The Cellar - This Smells. Bad.

The Cellar (http://cellar.org/index.php)

- The Internet (http://cellar.org/forumdisplay.php?f=8)

- - This Smells. Bad. (http://cellar.org/showthread.php?t=27229)

This Smells. Bad.

from AP via Yahoo!News

Is this something to worry about, or not? I mean when the gov't wants to help me for no apparent reason I get suspicious. Why does the gov't have to be the one to clean my computer? Will none of the infinitely more capable internet security concerns provide info on how to detect and/or remove this whatever-it-is? I'll bet my benevolent gov't will want to scan my entire computer in this scenario, too won't they?

Uncle Sam can kiss my hairy ass. If this 'puter stops in July, I got another one in the closet, brand new, in the box.

And unsullied by my Big Brother...:neutral:

Quote:

Hundreds of thousands may lose Internet in July

WASHINGTON (AP) — For computer users, a few mouse clicks could mean the difference between staying online and losing Internet connections this summer.

Unknown to most of them, their problem began when international hackers ran an online advertising scam to take control of infected computers around the world. In a highly unusual response, the FBI set up a safety net months ago using government computers to prevent Internet disruptions for those infected users. But that system is to be shut down.

The FBI is encouraging users to visit a website run by its security partner, http://www.dcwg.org , that will inform them whether they're infected and explain how to fix the problem. After July 9, infected users won't be able to connect to the Internet.

Most victims don't even know their computers have been infected, although the malicious software probably has slowed their web surfing and disabled their antivirus software, making their machines more vulnerable to other problems.

Last November, the FBI and other authorities were preparing to take down a hacker ring that had been running an Internet ad scam on a massive network of infected computers.

"We started to realize that we might have a little bit of a problem on our hands because ... if we just pulled the plug on their criminal infrastructure and threw everybody in jail, the victims of this were going to be without Internet service," said Tom Grasso, an FBI supervisory special agent. "The average user would open up Internet Explorer and get 'page not found' and think the Internet is broken."

On the night of the arrests, the agency brought in Paul Vixie, chairman and founder of Internet Systems Consortium, to install two Internet servers to take the place of the truckload of impounded rogue servers that infected computers were using. Federal officials planned to keep their servers online until March, giving everyone opportunity to clean their computers. But it wasn't enough time. A federal judge in New York extended the deadline until July.

Now, said Grasso, "the full court press is on to get people to address this problem." And it's up to computer users to check their PCs.

This is what happened:

Hackers infected a network of probably more than 570,000 computers worldwide. They took advantage of vulnerabilities in the Microsoft Windows operating system to install malicious software on the victim computers. This turned off antivirus updates and changed the way the computers reconcile website addresses behind the scenes on the Internet's domain name system.

The DNS system is a network of servers that translates a web address — such as www.ap.org — into the numerical addresses that computers use. Victim computers were reprogrammed to use rogue DNS servers owned by the attackers. This allowed the attackers to redirect computers to fraudulent versions of any website.

The hackers earned profits from advertisements that appeared on websites that victims were tricked into visiting. The scam netted the hackers at least $14 million, according to the FBI. It also made thousands of computers reliant on the rogue servers for their Internet browsing.

When the FBI and others arrested six Estonians last November, the agency replaced the rogue servers with Vixie's clean ones. Installing and running the two substitute servers for eight months is costing the federal government about $87,000.

The number of victims is hard to pinpoint, but the FBI believes that on the day of the arrests, at least 568,000 unique Internet addresses were using the rogue servers. Five months later, FBI estimates that the number is down to at least 360,000. The U.S. has the most, about 85,000, federal authorities said. Other countries with more than 20,000 each include Italy, India, England and Germany. Smaller numbers are online in Spain, France, Canada, China and Mexico.

Vixie said most of the victims are probably individual home users, rather than corporations that have technology staffs who routinely check the computers.

FBI officials said they organized an unusual system to avoid any appearance of government intrusion into the Internet or private computers. And while this is the first time the FBI used it, it won't be the last.

"This is the future of what we will be doing," said Eric Strom, a unit chief in the FBI's Cyber Division. "Until there is a change in legal system, both inside and outside the United States, to get up to speed with the cyber problem, we will have to go down these paths, trail-blazing if you will, on these types of investigations."

Now, he said, every time the agency gets near the end of a cyber case, "we get to the point where we say, how are we going to do this, how are we going to clean the system" without creating a bigger mess than before.

And, Hells no I didn't click the link to the FBI's "security partner".

Some people got a virus that routed their internet traffic through a criminal's servers.

The government took control of those servers when they arrested the criminals.

When they take those servers down, anyone who is infected will lose internet access.

Going to that website will tell you if you are infected (ie, if all of your internet traffic is already, due to the criminals' virus, going through currently-government-run servers).

So, if you're currently infected, the eebil gobberment is already getting all your traffic. If you don't want to actually check whether you're infected, then you'd better play it safe and switch to the new computer right away.

That article reads like a trojan carrier, doesn't it?

A gov't small enough to fit inside your computer...

Quote:

Originally Posted by wolf (Post 808086)

That article reads like a trojan carrier, doesn't it?

