techsupportcat

ISPs and FBI warning about a nasty rootkit called Alureon.

I got an email from an SEB regular about a notice she had received telling her to check her PC for infection, which directed her to DCWG.org. She wanted to know if it was legit or a scam. I checked it out and wrote back, and I thought the info would be useful for others, so here’s her original email followed by my reply:

Subject: dcwg scam

Not hate mail, but a query:  Is this dcwg.org computer checking site that the FBI is sending us to legit?

You’re the only computer guy I “know” [and not in the biblical sense!]

And my reply:

I hadn’t heard about it before, but it doesn’t appear to be a scam. Their about page (http://www.dcwg.org/aboutcontact/) says it’s a joint effort between the FBI, Georgia Tech, The Internet Systems Consortium, Mandiant, National Cyber Forensics and Training Alliance, Neustar, Spamhaus, Team Cymru, Trend Micro, and the University of Alabama at Birmingham. That’s a pretty impressive group and many of them have links back to dcwg.org. They also provide several links to the FBI (http://www.fbi.gov/news/stories/2011/november/malware_110911) and other sources for confirmation, plus there are a good number of news articles about it (http://www.usatoday.com/tech/news/story/2012-04-20/internet-woes-infected-pcs/54446044/1). On top of that there are a number of articles about it at various ISPs such as Comcast (http://forums.comcast.com/t5/Security-and-Anti-Virus/DNS-Changer-Bot-FAQ/td-p/1215341). The fact that it has pretty good prominence on Google’s search is a good indicator it’s legit as well.

If you were sent a notice from your ISP I’d take it seriously and run a couple of the tests to verify. This is a nasty rootkit that modifies what DNS servers you connect to to resolve domain names (it’s how you get from typing in stupidevilbastard.com to an IP address the computer can understand which for SEB would be 209.240.81.155). The rootkit modifies the hosts file on your PC and can, apparently, even modify some home routers as well (especially if you never changed the default password). One clear sign is if your antivirus software has been disabled, but check the links for more info. It appears it’s the Alureon rootkit which you can read more about at Wikipedia: http://en.wikipedia.org/wiki/Alureon

Don’t panic too much. Even if you are infected and lose connectivity in July your PCs can be fixed. The reason they’re working now is the FBI has seized the rogue DNS servers and replaced them with non-naughty ones, but they’re not going to keep them running forever. When they shut them down in July your PC won’t be able to resolve domain names. It’s not that you’re not connected to the net, just that you’d be limited to typing in IP addresses like the one I gave you for SEB. That bypasses DNS altogether.

Les
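The check described in the reply above, as an added example that is not part of the original post or of the DCWG tooling: a short Python script that reads a resolv.conf-style resolver list and a hosts file (both constructed inline here, not real captures) and flags resolvers that fall inside the rogue DNSChanger ranges, plus hosts-file entries that pin a public name to a non-loopback address and so override DNS for that name. The six rogue ranges are the blocks published in the FBI’s DNSChanger notice, converted to CIDR; verify them against the DCWG/FBI pages before relying on them. The hostname and the 203.0.113.x address in the sample are made up.

```python
"""Offline check for DNSChanger-style tampering: rogue resolvers and
hosts-file overrides.  Added example, not code from the original post."""
import ipaddress

# Rogue resolver ranges from the FBI DNSChanger notice, as CIDR blocks
# (e.g. 85.255.112.0-85.255.127.255 == 85.255.112.0/20).  Verify against
# the DCWG/FBI pages before relying on this list.
ROGUE_DNS_RANGES = [
    ipaddress.ip_network(cidr) for cidr in (
        "85.255.112.0/20",
        "67.210.0.0/20",
        "93.188.160.0/21",
        "77.67.83.0/24",
        "213.109.64.0/20",
        "64.28.176.0/20",
    )
]


def is_rogue_resolver(ip: str) -> bool:
    """True if ip is inside one of the rogue resolver ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ROGUE_DNS_RANGES)


def parse_resolv_conf(text: str) -> list:
    """Return the nameserver addresses from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def check_resolvers(servers) -> list:
    """Subset of servers that sit in a rogue range."""
    return [s for s in servers if is_rogue_resolver(s)]


def parse_hosts(text: str) -> list:
    """Return (ip, hostname) pairs from hosts-file text, comments stripped."""
    entries = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2:
            for name in parts[1:]:
                entries.append((parts[0], name.lower()))
    return entries


def suspicious_hosts_entries(entries) -> list:
    """Heuristic (an assumption of this example): a clean hosts file only maps
    loopback/link-local names.  Anything that pins a real domain to another
    address overrides DNS for that name on this machine and deserves a look."""
    flagged = []
    for ip, name in entries:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, name))  # malformed line, also worth a look
            continue
        if addr.is_loopback or addr.is_link_local:
            continue
        if name in ("localhost", "localhost.localdomain"):
            continue
        flagged.append((ip, name))
    return flagged


# Constructed sample input (not a real capture).
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
nameserver 85.255.112.36
nameserver 8.8.8.8
"""

SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# a DNSChanger-style override: pins a made-up AV update host to an attacker IP
203.0.113.7 update.example-antivirus.com
"""

if __name__ == "__main__":
    rogue = check_resolvers(parse_resolv_conf(SAMPLE_RESOLV_CONF))
    print("rogue resolvers:", rogue or "none")
    overrides = suspicious_hosts_entries(parse_hosts(SAMPLE_HOSTS))
    print("hosts-file overrides:", overrides or "none")
```

On a real machine you would feed it the contents of /etc/resolv.conf (or the DNS servers shown by `ipconfig /all` on Windows) and the system hosts file; remember that the router’s DNS setting is a separate thing to check, since a router pointed at a rogue resolver poisons every PC behind it even when each PC’s own settings look clean.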

2 comments

  1. Yes, the DNS Changer issue is quite real, and a big fail for the antivirus vendors AFAICT.

    BUT — the issue of determining whether something from some large ISP or guv’mint is “trustworthy” can get messy. ISPs don’t want to call every victim because they don’t have the staff to do that. ISPs don’t want every would-be victim calling them because they don’t have the staff to handle that. So, they send emails that encourage you to help yourself without bugging them. Unfortunately, there are email forgeries that look like the real thing, but the links to key web pages are subtly doctored to get you to click on something “bad”. Also, if you have a compromised PC, you won’t always know just how far the bad guys have gone to cover their tracks. So, you want to be slightly skeptical that running any popular “are you infected” test can confirm that it’s NOT compromised (which is the sort of advice emails from ISPs tend to provide). For trust, the best practical thing to do is to call the ISP and don’t let them steer you otherwise.

    Also, while the DNS Changer aspect itself is not THAT big of a deal at the present time, it’s only part of the picture. It just happens to be a part of the picture that ISPs and the FBI actually have a handle on. There’s other crapware that comes “along for the ride” with DNS Changer that can be a really big deal, and may not be obvious to your ISP. Where there’s smoke, there’s fire (and long blog posts). It’s rarely a good idea to panic, but I wouldn’t wait until July to dig deeper and fix.

  2. Agreed. As with any rootkit, if you are infected and you want to be absolutely sure to get rid of it you can back up your data and then re-image your PC (erase the hard drive and re-install the OS and software). Not a light undertaking to be sure, but it pretty much ensures you’ll be clean when you’re done.
