CERT mailing list archives

Current Activity - DNSChanger Malware

From: Current Activity <us-cert () us-cert gov>
Date: Thu, 23 Feb 2012 09:46:48 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

US-CERT Current Activity

DNSChanger Malware

Original release date: February 23, 2012 at 9:27 am
Last revised: February 23, 2012 at 9:27 am


In November 2011, U.S. Federal prosecutors announced Operation Ghost
Click, an investigation that resulted in the arrests of a ring of
seven people who allegedly infected millions of computers and
DNSChanger malware.

The malware may prevent users' anti-virus software from functioning
properly and hijack the domain name system (DNS) on infected systems.
Systems affected by DNS hijacking may send internet requests to a
rogue DNS server rather than a legitimate one.

To prevent millions of Internet users infected with the DNSChanger
malware from losing Internet connectivity when the members of the ring
where arrested, the FBI replaced rogue DNS servers with clean servers.

However, the court order allowing the FBI to provide the clean servers
is set to expire on March 8, 2012. Computers that are infected with
the DNSChanger malware may lose Internet connectivity when these FBI
servers are taken offline.

US-CERT encourages users and administrators to utilize the FBI's rogue
DNS detection tool to ensure their systems are not infected with the
DNSChange malware. Computers testing positive for infection of the
DNSChanger malware will need to be cleaned of the malware to ensure
continued Internet connectivity.

Users and administrators are encouraged to implement the following
preventative measures to protect themselves from malware campaigns:
  * Maintain up-to-date antivirus software.
  * Do not follow unsolicited web links in email messages.
  * Configure your web browser as described in the Securing Your Web
    Browser document.
  * Use caution when opening email attachments. Refer to the Using
    Caution with Email Attachments Cyber Security Tip for more
    information on safely handling email attachments.
  * Implement best security practices as described in the Ten Ways to
    Improve the Security of a New Computer (pdf) document.

Relevant Url(s):
<http://www.us-cert.gov/reading_room/TenWaystoImproveNewComputerSecurity.pdf>

<https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS>

<http://www.us-cert.gov/reading_room/securing_browser/>

<http://www.us-cert.gov/cas/tips/ST04-010.html>

====
This entry is available at
http://www.us-cert.gov/current/index.html#operation_ghost_click_malware

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBT0ZRTj/GkGVXE7GMAQKslwf/ch6J9yJfEFWr0Jq8BueNHYRY53uuia57
w2wbKMDAXQxBfY9vh0kkvSg9biN3iauzff221xQXjard3cHbqlGDkdLeeiPet1RH
sXETsoMZ4DJge9YtsmL7bopWNG5ytiw7Xon0L7d2QXWv3td/Sjrwl2O8ILer4+aC
BkyUE6TvLtYkExFGtq8HW0HOe8kFFGyC/BowfEJIMgQeusmkF3YPcT93r6sJhPzP
U8LX6zQ2aP6olQf19TOrSFmCfXzrQn9L29ML8WraMdnmyh+b6uWofgSf2Gk9A55a
XdDR5IlrP//BRD7PM2RwA0F0PGxfdwuBrEmsGSX8i7VZaABQCMoPDQ==
=L6i2
-----END PGP SIGNATURE-----

Current thread:

Current Activity - DNSChanger Malware Current Activity (Feb 23)
- <Possible follow-ups>
- Current Activity - DNSChanger Malware Current Activity (Mar 07)
- Current Activity - DNSChanger Malware Current Activity (Apr 24)