[Local-Maine-Schools] Check NOW! Will your computer cease to access the Internet on Thursday?
Dick Atlee
atlee at umd.edu
Wed Mar 7 23:03:35 UTC 2012
Your computer may have been infected with the DNS-Changer malware, in
which case, if you don't do something about it, you'll lose access to
the Internet (and any help fixing the problem) on Thursday, March 8. I'd
put this together to send out several days ago, and got tangled up in
too many things, for which -- if this applies to you -- I apologize.
Last November, the FBI took down a criminal ring in Estonia that for a
long time had control of a LOT of computers around the world. One
visible indication that a computer had been taken over was that the DNS
servers the computer had originally been using had been replaced by DNS
servers the criminals were running.
DNS servers are computers located all over the world that provide the
translation between the URL you type in (e.g., http://nytimes.com), and
the actual numeric Internet address of the NYT server, a numeric address
that is necessary for your computer and the NYT machine to talk to each
other. It is essential that these DNS servers be trustworthy. In the
case of a compromised computer, every time a person using that computer
put in the address of a website (or clicked on a link), the criminal
DNS's would be handling that translation, meaning that, while they
probably left most web addresses untouched, web addresses of financial
institutions and other criminally useful places could be re-routed to
websites that looked like the originals but were under control of the
criminals. And that computer user would probably never notice.
So the FBI captured the criminals and took over their criminal DNS
servers. But if they shut those machines down, everyone who had an
infected machine would lose their ability to use the Internet. So a deal
was made to assign the Internet addresses of those servers to some
legitimate servers. But the deal was for only 3 months, and that ends on
Thursday, March 8, and so will your Internet access if you're infected.
There is a good article on this at
http://www.computerworld.com/s/article/9223941/Half_of_Fortune_500_firms_infected_with_DNS_Changer
But the important part is dealing quickly with your situation. The
instructions for finding out what your DNS settings are (for Windows or
Mac or a home router) are at
http://www.dcwg.org/checkup.html
Once you know what they are, and have written them down, go to
http://www.dcwg.org/checkup2.html
to see the DNS settings that are involved in the criminal activity:
Between this IP...    ... and this IP
77.67.83.1            77.67.83.254
85.255.112.1          85.255.127.254
67.210.0.1            67.210.15.254
93.188.160.1          93.188.167.254
213.109.64.1          213.109.79.254
64.28.176.1           64.28.191.254
The easiest first screening is to look at the first number of your DNS
(the part before the first period) and see if it matches the first
number at the left edge of the table (before the first period) --
64
67
77
85
93
213
If it doesn't match, you're OK.
If it does, and you know how to read such numbers and know how to tell
whether your DNS is between the two DNS values in the table, check to
see if yours is between them. If you don't know how to do this, you can
go to the FBI website's page for checking this and entering your DNS
numbers:
https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS
If your DNS numbers ARE compromised, you should check with whoever
provides your Internet service, to restore the lost "official" numbers.
In the meantime, if you haven't time to do that, you may be able to use
the following temporarily, from my ISP, Time-Warner:
209.18.47.61
209.18.47.62
The important thing is to act NOW. I haven't seen any mention of what
time of day the DNS's will be shut down on Thursday.
Dick
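
The two-step check described in the message (first-number screening, then the "between the two values" test), as an added Python example that is not part of the original post. The ranges are copied from the table above; the function names and the sample addresses in the demo are constructed for illustration.

```python
import ipaddress

# Rogue DNS ranges exactly as listed in the table in the message above.
ROGUE_RANGES = [
    ("77.67.83.1", "77.67.83.254"),
    ("85.255.112.1", "85.255.127.254"),
    ("67.210.0.1", "67.210.15.254"),
    ("93.188.160.1", "93.188.167.254"),
    ("213.109.64.1", "213.109.79.254"),
    ("64.28.176.1", "64.28.191.254"),
]
_PARSED = [(ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)) for lo, hi in ROGUE_RANGES]

def first_octet_screen(dns):
    """Quick screen: does the first number match the first number of any range?"""
    first = int(ipaddress.IPv4Address(dns.strip())) >> 24
    return first in {int(lo) >> 24 for lo, _ in _PARSED}

def matching_range(dns):
    """Return (low, high) of the rogue range containing dns, or None if it is in none."""
    addr = ipaddress.IPv4Address(dns.strip())
    for lo, hi in _PARSED:
        if lo <= addr <= hi:  # addresses compare numerically, octet by octet
            return str(lo), str(hi)
    return None

def check_dns_servers(servers):
    """Classify each configured DNS server address (hypothetical helper)."""
    results = {}
    for s in servers:
        try:
            hit = matching_range(s)
        except ValueError:  # covers ipaddress.AddressValueError
            results[s] = "not a valid IPv4 address"
            continue
        if hit:
            results[s] = f"ROGUE: inside {hit[0]} - {hit[1]}"
        elif first_octet_screen(s):
            results[s] = "first number matches, but outside the rogue ranges"
        else:
            results[s] = "ok"
    return results

if __name__ == "__main__":
    # Constructed sample settings; 209.18.47.61 is the temporary server from the message.
    for server, verdict in check_dns_servers(["85.255.120.0", "64.28.192.5", "209.18.47.61"]).items():
        print(f"{server:15} {verdict}")
```
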