I got an email from an SEB regular about an email they got to check their PC to see if it’s infected that directed them to DCWG.org. She wanted to know if it was legit or a scam. I checked it out and wrote back and I thought the info would be useful for others so here’s her original email followed by my reply:
Subject: dcwg scam
Not hate mail, but a query: Is this dcwg.org computer checking site that the FBI is sending us to legit?
You’re the only computer guy I “know” [and not in the biblical sense!]
And my reply:
I hadn’t heard about it before, but it doesn’t appear to be a scam. Their about page (http://www.dcwg.org/aboutcontact/) says it’s a joint effort between the FBI, Georgia Tech, The Internet Systems Consortium, Mandiant, National Cyber Forensics and Training Alliance, Neustar, Spamhaus, Team Cynmru, Trend Micro, and the University of Alabama at Birmingham. That’s a pretty impressive group and many of them have links back to dcwg.org. They also provide several links to the FBI (http://www.fbi.gov/news/stories/2011/november/malware_110911) and other sources for confirmation, plus there’s a good number of news articles about it (http://www.usatoday.com/tech/news/story/2012-04-20/internet-woes-infected-pcs/54446044/1). On top of that there’s a number of articles about it at various ISP such as Comcast (http://forums.comcast.com/t5/Security-and-Anti-Virus/DNS-Changer-Bot-FAQ/td-p/1215341). The fact that it has pretty good prominence on Google’s search is a good indicator it’s legit as well.
If you were sent a notice from your ISP I’d take it seriously and run a couple of the tests to verify. This is a nasty rootkit that modifies what DNS servers you connect to to resolve domain names (it’s how you get from typing in stupidevilbastard.com to an IP address the computer can understand which for SEB would be 220.127.116.11). The rootkit modifies the hosts file on your PC and can, apparently, even modify some home routers as well (especially if you never changed the default password). One clear sign is if your antivirus software has been disabled, but check the links for more info. It appears it’s the Alureon rootkit which you can read more about at Wikipedia: http://en.wikipedia.org/wiki/Alureon
Don’t panic too much. Even if you are infected and lose connectivity in July your PCs can be fixed. The reason they’re working now is the FBI has seized the rogue DNS servers and replaced them with non-naughty ones, but they’re not going to keep them running forever. When they shut them done in July your PC won’t be able to resolve domain names. It’s not that you’re not connected to the net, just that you’d be limited to typing in IP addresses like the one I gave you for SEB. That bypasses DNS altogether.