
Programmable Logic DesignLine Blog


Yet another threat to your PC, but this one looks to be real...

Clive Maxfield

5/1/2012 10:21 AM EDT

I'm so used to receiving fake "doom and gloom" emails from family, friends, and colleagues who have just been caught up in the "Internet threat du jour" that it comes as something of a surprise to run across a real, legitimate menace...

I tell you, I'm becoming very suspicious these days. You really have to be distrustful because the "bad guys" are becoming more and more subtle. For example, I immediately trash any "Your PayPal account has been limited" type messages without even thinking about it, but I was almost caught by a Phishing scam a couple of weeks ago.

The message in question seemed so "real" and "non-threatening." It was addressed to me personally. It explained that they were a charity who simply collects secondhand (but still serviceable) socks and distributes them to the homeless. It also noted that they were just starting to move into my area (and they named it), and it said that they would be working hand-in-hand with my local homeless shelter (and named that).

Since I actually contribute to the homeless shelter in question, I assumed that this was where the originators of this email had gotten my name, and I was just about to click on the link that purported to lead to a "Serviceable Socks" subpage (or something like that) on the local charity website when I thought to myself "Just a moment, let's not rush into anything here." So I looked at the source code for the HTML message and checked the actual hyperlink, which turned out to be nothing like what it was supposed to be.

Based on experiences like this, you can imagine my thoughts when I received an email that seemed to come from someone I know saying "Your computer may be infected and you may lose your Internet connection this summer." The first thing I did was bounce over to Snopes.com, which bills itself as "The definitive Internet reference source for urban legends, folklore, myths, rumors, and misinformation." Actually, the folks at Snopes deserve to strut their stuff a bit, because they do provide a valuable service (along with some annoying pop-up adverts).

When I ran my search on Snopes I was expecting to find the usual "False" report on this threat, but instead I was taken to their In the News page, where I found a brief spiel and a link to an article on PCMag.com titled "Avoid Internet Doomsday: Check for DNSChanger Malware Now."

Searching further, I found versions of this article all over the Internet, including one on the Denver Post website. The story in a nutshell is that a team of international hackers ran an online advertising scam to take control of infected computers. As part of this, they downloaded malicious software onto 500,000+ computers running Microsoft Windows around the world. In addition to disabling antivirus updates, this malware changed the way the computers resolve website addresses (their DNS settings), thereby allowing the attackers to redirect computers to fraudulent versions of any website.

The good news is that the folks at the FBI caught the bad guys and put their own servers in place. What this means is that if your machine is infected, it might go a bit slower than usual (because your requests first bounce off the FBI servers), but you aren’t in any danger per se. The bad news is that the FBI are going to turn these servers off on 9 July 2012, at which time infected computers won’t be able to connect to the Internet. (I don’t know about you, but this would be a real bummer for me, because I rely on the Internet to get anything done).

But how do you know if your machine has been infected? Well, the FBI has a security partner at DCWG.org. If you visit this site, the first things you see are Detect and Fix buttons. If you click the Detect button you are taken to another page, which has links for different languages. I clicked the English link www.dns-ok.us and was rewarded with the following image informing me that my machine was OK.


I really like this because it's nice and simple. Had my machine been infected, the image background would have been in red, in which case I would have returned to the DCWG.org home page and clicked the Fix button.

I particularly like the fact that they've added "DNS Resolution = Green" under the image, because this means that they have a clue and the site also works for users who are red/green color blind.

Of course, when you see something like this, you always have a niggling worry in the back of your mind that it could itself be a Phishing scam...






Max the Magnificent

5/1/2012 10:37 AM EDT

If you use this utility and find your PC to be infected, it would be great if you could post a comment here (or email me at max@CliveMaxfield.com) to let me know that this column did some good.

I'd also be interested to know what the "Fix" button does if you use it when your machine is infected.




Duane Benson

5/1/2012 11:49 AM EDT

My computer here at the office came back green. I'll have to check out my home computer after work today too.

As cautious as I am, I sometimes almost get caught in these things too. A while ago I received an email from someone I know with the subject "Hey." I've been known to use that or a similar subject in emails to friends and family that don't have any particular subject in them, so I opened it without a second thought. I didn't click on the link in it though. I was at least that smart.




David Ashton

5/1/2012 7:04 PM EDT

Mine was OK, thank heavens. Thanks for that, Max. It'll be interesting to see if anyone does have it.

FYI you don't need to go to the source code to check out links, just hover your mouse over them and down the bottom left of your IE window you will see the address it points to. Works in Google Chrome as well but I can't speak for other browsers.

And yeah, Snopes.com is GREAT for debunking scare messages and other wild claims.




Brian @ BDH

5/2/2012 1:14 AM EDT

Hi Max,

Your column was helpful as was the DCWG site. My machine is 'green & clean' as it were...

In a mad rush to blaze through a bunch of emails a couple of years ago, I too clicked a nasty-gram/scam email claiming to be from "Quickbooks". Luckily, I was able to use a restore point and I was back in action fairly quickly. However, since that event I use the "mouse hover" method that David mentions to check out links in all emails before clicking. (It works in email applications as well as browsers.)

Thanks, Brian




BGEMC

5/2/2012 7:33 AM EDT

We may well fear the day that a smarter bunch of criminals will come up with the idea of, first, introducing a fake real threat like the DNS changer and then coming up with a solution that's even worse. Maybe they already have ;-)




K1200LT Rider

5/3/2012 8:56 AM EDT

I didn't see any mention about whether or not the well-known malware/anti-virus/security packages will catch this. I find it hard to believe that they wouldn't, right?




K1200LT Rider

5/3/2012 8:58 AM EDT

I just saw it after reading it again.




derooney

5/4/2012 1:16 PM EDT

So from now on, if I'm going to redirect someone's DNS requests to my bogus server, isn't the first thing I do to redirect any DNS queries for www.dns-ok.us to this nice green picture? They caught this bunch, but who is to say, even now, that this test is not producing a fake result?




Max the Magnificent

5/4/2012 1:42 PM EDT

True, but following this rabbit down the hole leads to madness...




RogerC

5/4/2012 3:07 PM EDT

Some of the articles mentioned and linked above give an alternative method of determining whether your computer has been hijacked (basically using ipconfig to examine your DNS server settings). This is more reliable (given the threat mentioned by derooney) but not as simple to perform for most people.

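The ipconfig check RogerC describes, as an added example that is not from the original post or any commenter: a Python script that pulls the configured resolvers out of `ipconfig /all` output and compares them against a list of suspect resolver ranges. The sample output and the suspect ranges are constructed placeholders (TEST-NET blocks), not the real DNSChanger ranges, which would have to be taken from the FBI/DCWG publications. Because it reads local settings rather than resolving a name, the result does not depend on the resolver answering honestly, which is the weakness derooney points out in the dns-ok.us test.

```python
import ipaddress
import re

# Constructed `ipconfig /all` excerpt (not a capture from a real machine);
# the addresses are documentation/test ranges chosen for this example.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.lan
   IPv4 Address. . . . . . . . . . . : 10.0.0.23
   Default Gateway . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 192.0.2.10
                                       203.0.113.53
                                       fec0:0:0:ffff::1%1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Placeholder "rogue resolver" ranges (TEST-NET blocks, constructed for this
# example). A real check would use the ranges published for the DNSChanger case.
SUSPECT_RANGES = [ipaddress.ip_network("192.0.2.0/24"),
                  ipaddress.ip_network("198.51.100.0/24")]

DNS_FIELD = re.compile(r"^\s*DNS Servers[ .]*:\s*(\S+)?\s*$")


def parse_dns_servers(ipconfig_output):
    """Return every DNS server address listed in `ipconfig /all` output.

    The first address sits on the 'DNS Servers' line; further servers follow on
    indented continuation lines with no ' : ' field separator. IPv6 zone ids
    such as '%1' are stripped; tokens that are not addresses are skipped.
    """
    servers, collecting = [], False
    for line in ipconfig_output.splitlines():
        m = DNS_FIELD.match(line)
        if m:
            collecting, token = True, m.group(1)
        elif collecting and line.strip() and " : " not in line and not line.endswith(":"):
            token = line.strip()
        else:
            collecting = False
            continue
        if token:
            try:
                servers.append(str(ipaddress.ip_address(token.split("%")[0])))
            except ValueError:
                pass  # a hostname or garbage, not a resolver address
    return servers


def classify_resolvers(servers, suspect_ranges=SUSPECT_RANGES):
    """Map each resolver address to True if it lies inside a suspect range."""
    return {s: any(ipaddress.ip_address(s) in net for net in suspect_ranges)
            for s in servers}


def looks_hijacked(ipconfig_output, suspect_ranges=SUSPECT_RANGES):
    """True if any configured resolver falls inside a suspect range."""
    resolvers = parse_dns_servers(ipconfig_output)
    return any(classify_resolvers(resolvers, suspect_ranges).values())
```

On a real Windows machine the input would be the captured text of `ipconfig /all`; a DHCP-assigned router address showing up as the only resolver means the router's own settings must be checked the same way.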



Work to Ride comma Ride to Work

5/8/2012 12:16 PM EDT

I was suspicious as well when I first learned about this threat so I went to www.FBI.gov and drilled down to the DNSChanger page on their website. I figured it would be difficult to hijack that many pages with "real time" information and updates. Green.




juneb

5/10/2012 2:31 PM EDT

Why is the FBI turning this off in July? Couldn't this be attempted again? Or is it too easy to get caught? My CPU is green, and thanks for the article.




Max the Magnificent

5/10/2012 4:36 PM EDT

My understanding is that the current FBI servers address a particular hijack scam / gang / whatever .... so if some other gang set something similar up, that new scam wouldn't go to these servers.



