[lug] Century Link and "DNSChanger"

Bear Giles bgiles at coyotesong.com
Wed Jan 4 12:40:33 MST 2012


I've read that some viruses are now targeting routers instead of the PCs
behind them. It's exactly this attack - the rogue software redirects the
DNS lookups so you get sent to fraudulent sites for MITM attacks,
click-capture, etc.

Could this be what's happening here?

On Wed, Jan 4, 2012 at 12:30 PM, William D. Knoche <bill.knoche at gmail.com>wrote:

> Is anyone else getting these from the abuse folks at CenturyLink?
> I do run my own dns server but I never see this address in any of my
> router logs, etc.
> What's going on?
>
> > CenturyLink is dedicated to protecting its customers' Internet experience
> > and works to notify users when their computer systems are infected. Our
> > Security Services organization has received notification from the Federal
> > Bureau of Investigation (FBI) about industry-wide malicious online traffic,
> > which we have identified as impacting this account. This means that your
> > computer or another computer on your network may be infected by malicious
> > software known as "DNSChanger."
> >
> > DNSChanger redirects your internet traffic to alternative web sites, most
> > commonly redirecting advertisement traffic to sites controlled by the malicious
> > operator.  Also, this malware allows infected computers to be controlled
> > remotely.  Details about this malware attack, and how your system may have been
> > infected, can be found on the following FBI and Department of Justice website:
> >
> > http://www.fbi.gov/news/stories/2011/november/malware_110911/dns-changer-malware.pdf
> >
> > To help protect your computer from further damage and to ensure continued
> > internet access, we are redirecting your DNS traffic to enable your Internet
> > browsing, email and other activities to continue.  Currently, it is not known
> > whether or not this industry-wide malware attack impacts anything other than
> > web or advertisement redirection and there is no tool that is known to be
> > effective in detecting and eradicating this infection from infected computers.
> >
> > As a precaution to protect your privacy and data, the Department of Justice,
> > with the assistance of the FBI, is recommending that you update your master
> > boot record and reformat your hard drive or take it to a local repair shop
> > to have this done. If a tool becomes available in the future to remove the
> > infection without reformatting your hard drive, we will provide you with
> > the information.
> >
> > In addition, you will need to change your residential, small office or home
> > office router administrative username and password, to avoid additional
> > compromise and to allow your router to reconnect to CenturyLink's DNS servers.
> >
> > Please note that not removing the malware from infected computers may mean
> > that you are still subject to Acceptable Use Policy enforcement.
> >
> > Please see the Acceptable Use Policy at:
> >
> > https://www.centurylink.com/Pages/AboutUs/Legal/AcceptableUse/acceptableUsePolicyQwest.jsp
> >
> > CenturyLink may take further action, including the suspension or termination
> > of your Service.  Please note that if you use the Internet for Voice over IP
> > services (VoIP) to support Internet based calling, you will not be able
> > to make any incoming or outgoing calls, including 9-1-1 calls, from your
> > service address unless you have Internet service.  Also, disconnection
> > of a bundled service may result in loss of your bundle discount.
> >
> >
> > In addition, please make sure that the system software is up to date,
> > that antivirus software is installed with current antivirus signatures, and
> > that your hard disk(s) have been scanned to detect and remove all viruses,
> > worms, trojans, or other software, which allow unauthorized remote control
> > of your systems.  In addition to DNSChanger, your computer may be compromised
> > with additional malware.
> >
> > In addition to the FBI's site, a more detailed explanation of the
> > malware's potential impact to your computer or network is available here:
> > http://www.centurylink.com/news/dnschanger-customer-notice.html
> >
> > If you have questions regarding this issue, please contact us
> > at abuse at centurylinkservices.net or 855-250-6495.
> >
> >
> > The date, time (GMT) and IP addresses identified in our investigation
> > are as follows:
> >
> > Date                IP              Additional Info
> > =================== =============== =======================================================
> > 2012-01-02 00:13:17 xx.xx.xxx.x     infection =>  'dns-changer', rogue_ns_ip =>  '85.255.127.4'
> > 2012-01-02 06:14:33 xx.xx.xxx.x     infection =>  'dns-changer', rogue_ns_ip =>  '85.255.127.4'
> > 2012-01-02 12:14:38 xx.xx.xxx.x     infection =>  'dns-changer', rogue_ns_ip =>  '85.255.127.4'
>
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
>
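A practical way to answer Bear's question, added here as an example and not code from the list, from CenturyLink or from the FBI: a router-level DNSChanger infection hands the rogue resolver out over DHCP, so the check is to look at which name servers the hosts behind the router actually use and compare them with the rogue_ns_ip the abuse notice names. The script below does that for a resolv.conf-style file and also parses the notice's own table so the rogue address can be taken from it directly. The address 85.255.127.4 is the one in the quoted notice; the resolv.conf text and the notice rows in the script are constructed samples, and the function names are my own.

```python
"""Check a host's configured DNS resolvers against the rogue name server
named in an ISP abuse notice.

Added example for this thread, not code from the list or from CenturyLink.
Rogue address 85.255.127.4 is the rogue_ns_ip from the quoted notice; the
resolv.conf text and the notice rows below are constructed samples."""
import ipaddress
import re

# Rogue resolver reported in the quoted notice (value from the page).
ROGUE_NS_FROM_NOTICE = {"85.255.127.4"}

# Constructed /etc/resolv.conf as a router-level DNSChanger infection leaves
# it: the router hands the rogue resolver out over DHCP, so every machine
# behind it inherits it even when the PC itself is clean (which is why the
# original poster's own router logs never show the address as a client).
SAMPLE_RESOLV_CONF = """\
# Generated by dhcpcd from eth0.dhcp
nameserver 85.255.127.4
nameserver 192.168.1.1
search home.lan
"""

# Constructed copy of the notice's table, wrapped the way the quoted mail was.
SAMPLE_NOTICE = """\
> > Date                IP              Additional Info
> > 2012-01-02 00:13:17 xx.xx.xxx.x     infection =>  'dns-changer',
> rogue_ns_ip =>  '85.255.127.4'
> > 2012-01-02 06:14:33 xx.xx.xxx.x     infection =>  'dns-changer',
> rogue_ns_ip =>  '85.255.127.4'
"""

NOTICE_ROW = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<ip>\S+)\s+"
    r"infection\s*=>\s*'(?P<infection>[^']+)',\s*"
    r"rogue_ns_ip\s*=>\s*'(?P<rogue>[^']+)'"
)


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text,
    ignoring comments and malformed entries."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(fields[1])))
            except ValueError:
                continue
    return servers


def parse_notice_rows(text):
    """Extract (timestamp, client_ip, infection, rogue_ns_ip) tuples from an
    abuse-notice table, re-joining rows that the mail client wrapped."""
    flat = " ".join(line.lstrip("> ").strip() for line in text.splitlines())
    return [m.group("ts", "ip", "infection", "rogue")
            for m in NOTICE_ROW.finditer(flat)]


def rogue_ns_from_notice(text):
    """Set of rogue resolver addresses the notice attributes to this account."""
    return {row[3] for row in parse_notice_rows(text)}


def flag_rogue(servers, rogue_ips=ROGUE_NS_FROM_NOTICE):
    """Return the configured resolvers that match a known rogue address."""
    return [s for s in servers if s in rogue_ips]


def check_host(resolv_conf_path="/etc/resolv.conf", notice_text=SAMPLE_NOTICE):
    """Live check: read this host's resolv.conf and report rogue resolvers."""
    with open(resolv_conf_path) as fh:
        servers = parse_resolv_conf(fh.read())
    return flag_rogue(servers, ROGUE_NS_FROM_NOTICE | rogue_ns_from_notice(notice_text))


if __name__ == "__main__":
    hits = flag_rogue(parse_resolv_conf(SAMPLE_RESOLV_CONF),
                      rogue_ns_from_notice(SAMPLE_NOTICE))
    print("rogue resolvers in sample:", hits or "none")
```

Run it with no arguments to see the constructed sample flagged, or call `check_host()` on a Linux box behind the router in question. If the host's resolvers are the router itself (e.g. 192.168.1.1), the same comparison has to be made against the upstream resolvers configured in the router's admin page, since that is where DNSChanger rewrites them on the router-targeting variant Bear describes.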