On November 8, 2011, the FBI, the NASA-OIG and Estonian police arrested several cyber criminals in “Operation Ghost Click”. The criminals operated under the company name “Rove Digital” and distributed DNS-changing viruses, variously known as TDSS, Alureon, TidServ and TDL4.
The botnet operated by Rove Digital altered user DNS settings, pointing victims to malicious DNS servers in data centers in Estonia, New York, and Chicago. The malicious DNS servers would give fake, malicious answers, altering user searches and promoting fake and dangerous products. Because every web search starts with DNS, the malware showed users an altered version of the Internet.
Under a court order, expiring July 9, the Internet Systems Consortium is operating replacement DNS servers for the Rove Digital network. This will allow affected networks time to identify infected hosts, and avoid sudden disruption of services to victim machines.
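As an illustration of how a network operator could identify infected hosts during that window, the following added example (not part of the original advisory) scans outbound flow records for clients sending DNS traffic to rogue resolver ranges. The log format, function names and sample records are constructed assumptions, and the address ranges are documentation placeholders that must be replaced with the published rogue DNS ranges.

```python
import ipaddress
from collections import defaultdict

# PLACEHOLDER ranges (RFC 5737 documentation networks), not the real rogue
# ranges: replace with the ranges published for the Rove Digital DNS servers.
ROGUE_DNS_NETWORKS = [ipaddress.ip_network(n)
                      for n in ("192.0.2.0/24", "198.51.100.0/25")]

# Constructed sample flow records: "timestamp src_ip dst_ip proto dst_port".
SAMPLE_FLOWS = """\
2012-01-01T10:00:01Z 10.0.0.15 192.0.2.53 udp 53
2012-01-01T10:00:02Z 10.0.0.22 10.0.0.1 udp 53
2012-01-01T10:00:03Z 10.0.0.15 198.51.100.10 udp 53
2012-01-01T10:00:04Z 10.0.0.31 198.51.100.200 udp 53
2012-01-01T10:00:05Z 10.0.0.40 192.0.2.53 tcp 80
2012-01-01T10:00:06Z 10.0.0.41 192.0.2.99 tcp 53
malformed line
2012-01-01T10:00:07Z 10.0.0.50 not-an-ip udp 53
"""

def is_rogue_resolver(addr):
    """True if addr falls inside any configured rogue DNS network."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on bad input
    return any(ip in net for net in ROGUE_DNS_NETWORKS)

def find_suspect_hosts(flow_text):
    """Map each source IP to the sorted rogue resolvers it sent DNS traffic to."""
    suspects = defaultdict(set)
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records
        _ts, src, dst, proto, port = fields
        # DNS uses port 53 over both UDP and TCP; ignore everything else.
        if port != "53" or proto not in ("udp", "tcp"):
            continue
        try:
            if is_rogue_resolver(dst):
                suspects[str(ipaddress.ip_address(src))].add(dst)
        except ValueError:
            continue  # unparsable address in the record
    return {host: sorted(dsts) for host, dsts in suspects.items()}

if __name__ == "__main__":
    for host, resolvers in sorted(find_suspect_hosts(SAMPLE_FLOWS).items()):
        print(f"{host} is using suspect resolver(s): {', '.join(resolvers)}")
```

A host that appears in the result is a candidate for the infection check and cleanup described below, since a machine can also reach these resolvers through a router whose DNS settings were changed.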
An industry-wide team has developed easy “are you infected” web sites. They are a quick way to determine if you are infected with DNS Changer. Each site is designed so that any normal computer user can browse to a link, follow the instructions, and see if they might be infected. Each site has instructions, in its local language, on the next steps to clean up possible infections.
For example, visiting the http://www.dns-ok.us/ site will tell you whether or not you are infected.
If you followed the steps above and your computer is determined to be infected, the tools below can be used to clean it up:
| Name of the Tool | URL |
|---|---|
| Hitman Pro (32bit and 64bit versions) | http://www.surfright.nl/en/products/ |
| Microsoft Windows Defender Offline | http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline |
| Microsoft Safety Scanner | http://www.microsoft.com/security/scanner/en-us/default.aspx |
| Norton Power Eraser | http://security.symantec.com/nbrt/npe.aspx |
| Trend Micro Housecall | http://housecall.trendmicro.com |