure. After analyzing how the hackers were gaining access to information, the Chamber spent 36 hours over one weekend destroying computers and dramatically improving its security. The timing on the overhaul was planned after the Chamber discovered the hackers kept regular working hours and did not work on weekends.</p></blockquote><p><a
href="http://news.cnet.com/8301-13506_3-57346035-17/chinese-hackers-target-u.s-chamber-of-commerce-report-says/"> Source </a></p><p>When hacking and espionage reach these levels of penetration, with this many massive, invasive infections of travelers, it&#8217;s not by accident. It&#8217;s a government-sponsored and government-run program, reaching all levels of tourism and business in its scope.</p> ]]></content:encoded> <wfw:commentRss>http://cleanbytes.net/nortel-hit-by-suspected-chinese-cyberattacks-for-a-decade/feed</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Wrestling with Online Privacy &#8211; Frugal Dad Infographic</title><link>http://cleanbytes.net/wrestling-with-online-privacy-frugal-dad-infographic</link> <comments>http://cleanbytes.net/wrestling-with-online-privacy-frugal-dad-infographic#comments</comments> <pubDate>Fri, 10 Feb 2012 18:40:44 +0000</pubDate> <dc:creator>John Barrett</dc:creator> <category><![CDATA[General Tips]]></category> <guid
isPermaLink="false">http://cleanbytes.net/?p=1861</guid> <description><![CDATA[I have received an email about an infographic related to online privacy threats and released by frugaldad.com, it shares in an easy to understand way the best tips for keeping users safe online. The graphic says it all, no more need of comments. &#160; &#160; Source: frugaldad.com]]></description> <content:encoded><![CDATA[<p>I have received an email about an infographic related to online privacy threats and released by frugaldad.com, it shares in an easy to understand way the best tips for keeping users safe online. The graphic says it all, no more need of comments.</p><p>&nbsp;</p><p><a
href="http://frugaldad.com/norton/"><img
class="alignnone" title="OnlinePrivacy" src="http://fdcdn.s3.amazonaws.com/wp-content/uploads/2012/02/120206OnlinePrivacy.jpg" alt="norton" width="800" height="13700" /></a></p><p>&nbsp;</p><p>Source: <a
href="http://frugaldad.com">frugaldad.com</a></p> ]]></content:encoded> <wfw:commentRss>http://cleanbytes.net/wrestling-with-online-privacy-frugal-dad-infographic/feed</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Facebook malware scam takes hold</title><link>http://cleanbytes.net/facebook-malware-scam-takes-hold</link> <comments>http://cleanbytes.net/facebook-malware-scam-takes-hold#comments</comments> <pubDate>Mon, 06 Feb 2012 05:42:17 +0000</pubDate> <dc:creator>Slippery Slim</dc:creator> <category><![CDATA[Breaking News]]></category> <guid
isPermaLink="false">http://cleanbytes.net/?p=1856</guid> <description><![CDATA[Facebook malware scam takes hold A &#8220;worrying number&#8221; of Facebook users are sharing a link to a malware-laden fake CNN news page reporting the U.S. has attacked Iran and Saudi Arabia, security firm Sophos said Friday. If users who follow the link then click to play what purports to be video coverage of the attack, [...]]]></description> <content:encoded><![CDATA[<p><strong>Facebook malware scam takes hold</strong></p><blockquote><p>A &#8220;worrying number&#8221; of Facebook users are sharing a link to a malware-laden fake CNN news page reporting the U.S. has attacked Iran and Saudi Arabia, security firm Sophos said Friday.</p><p>If users who follow the link then click to play what purports to be video coverage of the attack, they are prompted to update their Adobe Flash player with a pop-up window that looks very much like the real thing. Those who accept the prompt unwittingly install malware on their computers.</p></blockquote><p><a
href="http://www.itworld.com/saas/247206/facebook-malware-scam-takes-hold"> Source </a></p><p>Malware writers go where the crowds are. It&#8217;s always been so, and it is one reason why Linux has far less to worry about than Windows. Microsoft has been slowly tightening the security of the OS: not to where nothing can get in, but making it ever harder for malware to get a foothold. The user has to OK the installation.</p><p>They&#8217;ve been getting better at social engineering, at the appealing hook that gets you to click on the link or run an update.</p><p>I am surprised that Adobe Flash is still the weak link. For years now, Adobe seems to continually win the title of most vulnerable software. I know at one time they tried to address this, but it looks as if it&#8217;s been left to the users to get around it by OK-ing such installs.</p><p>Then too, I&#8217;m still amazed that the computing public hasn&#8217;t learned to be doubtful of strange installs. Being a sucker has played a big part in helping malware spread.</p><p>I no longer use Adobe&#8217;s PDF reader. It&#8217;s too subject to the next attack. Flash is usually disabled by NoScript, and I&#8217;m not a big fan of allowing it to run. Missing something in a Flash movie isn&#8217;t the end of the world. You just have to know how to say no.</p><p>The scam of telling you that you have malware, and here&#8217;s where you pay to get rid of it, seems industry-wide. Even the legitimate antivirus businesses use a version of it: the trial version applies very broad definitions of what counts as malware. They always tend to find something, even if you ran an antivirus scan just before installing the trial version.</p><p>Well, I guess you live and learn, but sometimes learning can be painful to the wallet.</p> ]]></content:encoded> <wfw:commentRss>http://cleanbytes.net/facebook-malware-scam-takes-hold/feed</wfw:commentRss> <slash:comments>1</slash:comments> </item> </channel> </rss>
