Jul 07

DNS Changer Malware. Make sure you don’t lose internet access on July 9th 2012.

The DNSChanger Malware was a Trojan Virus that infected millions of computers from 2007 until 2011. Once the malware infected a computer, it changed the computer’s DNS configuration to point to some rogue DNS Servers. The rogue servers redirected certain websites to advertisers, injected advertisements on most websites, and, among other things, blocked access to antivirus software websites or sites that helped with the disinfection of the computer.

Last year, in November 2011, the FBI seized these rogue DNS servers. The FBI was concerned that millions of people would lose internet access if they just shut down these servers. So they obtained a court order allowing them to contract with the Internet Systems Consortium to install some interim servers that could handle DNS requests from infected computers.

The FBI intends to bring these temporary DNS servers offline on July 9th 2012. This means that any computers still infected with the DNS Changer Malware will not be able to reach a DNS Server to resolve names, and thus will not be able to reach any websites. More information can be found on this FBI.Gov page.

To detect if your computer has been infected with the DNS Changer Malware see the information on the following Link.

Alternatively you can visit the following site http://www.dns-ok.us/
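The check those sites perform boils down to comparing the resolvers a machine is configured to use against the rogue address ranges published by the FBI and DCWG. The script below is an added example (not from the original post or from dcwg.org) that does the same thing offline: it pulls the DNS servers out of `ipconfig /all` output and flags any that fall inside a known-bad range. The two networks listed are constructed placeholders (reserved TEST-NET ranges); substitute the real ranges from the DCWG page before using it, and the sample `ipconfig` text is constructed as well.

```python
import ipaddress
import re

# PLACEHOLDER ranges standing in for the rogue resolver networks published
# by the FBI/DCWG (constructed; TEST-NET-2/3 are never legitimate resolvers).
ROGUE_NETWORKS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Constructed sample of the adapter section printed by `ipconfig /all`.
SAMPLE_IPCONFIG = """
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 198.51.100.7
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

def extract_dns_servers(ipconfig_text):
    """Return the DNS servers listed in `ipconfig /all` output.

    The first server follows the 'DNS Servers' label; further servers appear
    on continuation lines that hold nothing but an address.
    """
    servers = []
    in_dns_block = False
    for line in ipconfig_text.splitlines():
        if line.lstrip().startswith("DNS Servers"):
            in_dns_block = True
            value = line.split(":", 1)[1].strip()
        elif in_dns_block and re.fullmatch(r"\s+\d{1,3}(\.\d{1,3}){3}\s*", line):
            value = line.strip()
        else:
            in_dns_block = False
            continue
        try:
            servers.append(ipaddress.ip_address(value))
        except ValueError:
            in_dns_block = False  # malformed value ends the DNS block
    return servers

def flag_rogue_resolvers(servers, rogue_networks=ROGUE_NETWORKS):
    """Return the configured resolvers that sit inside a known-rogue range."""
    return [str(s) for s in servers if any(s in net for net in rogue_networks)]

if __name__ == "__main__":
    found = extract_dns_servers(SAMPLE_IPCONFIG)
    print("configured resolvers:", [str(s) for s in found])
    print("resolvers in rogue ranges:", flag_rogue_resolvers(found))
```

On a live Windows machine, feed it the saved output of `ipconfig /all` instead of the sample text; a non-empty result means the machine is still pointed at the rogue servers.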

If you think you are infected, the information on the following link will help you clean your computer http://www.dcwg.org/fix/

What’s worked for me in the past is a combination of Kaspersky’s TDSSKiller and Malwarebytes. If you are infected, you probably won’t be able to download the tools. So you may need to get those tools using a computer that isn’t infected. Once you get the tools, boot into safe mode and run TDSSKiller. Once the computer restarts run Malwarebytes.

If you encounter problems or need help removing the infection, let me know, and I may be able to help.

Until next time.


Mar 09

New Vodafone HTC Magic phone contains malware – Mariposa botnet and Conficker.

It is interesting how many reputable companies these days are providing malware-infected devices or software to their customers. They need to have a serious talk with whoever is in charge of doing QA at these places.

Vodafone now joins the list of vendors who provide malware free of charge to their customers. A Panda Labs Gal apparently received a new phone with malware installed in it. You can read more about it in the Panda Research Blog.

This just shows what I’ve been telling my customers all this time isn’t just me being paranoid. I always tell them that the first line of defense against computer attacks is them. I tell them to trust no one, not even their grandma, on the internet – ask questions first and click later.

Mar 06

Blue Screen of Death after installing Microsoft update.

This past February, before I put this blog online, I had an issue with some of my customers’ computers. Some of my customers called me asking for help because their computers wouldn’t load. They said their computers kept rebooting. I know it’s been almost a month now, but I think this issue deserves a post in this blog.

After troubleshooting the issue I traced the source of the problem to a Microsoft update. More specifically to update KB977165/MS10-015. As soon as I removed this update the computer was able to load Windows perfectly fine.

This was odd though. Other computers where the same update was installed didn’t have this issue. This indicated that the problem was caused by something else – not the Microsoft Update. I scanned the computer for viruses and found nothing. I re-installed the update and the computer entered the boot loop once again. After some more troubleshooting I traced the cause of the stop error to the file System32\drivers\atapi.sys. There was a problem with this file. It had to be infected. I uploaded the file to virustotal.com, and the results came back clean in all but one of the scans. It just said that it was probably infected with a rootkit, but it wouldn’t give me more information.

This made sense. Rootkits are designed to hide themselves or other malware from antivirus applications. This is probably why the anti-virus scan I ran didn’t catch anything.

I decided to take a different approach, and I took the hard drive out of the computer. I connected the hard drive to another computer and scanned it using an up-to-date anti-virus (Kaspersky). The scan found several items and cleaned them successfully. One of the infected files was atapi.sys. After this, I installed the update and the computer didn’t reboot again.

So there you have it. The problem was caused by an infection on the PC.

My suspicions were later confirmed by Microsoft. They apparently took some customers’ computers with them to check them and found the source of the problem. They state on their security response blog that the problem was caused by the Alureon rootkit.

They state on their blog:

the presence of Alureon does not allow for a successful boot of the compromised system. The Windows Engineering team continued testing different configurations, as well as retesting several third party applications, leading to our firm conclusion that the blue screen issue is the result of the Alureon rootkit.

So there you have it. They later released a version of the update that does not install if it detects the system is in a state that will cause it to enter this reboot loop.

If you are a victim of this problem, make sure your computer is free from infection. Microsoft recommends re-installing your operating system if you cannot get rid of the infection.

I don’t think this is necessary. If you are in the Phoenix Arizona area and need assistance with this issue, you can contact us and we will gladly help you.