Saturday, June 23, 2012

Is your computer infected? Better deal with it before July 10.

Here’s a timely warning from one of my favorite blogs, Maggie’s Farm:

A whole pisspot full of computers are going to lose their Internet connection this July 10th.  Let's find out if yours will be one of them.

It's actually kind of a bizarre story.  Your computer connects to the Internet using DNS numbers.  Some bad guys in Estonia ran a fake advertising scheme and infected a shitload of computers around the world with a DNS hijacking program which changed the computer's DNS numbers.  It would still connect with the Internet just fine, albeit occasionally the user might find some new browser window open advertising this or that, which is how the bad guys made their money.

Enter the authorities, who catch the bad guys but then are faced with a problem.  If they had just confiscated their servers, every infected machine on the planet would have immediately lost its Internet connection — and without the owners having the slightest idea why.

Rather than risk global anarchy, the FBI substituted the servers with some rental servers to give people time to clean up their computers, but time is running out and the servers are going to be unplugged this July 10th.  There's already been one court-ordered 'stay' of 3 months, and it doesn't look like there's going to be another.

The reason anti-virus programs don't catch the little rascal is because it's not actually a virus; it's not even a program, just a web file.  The second someone clicked on the original fraudulent ad, the damage was done.  No file was ever downloaded so there wasn't anything for the anti-virus program to analyze and stop.

The official FBI info file is here.

The Tests

To be fairly certain you're not infected, visit this and this page.  If they say you're infected, there will be some instructions to follow.

If you want to be absolutely certain you're not infected, go to Start Menu, Programs, Accessories, open 'Command Prompt'.  Type in:

   ipconfig /all

and hit the Enter key.  Start looking down the list and you'll see 'DNS Servers', with one or two DNS numbers over to the right.

If any DNS number fits into one of these ranges, the machine is infected:

    64.28.176.0 — 64.28.191.255
    67.210.0.0 — 67.210.15.255
    77.67.83.0 — 77.67.83.255
    85.255.112.0 — 85.255.127.255
    93.188.160.0 — 93.188.167.255
    213.109.64.0 — 213.109.79.255

If so, head here for some fix-it tools, and please let us know in the comments which tool you used and on what operating system.

Mac users:  If you use a browser with a Windows emulation program, check the FBI file for how to access your DNS numbers so you can compare them to the above list.  If you're not running emulation, don't worry about it.

Also, if you're using a router, check the router section in the FBI file.  The router has its own DNS numbers that need to be manually checked against the list.

I suppose I should note the historical impact of the event.  While there have been innumerable viruses, worms and trojans over the years that were expected to ignite on a certain date, creating Gawd knows what kind of havoc, almost none of them ever panned out.  This time, however, we're being given a specific date and it's a damn good guess it'll actually happen.

After all, this one's backed up by the FBI.
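If you would rather not eyeball the ipconfig listing against the six ranges by hand, here is a small script that does the comparison. It is an added example and is not code from Maggie's Farm, from this post, or from the FBI document: it parses the "DNS Servers" lines out of `ipconfig /all` output (on Windows; on a Mac or Linux box it reads /etc/resolv.conf instead) and flags any address inside the rogue ranges listed above. The ipconfig output embedded in the script is constructed for illustration, and the parser assumes the English "DNS Servers" label.

```python
"""Check a machine's resolver addresses against the DNSChanger rogue-DNS ranges.

Added example, not from the original post or the FBI document. The sample
ipconfig output below is constructed; the parser assumes the English label
"DNS Servers" as printed by `ipconfig /all`.
"""
import ipaddress
import platform
import re
import subprocess
from typing import List

# The six rogue resolver ranges from the post, as first/last address pairs.
# summarize_address_range turns each pair into CIDR blocks (all six are single /20-/24 blocks).
ROGUE_RANGES = [
    ("64.28.176.0", "64.28.191.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("85.255.112.0", "85.255.127.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("213.109.64.0", "213.109.79.255"),
]
ROGUE_NETWORKS = [
    net
    for lo, hi in ROGUE_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
    )
]

# A label line in `ipconfig /all` looks like "   DNS Servers . . . . . : 1.2.3.4".
# Extra resolvers continue on following lines that are indented with no label or dots.
LABEL_RE = re.compile(r"^\s*([^.:]+?)\s*(?:\.\s*)+:\s*(.*)$")
CONTINUATION_RE = re.compile(r"^\s+(\S+)\s*$")

# Constructed sample: one adapter whose first IPv4 resolver sits in a rogue range.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : DESKTOP-EXAMPLE
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-12-34-56
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       85.255.112.38
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def parse_ipconfig_dns(text: str) -> List[str]:
    """Return every address listed under 'DNS Servers' in `ipconfig /all` output."""
    servers: List[str] = []
    in_dns_block = False
    for line in text.splitlines():
        m = LABEL_RE.match(line)
        if m:
            label, value = m.group(1).strip().lower(), m.group(2).strip()
            in_dns_block = label == "dns servers"
            if in_dns_block and value:
                servers.append(value)
            continue
        c = CONTINUATION_RE.match(line)
        if in_dns_block and c:
            servers.append(c.group(1))
        else:
            in_dns_block = False  # blank line, adapter header, or anything else ends the block
    return servers


def is_rogue(addr: str) -> bool:
    """True if addr is an IPv4 address inside one of the rogue ranges (IPv6 entries are ignored)."""
    try:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop an IPv6 scope id such as %1
    except ValueError:
        return False
    return ip.version == 4 and any(ip in net for net in ROGUE_NETWORKS)


def rogue_servers(text: str) -> List[str]:
    """Resolvers from ipconfig output that fall in a rogue range; empty list means clean."""
    return [s for s in parse_ipconfig_dns(text) if is_rogue(s)]


def live_dns_servers() -> List[str]:
    """Read this machine's resolvers: `ipconfig /all` on Windows, /etc/resolv.conf elsewhere."""
    if platform.system() == "Windows":
        out = subprocess.run(["ipconfig", "/all"], capture_output=True, text=True, check=True).stdout
        return parse_ipconfig_dns(out)
    with open("/etc/resolv.conf", encoding="utf-8", errors="replace") as fh:
        return [ln.split()[1] for ln in fh if ln.startswith("nameserver") and len(ln.split()) > 1]


if __name__ == "__main__":
    print("sample output:", rogue_servers(SAMPLE_IPCONFIG) or "clean")
    try:
        live = live_dns_servers()
        print("this machine:", [s for s in live if is_rogue(s)] or "clean", "resolvers:", live)
    except (OSError, subprocess.CalledProcessError) as exc:
        print("could not read live resolver settings:", exc)
```

Run it as-is and it reports the sample as infected (85.255.112.38 is inside 85.255.112.0 to 85.255.127.255) and then checks the machine it is running on. A clean result here only covers the computer itself: if your router hands out its own DNS addresses, you still have to read them out of the router's admin page and compare them to the same list, as the FBI file describes.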
