Official Employee
cc_adame
Posts: 320
Registered: ‎09-13-2010

DNS Changer Bot FAQ.

Federal authorities were given permission to extend the operation of the ISC Servers to July 9th, originally March 8th.

 

Q. What is the Alureon/DNS Changer bot?

A. Wikipedia has a great article on this: http://en.wikipedia.org/wiki/Alureon

Basically, it's a bot that hijacks your DNS to redirect your legitimate traffic to fake sites in order to steal your personal information (such as user names, passwords and credit card numbers).

 

Q. I received a notification, why?

A. We saw your modem querying the known bad IP addresses, indicative of this specific malware. You may have received a notice from us as an email, in-browser notice or via the U.S. Postal Service.

 

Q. How do you know I'm infected?

A. The ISC have taken over the bad servers, and replaced them with legit ones. We get data from ISC that tells us which Comcast IP addresses are still using these servers for domain name resolution (DNS). If you were not infected, nothing behind your modem would be using them.

 

Q. Can you tell me which Computer it was?

A. Unfortunately, no. That would require us to do deep packet inspection, which is invasive. To keep your privacy intact, we can only see what your modem did. It's also likely that your router has had its settings changed by the bot. We encourage you to check all devices in your home that use the internet.

 

Q. I have a Mac, can this be affected?

A. Yes. We have seen many Macs infected with this bot already. It's also likely that your router has had its settings changed by the bot. We encourage you to check all devices in your home that use the internet.

 

Q. Are you turning off my service if I can't fix this?

A. No, Comcast will not disable or disconnect your service.  Because of the changes to your internet settings that the bot may have made, your internet service will no longer function unless you change the settings back. This can be done through our one-click fixes or manually… Visit http://xfinity.com/dnsbot to learn how.

 

Q. How can I tell if I'm still infected?

A. You can visit https://amibotted.comcast.net to see if you're still infected with the DNS Changer bot, and others as well. You can also visit http://www.dns-ok.us to see if you're infected with the DNS Changer specifically.

 

Additionally, http://www.dcwg.org/ can help you find more links and information about this specific bot.

 

Q. Was the FBI involved?

A. Yes. The FBI was a key player in the takedown of this botnet. You can read more about Operation Ghost Click on the FBI website here: http://www.fbi.gov/news/stories/2011/november/malware_110911

 

As always, feedback is appreciated. 

--
Adam
Comcast National Engineering
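
The detection described in "How do you know I'm infected?", sketched as an added example that is not part of the original post and is not Comcast's or ISC's tooling: queries arriving at the replacement servers are grouped by subscriber IP address. The log format, function names and address ranges are assumptions; the ranges are RFC 5737 documentation placeholders, not real indicators.

```python
import ipaddress

# Constructed placeholders (RFC 5737 documentation ranges), not real indicators.
ROGUE_RESOLVER_NETS = [ipaddress.ip_network("192.0.2.0/24")]
ISP_CUSTOMER_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample log, assumed format:
# "<UTC timestamp> <source IP> <resolver IP queried> <query name>"
SAMPLE_LOG = """\
2012-04-01T10:00:01Z 198.51.100.7 192.0.2.10 example.com
2012-04-01T10:00:05Z 198.51.100.7 192.0.2.10 example.org
2012-04-01T10:02:00Z 203.0.113.9 192.0.2.11 example.net
2012-04-01T11:30:00Z 198.51.100.42 192.0.2.10 example.com
malformed line
2012-04-01T12:00:00Z 198.51.100.7 192.0.2.200 example.com
2012-04-01T12:05:00Z 198.51.100.8 198.51.100.1 example.com
"""

def in_any(ip, nets):
    return any(ip in net for net in nets)

def subscribers_using_rogue_dns(log_text):
    """Map each subscriber IP to its query count and first/last time seen."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        ts, src, resolver, _qname = parts
        try:
            src_ip = ipaddress.ip_address(src)
            res_ip = ipaddress.ip_address(resolver)
        except ValueError:
            continue
        # Only queries sent to a formerly rogue resolver by one of our subscribers count.
        if not in_any(res_ip, ROGUE_RESOLVER_NETS) or not in_any(src_ip, ISP_CUSTOMER_NETS):
            continue
        rec = hits.setdefault(src, {"queries": 0, "first": ts, "last": ts})
        rec["queries"] += 1
        rec["first"] = min(rec["first"], ts)  # same-format UTC stamps sort as text
        rec["last"] = max(rec["last"], ts)
    return hits

if __name__ == "__main__":
    for ip, rec in sorted(subscribers_using_rogue_dns(SAMPLE_LOG).items()):
        print(ip, rec)
```

The key is the modem's public address, so every device behind one home router collapses into a single entry, which is why the notice cannot name the infected computer.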
Official Employee
jlivingood
Posts: 1,095
Registered: ‎05-09-2007

Re: DNS Changer Bot FAQ.

A good article on DNS Changer, from an insider's perspective, is at http://www.circleid.com/posts/20120327_dns_changer/ 

JL
National Engineering & Technical Operations
Official Employee
Mike_OR
Posts: 25
Registered: ‎12-15-2010

Re: DNS Changer Bot FAQ.

There is a great site that has been put up by the DNS Changer Working Group, DCWG. It has a whole lot of resources around DNS Changer such as tools to remove it from a wide range of vendors, some interesting links to some cool sites with information on the latest issues, and a running total of infected machines. Also, if you want to file a complaint with the FBI if you were infected, you can contact them to tell them you were infected. The more people that register that they were infected will help the FBI to make an even stronger case.

 

The web site is at: http://www.dcwg.org