Thursday, April 26, 2012

Staying connected

kw: computer security

I haven't had a reason to visit the FBI web site before, but a newspaper article gave me one. Some clever cybercriminals set up a web server warehouse in Eastern Europe and propagated a virus that caused infected computers to send their web page address lookups to the criminals' servers to be resolved. The pages those answers led to carried more ads, or different ads, than the "normal" page. The scam owners made a few million from the ad agencies they favored in this way.

To take down this operation, which amounted to infections of at least half a million computers worldwide, the FBI contracted a company to set up a mirror site running the same server software, then arrested the Eastern Europeans and closed down the original site. This has been going on for months now, but the mirror site is about to be closed down, on July 9 (don't you love how judges pick dates?). From that date, an infected computer will be unable to access the internet at all, because it will be sending its requests to a set of Domain Name System (DNS) servers that no longer exist. One side effect of the infection is that antivirus updates are blocked, so an infected computer has probably picked up other malware as well.

The FBI's contracting company has a tool to detect an infection, and a procedure to remove the infection if it is found. A couple of web addresses are being printed in newspaper articles. I decided to go through the FBI's site and see what they offered. First, I checked my computer to see if an antivirus update would work. It did, so I had some initial comfort that I was unlikely to be infected.

To do what I did, do the following:
  • Enter the FBI web site's URL. I haven't provided a link here because it is safest if you type in the URL directly.
  • At the upper right they have a search bar. Enter dcwg; you are looking for articles about the Domain Change Working Group, the contractor working with the FBI.
  • From the list returned, the second or third link will be to a page "Check to see if your computer is using rogue DNS". Click on that.
  • There is a set of links. Which one you use depends on where you are in the world, and on your language. Click one of them.
  • You will then see either a green box or a red box. The green box tells you your computer is OK. The red box tells you how to remove the infection it found. I haven't had to do so, so you are on your own from here.

I thought of using some screen shots in this item, but decided they could too easily be used to promulgate a meta-scam. Sometimes good old-fashioned text is best.
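The web page above does its red-box/green-box check by looking at which DNS server your request arrived from. The same check can be done locally, and as an added example (this is not code from the original post or from the FBI's contractor) here is a small script that reads the resolvers a machine is configured to use, from a resolv.conf file or from pasted `ipconfig /all` output, and compares them with a list of rogue resolver ranges. The ranges in the script are placeholders (RFC 5737 documentation addresses) because the real rogue ranges are not given in this post; the sample configuration texts are constructed for the demonstration.

```python
import ipaddress
from typing import Iterable, List, Dict

# PLACEHOLDER ranges (RFC 5737 documentation networks). The actual rogue
# resolver ranges are not given in the post; substitute the published list.
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def parse_resolv_conf(text: str) -> List[str]:
    """Return the addresses on 'nameserver' lines of resolv.conf-style text.

    Lines starting with '#' or ';' are comments and are skipped."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0].lower() == "nameserver" and len(parts) >= 2:
            servers.append(parts[1])
    return servers


def parse_ipconfig(text: str) -> List[str]:
    """Return the DNS servers listed in Windows 'ipconfig /all' output.

    The first server follows the 'DNS Servers' label; any further servers
    appear on the following lines with no label, so a line is treated as a
    continuation only while it parses as an IP address."""
    servers, in_dns_block = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("DNS Servers"):
            in_dns_block = True
            value = stripped.split(":", 1)[1].strip()
            if value:
                servers.append(value)
            continue
        if in_dns_block:
            try:
                ipaddress.ip_address(stripped)
                servers.append(stripped)
                continue
            except ValueError:
                in_dns_block = False  # label line or blank: block is over
    return servers


def classify_resolvers(servers: Iterable[str],
                       rogue_ranges=ROGUE_RESOLVER_RANGES) -> Dict[str, List[str]]:
    """Sort resolver addresses into rogue, clean and unparseable entries."""
    result: Dict[str, List[str]] = {"rogue": [], "clean": [], "invalid": []}
    for server in servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            result["invalid"].append(server)
            continue
        if any(addr in net for net in rogue_ranges):
            result["rogue"].append(server)
        else:
            result["clean"].append(server)
    return result


def verdict(servers: Iterable[str]) -> str:
    """'red' if any configured resolver is in a rogue range, else 'green'."""
    return "red" if classify_resolvers(servers)["rogue"] else "green"


# Constructed sample inputs; 10.0.0.1 stands for a normal home router.
SAMPLE_RESOLV_CONF = """# constructed sample resolv.conf
nameserver 192.0.2.77
nameserver 10.0.0.1
"""

SAMPLE_IPCONFIG = """Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.invalid
   IPv4 Address. . . . . . . . . . . : 10.0.0.5
   DNS Servers . . . . . . . . . . . : 198.51.100.9
                                       10.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for label, servers in (("resolv.conf", parse_resolv_conf(SAMPLE_RESOLV_CONF)),
                           ("ipconfig", parse_ipconfig(SAMPLE_IPCONFIG))):
        print(label, classify_resolvers(servers), "->", verdict(servers))
```

To check a real machine, feed `parse_resolv_conf` the contents of `/etc/resolv.conf`, or paste the output of `ipconfig /all` into `parse_ipconfig`, and replace the placeholder ranges with the published rogue list. A "green" verdict from this script only means the configured resolvers are not in the listed ranges; it says nothing about whether a router upstream has had its own DNS settings changed, which the web-based check catches because it sees the address the request actually came from.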

1 comment:

Anonymous said...

This blog was... how do you say it? Relevant! Finally I have found something which helped me. Many thanks!