From: UA Network Managers Discussion [mailto:--------------------] On Behalf Of
Sent: Wednesday, February 01, 2012 7:55 AM
To: ------------------ARIZONA.EDU
Subject: [NETDISCUSS] DNSchanger Malware update
Hello everyone,
I wanted to make you aware of some malware that has infected about 4 million computers worldwide, including several here on campus. The group that initiated this has been caught however there are some lingering effects. The following articles will give you some information you should know in the event your users experience browser issues with going to legitimate sites.
The first one talks about the temp DNS servers that were put in place and when they will be brought down.
http://securitywatch.pcmag.com/malware/293...dark-on-march-8
This article below gives more ways to determine if your users have been affected. If you do find machines that have been infected, please let us know.
Thank you, and good hunting...
~Gil S------
--------------------------------------
Trend Micro and the FBI<http://www.fbi.gov/news/stories/2011/november/malware_110911/malware_110911> are very pleased to announce today the dismantling of a criminal botnet, in what is the biggest cybercriminal takedown in history.
<http://blog.trendmicro.com/esthost-taken-down-%e2%80%93-biggest-cybercriminal-takedown-in-history/>
This concerted action against an entrenched criminal gang is highly significant and represents the biggest cybercriminal takedown in history. Six people have been arrested through multinational law enforcement cooperation based on solid intelligence supplied by Trend Micro and other industry partners. More than 4 million victims in over 100 countries have been rescued from the malign influence of this botnet and an infrastructure of over 100 criminal servers has been dismantled with minimal disruption to the innocent victims.
If you are worried that you might have been a victim of this criminal activity, the FBI have made an online tool available which will allow you to check if your DNS server settings have been tampered with.
First you will need to discover what your current DNS server settings are:
On a PC, open the Start menu by clicking the Start button or the Windows icon in the lower left of your screen, in the Search box type "cmd" and hit return (for Windows 95 users, select "Start", then "Run"). This should open a black window with white text. In this window type "ipconfig /all" and hit return. Look for the entry that reads "DNS Servers" and note down the numeric addresses that are listed there.
On a Mac (yes they can be victims too), click on the Apple icon in the top left of your screen and select "System Preferences", from the Preferences panel select the "Network" icon. Once this window opens, select the currently active network connection on the left column and over on the right select the DNS tab. Note down the addresses of the DNS servers that your computer is configured to use.
You can check to see if these addresses correspond to servers used by the criminals behind Operation Ghost Click by using this online tool provided by the FBI<https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS>, simply enter the IP addresses, one by one and click the "check ip" button.
If you feel that your computer may have been infected, you can visit .... for a free scan and clean-up and notify the FBI by submitting this form<https://forms.fbi.gov/dnsmalware>. You should also contact your Internet Service Provider for advice on restoring your legitimate DNS settings.
Ongoing updates on this threat can be found on our Operation Ghost Click landing page.....
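Editor's note: the check above is described as a manual, one-address-at-a-time procedure. For anyone who has to sweep more than a handful of campus machines, the following is an added example (not part of the list posting or Trend Micro's write-up) that does the same check offline: it parses the text of `ipconfig /all` (Windows) or `scutil --dns` (macOS command-line equivalent of the Network preference pane) and flags any resolver that falls inside the rogue-resolver address ranges the FBI published for the DNSChanger/Rove Digital servers. The address ranges are reproduced from memory of that FBI notice; confirm them against the FBI checker linked above before relying on this copy. The host name and addresses in the sample output are constructed, not captured from any real machine.

```python
"""Flag DNS resolvers that fall in the DNSChanger (Rove Digital) rogue ranges.

Added example, not code from the original posting. Ranges are the ones the FBI
published for Operation Ghost Click (verify against the FBI checker before use).
Usage: python dnschanger_check.py [saved_ipconfig_or_scutil_output.txt]
With no argument the constructed sample below is analysed.
"""
import ipaddress
import re
import sys

# Rogue resolver ranges published by the FBI (assumption: recalled, verify).
ROGUE_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
    "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
    "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
    "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
    "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
    "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
)]

# ipconfig prints "Key . . . . : value"; the key never contains a colon.
KEY_LINE = re.compile(r"^\s*([A-Za-z][^:]*?)[ .]*:\s*(.*)$")
# scutil --dns prints "nameserver[0] : 10.1.1.53" under each resolver block.
SCUTIL_NS = re.compile(r"nameserver\[\d+\]\s*:\s*(\S+)")

# Constructed sample of `ipconfig /all` output (not a real host).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : LAB-PC-07

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.edu
   IPv4 Address. . . . . . . . . . . : 10.1.2.3(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.1.2.1
   DNS Servers . . . . . . . . . . . : 85.255.112.36
                                       10.1.1.53
                                       2001:db8::53
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Constructed sample of `scutil --dns` output (not a real host).
SAMPLE_SCUTIL = """\
DNS configuration

resolver #1
  search domain[0] : example.edu
  nameserver[0] : 64.28.176.1
  nameserver[1] : 10.1.1.53
"""


def _as_address(token):
    """Return an ip_address for a bare token (dropping an IPv6 %scope id), else None."""
    try:
        return ipaddress.ip_address(token.split("%", 1)[0])
    except ValueError:
        return None


def parse_ipconfig_dns(text):
    """Collect DNS server addresses from `ipconfig /all` text.

    The first server is on the 'DNS Servers . . . : x' line; any further
    servers follow on deeply indented continuation lines that carry no key,
    so we keep consuming lines while they parse as a bare address.
    """
    servers, in_dns = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_dns = False
            continue
        if in_dns:
            addr = _as_address(line)
            if addr is not None:
                servers.append(addr)
                continue
            in_dns = False          # a new "Key : value" line ends the list
        m = KEY_LINE.match(raw)
        if m and m.group(1).strip().lower() == "dns servers":
            in_dns = True
            addr = _as_address(m.group(2).strip())
            if addr is not None:
                servers.append(addr)
    return servers


def parse_dns_servers(text):
    """Accept either ipconfig or scutil output; return unique addresses in order."""
    found = parse_ipconfig_dns(text)
    found += [a for a in (_as_address(t) for t in SCUTIL_NS.findall(text)) if a]
    return list(dict.fromkeys(found))


def rogue_resolvers(servers):
    """Return, as strings, the IPv4 resolvers that sit inside a rogue range."""
    return [str(s) for s in servers
            if s.version == 4 and any(s in net for net in ROGUE_RANGES)]


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_IPCONFIG
    servers = parse_dns_servers(text)
    bad = rogue_resolvers(servers)
    for s in servers:
        print(f"{s}\t{'ROGUE (DNSChanger range)' if str(s) in bad else 'ok'}")
    return 1 if bad else 0     # non-zero exit lets a login script flag the host


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Save `ipconfig /all > dns.txt` (or `scutil --dns > dns.txt`) on the suspect machine and run the script against the file; a non-zero exit status means at least one configured resolver is in a rogue range. The parser only recognises the English "DNS Servers" key, so localised Windows builds need that string adjusted, and a machine whose settings were changed at the router rather than on the host will show the rogue address as its gateway's upstream resolver, not in `ipconfig`, so the router's DNS settings should be checked the same way.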