TDSS itself is tough to remove, Kaspersky has noted, and so is DNSChanger. The FBI is providing detailed information (PDF) to help users and organizations determine if their systems are infected. The process entails checking the DNS server settings on your computers, as well as those on your wireless access points or routers.
If your computer is configured to use one or more of the following rogue DNS servers, it may be infected with DNSChanger:
- 220.127.116.11 through 18.104.22.168
- 22.214.171.124 through 126.96.36.199
- 188.8.131.52 through 184.108.40.206
- 220.127.116.11 through 18.104.22.168
- 22.214.171.124 through 126.96.36.199
- 188.8.131.52 through 184.108.40.206
As law-enforcement agencies, IT admins, end-users, and victims of the alleged click-fraud operation work to clean up the mess, the folks at the Spamhaus Project are arguing that the world's ISPs could have done something to help identify and protect the affected users on their networks. "How would ISPs do this? By monitoring simple traffic patterns on their network, or if not that, by just blocking network traffic from their users to the known cyber criminal controlled areas of the Internet," wrote Spamhaus's Quentin Jenkins.
When DNS requests flow through an ISP's network before being routed onto the Internet, ISPs have an array of options as to what they can do with the traffic, Jenkins wrote. That includes logging, blocking, or rerouting of basic Internet protocols like DNS. ISPs could have used DROP-list (Don't Route Or Peer List), an index of cyber-criminal-controlled areas of the Internet, as a reference for blocking rogue DNS access or to log attempts and alert users to potential malware problems. Security pros at Spamhaus, Trend Micro, and elsewhere had started adding IP address ranges controlled by Rove Digital to DROP-list some years ago, according to Jenkins.
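The logging option Jenkins describes can be sketched as follows. This is an added example, not code from Spamhaus or the article: it assumes a DROP-style text list ("CIDR ; reference" per line, with ";" starting a comment) and a hypothetical five-field flow-record format, and all addresses are constructed from documentation ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed DROP-style list; networks are RFC 5737 documentation ranges, not real listings.
SAMPLE_DROP = """\
; constructed sample, not real DROP data
192.0.2.0/24 ; SBL-PLACEHOLDER-1
198.51.100.0/25 ; SBL-PLACEHOLDER-2
"""

# Constructed flow records (assumed format): time, subscriber IP, dest IP, dest port, protocol
SAMPLE_FLOWS = """\
2011-11-10T08:00:01Z 10.0.0.5 192.0.2.53 53 udp
2011-11-10T08:00:02Z 10.0.0.6 203.0.113.9 53 udp
2011-11-10T08:00:03Z 10.0.0.5 198.51.100.20 53 tcp
2011-11-10T08:00:04Z 10.0.0.7 192.0.2.80 80 tcp
2011-11-10T08:00:05Z 10.0.0.8 198.51.100.200 53 udp
malformed line
"""

def parse_drop(text):
    """Return the networks listed in DROP-style text, skipping comments."""
    nets = []
    for line in text.splitlines():
        entry = line.split(";", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def rogue_dns_clients(flow_text, nets):
    """Map subscriber IP -> sorted listed resolvers it sent DNS traffic to."""
    hits = defaultdict(set)
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records
        _, src, dst, port, _ = fields
        if port != "53":
            continue  # only DNS traffic matters for spotting rogue resolvers
        try:
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            continue
        if any(dst_ip in net for net in nets):
            hits[src].add(dst)
    return {src: sorted(dsts) for src, dsts in hits.items()}

if __name__ == "__main__":
    print(rogue_dns_clients(SAMPLE_FLOWS, parse_drop(SAMPLE_DROP)))
```

The returned mapping is the list of subscribers an ISP could notify; the same match could instead drive a block or reroute rule.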
InfoWorld Security Adviser blogger Roger A. Grimes agreed with Jenkins's assessment. "For more than a decade, we've all known how to detect malicious patterns at the ISP level, but most ISPs (especially the foreign ones) literally don't care. Most of the others are worried about the legal liability of accidentally cutting off someone innocent (which is a very real risk)," he said.
That trend is finally changing, however. "Some ISPs are -- finally -- reacting and doing things. Comcast will detect bots on your computer, intercept your Internet browser traffic, and insert a warning into your browser," he said.
This story, "ISPs could have stopped massive click-fraud operation," was originally published at InfoWorld.com.