That's probably why they don't just redirect all the infected computers to a warning page; everyone will (correctly) assume that it's due to a virus, and (incorrectly, but reasonably) assume that the information on that page is malicious.

They're trying to get the news out via major news sources to as many users (and as many ISP help desks) as possible before turning off half a million people's internet.

Funny, they never worried about fucking people over before...

I checked out that site on my work computer since it's gov't owned and has nothing on it they don't already know about. And I am able to nuke and re-image it if things go wahooni-shaped. At that site, they'll do the check for you, but you can do it manually if you want to know and don't want anyone else scanning your machine. I got the details on what it's looking for from here.

They're looking to see what DNS your machine is being routed through to get internet access. Your ISP will give this to you if you have a static connection and it's automatically configured if you use a dynamic connection.

In case anyone is curious and doesn't want to use the link...
Open up the command (CMD) window
Type ipconfig /all
You should see settings similar to this:
Attachment 38787

Look at the settings for DNS Servers. If the IP addresses there fall within any of these ranges, you have a problem.

77.67.83.1 to 77.67.83.254
85.255.112.1 to 85.255.127.254
67.210.0.1 to 67.210.15.254
93.188.160.1 to 93.188.167.254
213.109.64.1 to 213.109.79.254
64.28.176.1 to 64.28.191.254

If you have a problem and a dynamic connection, you can reboot your machine to reset it or try this to fix it:
Open a command (CMD) window
Type ipconfig /release
Type ipconfig /renew

If you have a problem and a static connection, you'll need to get the DNS information from your ISP and re-enter them in your Local Area Connection settings, just as you likely had to do when you first got set up.

If you do all this and your machine reverts back to the blacklist IPs above for its DNS settings, you still have the buggy bug on your machine/in your removable media somewhere or you keep going to a site that's putting it on your machine. You might also want to check your router and make sure it's not configured to route through the blacklisted IPs.

Cool! Thanks for checking that out.

How many ways can I screw something up if I do that stuff Cyber talks about?

Not at all. It's a very simple and common set of commands, no way you could mess it up. Well, I guess if you did (ipconfig /release) and then never followed up with an (ipconfig /renew) then you'd just be sitting there without an IP address, but even then your machine would grab a new one on its own the next time you rebooted.

Quote:

Originally Posted by Clodfobble (Post 812077)

Not at all. It's a very simple and common set of commands, no way you could mess it up. --snip

You lack imagination.

Quote:

Originally Posted by Gravdigr (Post 812074)

How many ways can I screw something up if I do that stuff Cyber talks about?

You would have to try quite hard to mess any of that up.

Oh dear - I had to reboot just because I thought about doing that.
You have no idea how badly I could eff that up.
For example - "Open up the command (CMD) window"
I have NO IDEA how to even do THAT!

Windows Vista and 7 users - Click Start, type cmd or command. Press enter.

Windows NT, 2000, and XP users - Click Start, click Run, type cmd or command. Press enter.

If you manage to mess that up, please post screenshots :D

Quote:

Windows Vista and 7 users - Click Start

and where is this "start" you speak of? Are you grasping the magnitude yet?

Quote:

If you manage to mess that up, please post screenshots

As if I knew how to do that. lol
I know peeps who know stuff. If my comp stops working - I'll trust them to handle it.

Quote:

Originally Posted by classicman

Oh dear - I had to reboot just because I thought about doing that.
You have no idea how badly I could eff that up.
For example - "Open up the command (CMD) window"
I have NO IDEA how to even do THAT!

Well sure, the procedure is even safer if you don't do it. :) I'm just saying, you're not editing the registry or anything where one wrong keystroke sends things into oblivion. You can't break anything just by opening a command window.

Quote:

Originally Posted by classicman (Post 812132)

and where is this "start" you speak of? Are you grasping the magnitude yet?

Oh, I fully understand. I deal with users of this magnitude on a daily basis. :comp1:

Hey Cyber? (or anybody else who would know)

My list of stuffs don't look exactly like your list of stuffs, but, I only show one DNS Server - 10.0.0.1.

Do I need to get with my ISP, or am I good to go or what? (I'm not really sure of the difference between static and dynamic as applicable to IP addresses. Dynamic changes every time I log on?)

I woulda posted a screen shot, but, I'm paranoid and don't know what to hide and what's ok for the world to see.

I ran through the test at the link in the OP ( http://www.dcwg.org ). It's legit, as far as I can tell. That is the most straightforward way to check to see if you're in "trouble".

Quote:

Originally Posted by Gravdigr (Post 812198)

Yeah, when it comes to the list of suspect IPs, that's okay, but the number itself suggests that you connect using a router... Cisco possibly? If that's so, you might want to check what IP the router is using for its DNS settings. You can Google your router brand to find out how to do this.

And you're right, dynamic connections will automatically change that IP address (and a few others) each time you connect to the server. For most people, this is a completely invisible process. So, if you get one of the bad IPs, a restart of your system will change it and you'll be good (assuming your system still doesn't have the virus). Static connections are manually set with a specific IP address and will not change after a restart.