[lug] Century Link and "DNSChanger"

William D. Knoche bill.knoche at gmail.com
Wed Jan 4 12:30:41 MST 2012


Is anyone else getting these from the abuse folks at CenturyLink?
I do run my own DNS server but I never see this address in any of my
router logs, etc.
What's going on?

> CenturyLink is dedicated to protecting its customers' Internet experience
> and works to notify users when their computer systems are infected. Our
> Security Services organization has received notification from the Federal
> Bureau of Investigation (FBI) about industry-wide malicious online traffic,
> which we have identified as impacting this account. This means that your
> computer or another computer on your network may be infected by malicious
> software known as "DNSChanger."
>
> DNSChanger redirects your internet traffic to alternative web sites, most
> commonly redirecting advertisement traffic to sites controlled by the malicious
> operator.  Also, this malware allows infected computers to be controlled
> remotely.  Details about this malware attack, and how your system may have been
> infected, can be found on the following FBI and Department of Justice website:
>          http://www.fbi.gov/news/stories/2011/november/malware_110911/dns-changer-malware.pdf
>
> To help protect your computer from further damage and to ensure continued
> internet access, we are redirecting your DNS traffic to enable your Internet
> browsing, email and other activities to continue.  Currently, it is not known
> whether or not this industry-wide malware attack impacts anything other than
> web or advertisement redirection and there is no tool that is known to be
> effective in detecting and eradicating this infection from infected computers.
>
> As a precaution to protect your privacy and data, the Department of Justice,
> with the assistance of the FBI, is recommending that you update your master
> boot record and reformat your hard drive or take it to a local repair shop
> to have this done. If a tool becomes available in the future to remove the
> infection without reformatting your hard drive, we will provide you with
> the information.
>
> In addition, you will need to change your residential, small office or home
> office router administrative username and password, to avoid additional
> compromise and to allow your router to reconnect to CenturyLink's DNS servers.
>
> Please note that not removing the malware from infected computers may mean
> that you are still subject to Acceptable Use Policy enforcement.
>
> Please see the Acceptable Use Policy at:
>          https://www.centurylink.com/Pages/AboutUs/Legal/AcceptableUse/acceptableUsePolicyQwest.jsp
>
> CenturyLink may take further action, including the suspension or termination
> of your Service.  Please note that if you use the Internet for Voice over IP
> services (VoIP) to support Internet based calling, you will not be able
> to make any incoming or outgoing calls, including 9-1-1 calls, from your
> service address unless you have Internet service.  Also, disconnection
> of a bundled service may result in loss of your bundle discount.
>
>
> In addition, please make sure that the system software is up to date,
> that antivirus software is installed with current antivirus signatures, and
> that your hard disk(s) have been scanned to detect and remove all viruses,
> worms, trojans, or other software, which allow unauthorized remote control
> of your systems.  In addition to DNSChanger, your computer may be compromised
> with additional malware.
>
> In addition to the FBI's site, a more detailed explanation of the
> malware's potential impact to your computer or network is available here:
>          http://www.centurylink.com/news/dnschanger-customer-notice.html
>
> If you have questions regarding this issue, please contact us
> at abuse at centurylinkservices.net or 855-250-6495.
>
>
> The date, time (GMT) and IP addresses identified in our investigation
> are as follows:
>
> Date                IP              Additional Info
> =================== =============== =======================================================
> 2012-01-02 00:13:17 xx.xx.xxx.x     infection =>  'dns-changer', rogue_ns_ip =>  '85.255.127.4'
> 2012-01-02 06:14:33 xx.xx.xxx.x     infection =>  'dns-changer', rogue_ns_ip =>  '85.255.127.4'
> 2012-01-02 12:14:38 xx.xx.xxx.x     infection =>  'dns-changer', rogue_ns_ip =>  '85.255.127.4'
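The notice says the abuse team saw traffic from the account's public IP to the rogue nameserver 85.255.127.4, and the original poster says that address never shows up in his router logs. The check a practitioner would actually run is: pull the rogue_ns_ip values out of the report, compare them against the resolvers each host and the router are configured to use, and grep the gateway's outbound DNS (port 53) log for that destination. The script below does exactly that. It is an added example written for this page, not code from CenturyLink, the FBI or the list; the report lines are copied from the notice above, while the resolv.conf contents and the netfilter LOG lines are constructed samples, and the log format assumed is the standard iptables `LOG` target output (`SRC=... DST=... PROTO=... DPT=...`).

```python
import ipaddress
import re

# The three report lines from the CenturyLink notice (only the masked source IP
# is as it appears in the mail; the rogue_ns_ip field is what we want).
REPORT_TEXT = """\
2012-01-02 00:13:17 xx.xx.xxx.x     infection =>  'dns-changer', rogue_ns_ip =>  '85.255.127.4'
2012-01-02 06:14:33 xx.xx.xxx.x     infection =>  'dns-changer', rogue_ns_ip =>  '85.255.127.4'
2012-01-02 12:14:38 xx.xx.xxx.x     infection =>  'dns-changer', rogue_ns_ip =>  '85.255.127.4'
"""

# Constructed sample /etc/resolv.conf: one clean host, one whose resolver was
# rewritten by the malware (hypothetical content for the demo).
CLEAN_RESOLV = "search home.lan\nnameserver 192.168.1.1\n"
INFECTED_RESOLV = "# generated by DNSChanger (constructed)\nnameserver 85.255.127.4\nnameserver 192.168.1.1\n"

# Constructed iptables LOG lines as a router would write them to syslog.
ROUTER_LOG = [
    "Jan  2 00:13:17 gw kernel: FWD-OUT IN=br0 OUT=ppp0 SRC=192.168.1.23 DST=85.255.127.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF PROTO=UDP SPT=51234 DPT=53 LEN=40",
    "Jan  2 00:13:18 gw kernel: FWD-OUT IN=br0 OUT=ppp0 SRC=192.168.1.50 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4712 DF PROTO=UDP SPT=40001 DPT=53 LEN=40",
    "Jan  2 00:13:19 gw kernel: FWD-OUT IN=br0 OUT=ppp0 SRC=192.168.1.23 DST=85.255.127.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4713 DF PROTO=TCP SPT=51235 DPT=80 LEN=40",
]

ROGUE_RE = re.compile(r"rogue_ns_ip\s*=>\s*'([0-9.]+)'")
LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) .*?PROTO=(\w+) SPT=(\d+) DPT=(\d+)")


def rogue_nameservers(report_text):
    """Set of rogue nameserver addresses named in an abuse report."""
    return {ipaddress.ip_address(ip) for ip in ROGUE_RE.findall(report_text)}


def resolv_conf_nameservers(text):
    """Parse 'nameserver' entries from resolv.conf-style text, ignoring comments."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                pass  # skip malformed entries rather than crash on a live box
    return servers


def rogue_resolvers(resolv_text, rogue):
    """Configured resolvers that match a rogue nameserver from the report."""
    return [str(ns) for ns in resolv_conf_nameservers(resolv_text) if ns in rogue]


def dns_to_rogue(log_lines, rogue):
    """(src, dst, proto) for every logged port-53 flow to a rogue nameserver.

    This is the evidence the ISP saw: not a query in your own DNS server's
    log, but a LAN host talking straight past it to the rogue resolver."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst, proto, _spt, dpt = m.groups()
        if dpt == "53" and ipaddress.ip_address(dst) in rogue:
            hits.append((src, dst, proto))
    return hits


if __name__ == "__main__":
    rogue = rogue_nameservers(REPORT_TEXT)
    print("rogue nameservers in report:", sorted(map(str, rogue)))
    print("clean host resolvers flagged:", rogue_resolvers(CLEAN_RESOLV, rogue))
    print("infected host resolvers flagged:", rogue_resolvers(INFECTED_RESOLV, rogue))
    for src, dst, proto in dns_to_rogue(ROUTER_LOG, rogue):
        print(f"LAN host {src} sent {proto} DNS to rogue server {dst}")
```

The point of the third check is the one that answers the poster's question: a local DNS server only logs queries that reach it, so a compromised host (or a router whose WAN DHCP/DNS settings were rewritten) that queries 85.255.127.4 directly will never appear there. You need a forwarding-chain `LOG` rule for outbound port 53 on the gateway, or a packet capture on the WAN side, to see it.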



