Current Activity - DNSChanger Malware

[Current Activity <us-cert () us-cert gov>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

US-CERT Current Activity

DNSChanger Malware

Original release date: February 23, 2012 at 1:52 pm
Last revised: March 7, 2012 at 1:51 pm


UPDATE:  On March 5, 2012, a federal judge agreed to allow more time
for organizations and individuals to clean systems of the DNSChanger
malware and extended the deadline for shutting off servers that had
been keeping infected computers connected to the internet.

Although the new deadline is July 9, 2012, US-CERT strongly recommends
that organizations and individuals who have not verified that their
systems are free of the DNSChanger malware do so as soon as possible.
Please refer to the previous entry below for background information
and resources on detection and removal of the malware.

- -----------------------------

In November 2011, U.S. Federal prosecutors announced Operation Ghost
Click, an investigation that resulted in the arrests of a ring of
seven people who allegedly infected millions of computers with
DNSChanger malware.

The malware may prevent users' anti-virus software from functioning
properly and hijack the domain name system (DNS) on infected systems.
Systems affected by DNS hijacking may send Internet requests to a
rogue DNS server rather than a legitimate one.

To prevent millions of Internet users infected with the DNSChanger
malware from losing Internet connectivity when the members of the ring
where arrested, the FBI replaced rogue DNS servers with clean servers.

However, the court order allowing the FBI to provide the clean servers
is set to expire on March 8, 2012. Computers that are infected with
the DNSChanger malware may lose Internet connectivity when these FBI
servers are taken offline.

US-CERT encourages users and administrators to utilize the FBI's rogue
DNS detection tool to ensure their systems are not infected with the
DNSChanger malware. Computers testing positive for infection of the
DNSChanger malware will need to be cleaned of the malware to ensure
continued Internet connectivity.

Users and administrators are encouraged to implement the following
preventative measures to protect themselves from malware campaigns:
  * Maintain up-to-date antivirus software.
  * Do not follow unsolicited web links in email messages.
  * Configure your web browser as described in the Securing Your Web
    Browser document.
  * Use caution when opening email attachments. Refer to the Using
    Caution with Email Attachments Cyber Security Tip for more
    information on safely handling email attachments.
  * Implement best security practices as described in the Ten Ways to
    Improve the Security of a New Computer (pdf) document.

Relevant Url(s):
<http://www.us-cert.gov/reading_room/TenWaystoImproveNewComputerSecurity.pdf>

<https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS>

<http://www.us-cert.gov/reading_room/securing_browser/>

<http://www.us-cert.gov/cas/tips/ST04-010.html>

====
This entry is available at
http://www.us-cert.gov/current/index.html#operation_ghost_click_malware

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBT1evKj/GkGVXE7GMAQIBXgf/eeQB4OjYJia8Y3WJ6gz8euLYs3pJHRqj
/VRv5O1GUFCAkP+i9nd386F7V6Oloqm8mKCv05Oyv8aR25XhGiVX+mL2kGEeSV8l
0dI8g0tTL/PvSgPcjUYfjd1k9RZneztXy+Qmp7zE3jufMv0JBpk6Zf4DQmwP1i+a
5NYzuPCZh7q+eVpOUwatVjLPewkdg6UzOSMx6VM+nUTkBsEOyQIY94rtuyrLPSqA
P2ECbCTB7mxnY1D6Pinwl/YOJo2B3noI4dV2mp0YmeNksmu7wQu8SSCEBi5U+e8f
1RmB3YfTPI35veP+G8xIxH2PpHbcdOfLUYHDjqu6OSDthh0QvSeoZg==
=h8Jw
-----END PGP SIGNATURE-----