It is time to run your security software on all of your home and business computers. It appears that a virus has been running rampant on Facebook and in folks' ISPs. I received the email below from Comcast. If you have not updated your security software, now would be an excellent time. FBI officials said 4 million PCs were infected by the DNS Changer used in the operation that was shut down last week.
First, you'll need to determine the IP addresses of the DNS servers your computer is using. The malware affects Macs as well as Windows machines, so check every computer, and the router too.
On a PC, open the Start menu by clicking the Start button or the Windows icon in the lower left of your screen, type "cmd" in the Search box and hit Return (on older versions of Windows that have no Search box, select "Start", then "Run", and type "cmd" there). This opens a black window with white text. In this window type "ipconfig /all" and hit Return. Look for the entry that reads "DNS Servers" and note down the numeric addresses listed there; when more than one server is configured, the extra addresses appear on the indented lines directly below that entry. If the only address listed is your router's own (typically something like 192.168.1.1), your PC is asking the router for DNS, so you must also log into the router and check which DNS servers it is configured to use, because this malware changes router settings as well as PC settings.
On a Mac, click on the Apple icon in the top left of your screen and select "System Preferences", then click the "Network" icon. Select the currently active network connection in the left column, click "Advanced…" on the right, and open the "DNS" tab. Note down the addresses of the DNS servers your computer is configured to use. As on a PC, if the address shown is your router's, check the router's own DNS settings too.
You'll then need to plug those addresses into the FBI's online database of compromised DNS settings to find out whether yours are among them. If they are, the FBI would like you to fill out a victim report. Then run a full virus scan to find and remove the malware, and contact your ISP to restore the correct DNS settings. Change your passwords only after the machine is clean, since a keylogger that is still present would simply capture the new ones.
End users who want to know whether their systems are infected should check the DNS server settings of their operating system and of their routers. A compromised system will be using DNS server addresses inside the ranges the FBI published for the seized rogue servers:
85.255.112.0 through 85.255.127.255
67.210.0.0 through 67.210.15.255
93.188.160.0 through 93.188.167.255
77.67.83.0 through 77.67.83.255
213.109.64.0 through 213.109.79.255
64.28.176.0 through 64.28.191.255
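The check described above, carried out in a script instead of by eye, as an added example that is not part of the original post or of the Comcast or FBI material: it reads the configured DNS servers (from "ipconfig /all" on Windows, from /etc/resolv.conf on a Mac or Linux box), compares each one against the six rogue ranges listed in the FBI's DNS-malware.pdf, and flags a private address separately because that means the computer is asking the router and the router's own settings must be checked next. The ipconfig output embedded in the block is a constructed sample, not a real capture.

```python
import ipaddress
import re
import subprocess
import sys

# The six rogue DNS server ranges published by the FBI for the DNSChanger
# takedown (http://www.fbi.gov/DNS-malware.pdf), written as CIDR blocks.
ROGUE_DNS_RANGES = [
    ipaddress.ip_network("85.255.112.0/20"),   # 85.255.112.0 - 85.255.127.255
    ipaddress.ip_network("67.210.0.0/20"),     # 67.210.0.0   - 67.210.15.255
    ipaddress.ip_network("93.188.160.0/21"),   # 93.188.160.0 - 93.188.167.255
    ipaddress.ip_network("77.67.83.0/24"),     # 77.67.83.0   - 77.67.83.255
    ipaddress.ip_network("213.109.64.0/20"),   # 213.109.64.0 - 213.109.79.255
    ipaddress.ip_network("64.28.176.0/20"),    # 64.28.176.0  - 64.28.191.255
]

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_ipconfig_dns(text):
    """Return the IPv4 DNS servers listed in `ipconfig /all` output.

    The first server sits on the 'DNS Servers' line; further servers follow
    on indented continuation lines that carry only an address.  A new field
    line is recognised by its ' : ' separator (or a trailing ':' on an
    adapter heading or an empty field).
    """
    servers = []
    in_dns = False
    for line in text.splitlines():
        is_field = " : " in line or line.rstrip().endswith(":")
        if "DNS Servers" in line:
            in_dns = True
            servers += IPV4.findall(line)
        elif in_dns and not is_field:
            servers += IPV4.findall(line)   # continuation line
        else:
            in_dns = False
    return servers


def parse_resolv_conf(text):
    """Return the nameserver entries of a resolv.conf file (Mac, Linux)."""
    return [m.group(1) for m in
            (re.match(r"\s*nameserver\s+(\S+)", ln) for ln in text.splitlines()) if m]


def classify(addr):
    """ROGUE: inside an FBI range.  ROUTER: private address, so the home
    gateway answers DNS and its own settings must be checked.  OK: neither."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in ROGUE_DNS_RANGES):
        return "ROGUE"
    if ip.is_private:
        return "ROUTER"
    return "OK"


def check_dns_servers(servers):
    """Map each configured server address to its label."""
    return {addr: classify(addr) for addr in servers}


# Constructed sample of `ipconfig /all` output from an infected PC: the first
# DNS server is rogue, the second is the home router.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : HOMEPC

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : hsd1.example.net
   IPv4 Address. . . . . . . . . . . : 192.168.1.10
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.36
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def main():
    if sys.platform.startswith("win"):
        out = subprocess.run(["ipconfig", "/all"], capture_output=True,
                             text=True, errors="replace").stdout
        servers = parse_ipconfig_dns(out)
    else:
        with open("/etc/resolv.conf") as fh:   # mirrors the Network preference pane on a Mac
            servers = parse_resolv_conf(fh.read())
    if not servers:
        print("no DNS servers found; check the settings by hand")
        return 2
    results = check_dns_servers(servers)
    for addr, label in results.items():
        print(f"{addr:40} {label}")
    if "ROGUE" in results.values():
        print("rogue DNS server configured: scan for malware, then have your ISP restore the settings")
        return 1
    if "ROUTER" in results.values():
        print("this machine asks the router for DNS: log into the router and check its DNS servers")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it on each computer; a ROGUE result means the machine (or the router that handed it those addresses) is affected, and a ROUTER result means the check is not finished until the router's own DNS settings have been read, since a PC that simply forwards to 192.168.1.1 will look clean even when the router has been pointed at the rogue servers.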
The actual email, sent to my Microsoft Office inbox on Thu 11/10/2011 1:52 PM:
Law enforcement authorities have advised ISPs around the U.S. that a major criminal bot network was taken offline, and key suspects arrested, as noted in http://www.fbi.gov/news/stories/2011/november/malware_110911/malware_110911. We believe one or more of your Windows computers or your home gateway device (a.k.a. router) is infected with this malware. Unfortunately, we have no way of knowing which of your computers may be infected, or whether your home gateway device is infected, though an FBI document at http://www.fbi.gov/DNS-malware.pdf offers suggestions. It is also possible that this malware will have downloaded other additional forms of malware to your computer.
One aspect of the bot network involved changing customers' DNS records to point to rogue DNS servers, which law enforcement has now seized. A court-appointed DNS operator has re-routed traffic destined for these rogue DNS servers to their legitimate DNS servers so that you can continue to use the Internet until you are able to change your DNS servers back to Comcast's servers.
Recommended Next Steps:
- Ensure that all of your critical files are backed up.
- Read the FBI advisory at http://www.fbi.gov/news/stories/2011/november/malware_110911/malware_110911.
- Read the FBI malware removal guide at http://www.fbi.gov/DNS-malware.pdf.
- Read the FAQs below for additional recommendations.
- Visit the Constant Guard Center at http://xfinity.com/bothelp for recommendations on general steps to protect yourself from and/or remove malware.
- Visit our Security forum at http://forums.comcast.com/t5/Security-and-Anti-Virus/bd-p/13.
- Double check that your computer(s) and your home gateway device are all set to receive DNS IP addresses from our network automatically (via DHCP).
FAQs:
What is the malware involved in this bot network?
Alureon, also known as TDL4, Win32/Alureon, or DNSChanger, is a particularly virulent type of malware. See http://en.wikipedia.org/wiki/Alureon for more information.
What does the malware do?
Alureon is a family of data-stealing Trojans. A Trojan is considered a "utility bot" since it can do many things. For example, a Trojan is often used to download additional malware so that a bot network operator can do other things on the infected machine such as send spam or perform distributed denial of service attacks. Malware can also capture keystrokes in order to record user names and passwords, as well as credit card and other personal or financial information. This malware also appears to be modifying a user's DNS settings, pointing users to a rogue DNS controlled by the bot network.
What is law enforcement doing about this?
Law enforcement authorities arrested several suspects. Law enforcement also seized and took offline servers that were involved in the bot network, including the rogue DNS servers.
How can customers protect their data?
Prior to taking any remediation steps, a customer should immediately back up all of their data. This can be achieved by using such products as Comcast's Secure Backup and Share (http://xfinity.comcast.net/constantguard/Products/CGPS/backup/), Mozy (https://mozy.com/home/), Carbonite (http://www.carbonite.com/en/home/online-backup), Dropbox (https://www.dropbox.com/), etc.
What is the fix for an infected Microsoft Windows PC?
Symantec believes that one of their free tools, available at http://security.symantec.com/nbrt/npe.aspx, may be able to successfully remove this malware. This tool should be run in "rootkit mode." It is unclear if Microsoft has a way to remove this malware. If removal steps fail, users may need to re-partition and reformat their hard drive, and then reinstall their operating system and restore documents and applications from backup. Microsoft may have additional information at http://support.microsoft.com or http://www.microsoft.com/security/portal/.
What is the fix for an infected home gateway device?
At a minimum, we recommend that customers (1) log into the device, (2) change the administrator password, and (3) change the DNS settings to receive DNS settings via DHCP. Customers may need to contact their device manufacturer for advice if they are unsure of how to do this. In some cases the manufacturer may recommend restoring a device to its factory settings and then ensuring that the router has the most up to date firmware.
What else should customers worry about?
Some malware is capable of keylogging. This means the malware can in some cases record user names and passwords, as well as credit card numbers if you made online purchases. We recommend you reset your password at all the sites you use, but only after you have remediated the infection on your PC (otherwise any keylogger resident on your PC may simply record the new login credentials).
Sincerely,
Constant Guard from XFINITY