Bits from Bill

Technology thoughts leaking from the brain of "Bill Pytlovany"

Wednesday, May 02, 2012

FBI Has Good Guys but Your Time is Limited

There have been a number of articles about what we all call the DNS Changer infection. PC World recently estimated 350,000 systems are still affected and on July 9th will no longer have internet access. It’s rare that we credit government agencies for doing good, and few authors have given our Justice Department credit for how they handled this malware. If not for a decision by this agency, millions of infected computers would have suddenly lost their internet last year with no warning.
 

Last year the FBI went after a criminal group that had infected computers around the world, leaving what’s typically called a “bot”. The virus creating the bot gave multiple criminal groups complete control over the infected computers. One of the many changes they made was to the computer’s “DNS lookup address”. This is the location your browser goes to first to find the numeric address of a website. When you type in “www.WinPatrol.com”, a legitimate DNS server will direct your browser to my server address, 161.58.14.137. The default setting will take you to a DNS lookup server managed by the company that provides you with Internet access.

If you were infected by the DNS Changer last year, your browser would often redirect you to fake websites. These websites may just contain advertising or be duplicates of the original, set up so they can steal your password or credit card data. In many cases, the sites encouraged you to download software that would not only steal additional information but would often require you to pay a fee to have it removed. Instead of downloading WinPatrol like you expected, you’d get what we called ExtortionWare or ScareWare. Even if you paid the extortion they wouldn’t help and you’d find important documents still encrypted.

 

When the FBI found and arrested the criminals behind this fraud they could have just shut down their entire operation. If they had, anyone infected would have lost their Internet immediately. Their browser wouldn’t be able to look up the numeric addresses required to find websites. Instead, the Justice Department received permission from the courts to set up replacement servers using the same addresses previously registered to the criminals, but providing legitimate DNS addresses. The infected computers never noticed the change and even now may have no obvious indication they were infected. Unfortunately, the court order expires on July 9th, 2012 and the replacement DNS servers will go dark.


Many engineers, including some smart people at Microsoft, have tried to create software solutions. In theory, like the criminals, the FBI could just take control of the infected machines and change the DNS setting back to a default value. Aside from the legal restrictions on doing this, the danger of causing damage to the infected computer is greater than you might think. Not only does the false DNS address need to be removed, but the bot software needs to be removed as well. Changes made by the original virus may vary on each machine, and without removing the remote control software, other criminals could just find and take control of these machines.

Solution 1
The FBI has created an advisory page which contains plenty of information although it may not be great for non-technical folks. It provides a solution that will keep you on the Internet but doesn’t address other possible infections. It may however give you a clue if you were a victim of this virus.  Click for FBI PDF file

Solution 2
There is an alternate DNS service which I’ve recommended in the past. They have a free version with instructions that may be a little better than the FBI document. The service is called OpenDNS.

[Screenshot: Windows network adapter properties showing the DNS server address settings]

Windows Example: Under the Properties of your network adapter you’ll find a path to a screen like this that stores your DNS server address. The default setting would be “Obtain DNS server address automatically”. In the example above, I have changed the DNS server address to point at an address used by the service OpenDNS. So instead of my browser going to FIOS to look up websites, my machine goes directly to servers managed by OpenDNS.

A machine which has been infected by a DNS Changer virus would also have a set of alternate DNS server addresses. A list of numbers currently managed by the FBI can be found in their PDF file available above. If you find a match then you’ll want to clean up your computer, but first check the circle that says “Obtain DNS server address automatically”.
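
The comparison described above can also be scripted. The following is an added example, not code from the original post or from the FBI advisory: it parses English-language `ipconfig /all` output and reports every DNS server that falls inside a list of ranges. The ranges in it are placeholders from documentation address space and the sample output is constructed, so substitute the ranges listed in the FBI PDF.

```python
import ipaddress
import re

# PLACEHOLDERS (RFC 5737 documentation space): put the FBI PDF's ranges here.
ROGUE_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]
# Constructed, condensed sample of `ipconfig /all` output (not from a real machine).
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   DNS Servers . . . . . . . . . . . : 192.0.2.53
                                       198.51.100.200
   NetBIOS over Tcpip. . . . . . . . : Enabled
Wireless LAN adapter Wi-Fi:
   DNS Servers . . . . . . . . . . . : 208.67.222.222
                                       198.51.100.7
"""
ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")
DNS_RE = re.compile(r"^\s+DNS Servers[ .]*:\s*(\S+)\s*$")
CONT_RE = re.compile(r"^\s+([0-9A-Fa-f:.%]+)\s*$")  # wrapped line: a bare address

def dns_servers_by_adapter(text):
    """Map each adapter that lists DNS servers to those server strings."""
    result, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        if m := ADAPTER_RE.match(line):
            adapter, in_dns = m.group(1), False
        elif adapter and (m := DNS_RE.match(line)):
            result.setdefault(adapter, []).append(m.group(1))
            in_dns = True
        elif in_dns and (m := CONT_RE.match(line)):
            result[adapter].append(m.group(1))  # second and later servers
        else:
            in_dns = False  # any other line ends the DNS server list
    return result

def find_rogue_dns(text, ranges=ROGUE_RANGES):
    """Return (adapter, address) pairs whose DNS server is in a listed range."""
    hits = []
    for adapter, servers in dns_servers_by_adapter(text).items():
        for s in servers:
            try:
                addr = ipaddress.ip_address(s.split("%")[0])  # drop IPv6 zone id
            except ValueError:
                continue  # not an address; skip it
            if any(addr in net for net in ranges):
                hits.append((adapter, str(addr)))
    return hits

if __name__ == "__main__":
    print(find_rogue_dns(SAMPLE_IPCONFIG))
```

A hit only shows that the DNS setting was changed; as the post explains, the bot software itself still has to be removed.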

Solution 3
The FBI and I both recommend running a good, updated Anti-Virus Scanner to examine your computer. This week I recommend checking out the Microsoft Safety & Security site and downloading the new Microsoft Security Essentials. Microsoft also provides a great tool called Windows Defender Offline that creates a boot repair CD/DVD. This is something I recommend you have available even if you’re not a victim of DNS Changer.

 

Ultimately, I am pleased to see that the Department of Justice does have some bright folks on staff.  I understand it’s not their responsibility to maintain these servers forever and I’m happy to do my part to educate users before the July 9th deadline.

 

Additional Resources:
PC World: Why Your Internet May Disappear This Summer 4/23/2012

ARS Technica: DoJ, FBI set up command-and-control servers  4/2011

The Telegraph: ‘Internet Doomsday’ July 9 Claims FBI  4/25/2012

DNS Changer Working Group ( More articles and cleanup tools )

Microsoft Windows Defender Offline (Free Download tool )

Be Windows 7 Ready for FREE with WinPatrol 2010


Monday, April 23, 2012

Thank You & Welcome New WinPatrol PLUS members

Last week I did something I swore I’d never do again. As an experiment we made a single computer license of WinPatrol PLUS available for 99 cents. This is commonly the price you pay for apps on your phone so I wanted to find out how expectations of price have changed.

The last time I tried this experiment the number of upgrades was more than expected and our ability to handle the rush of new members wasn’t adequate. This time was a little better although I am still spending the week making sure everyone received their code and answers to questions.

The Emails I received have been some of the most positive I’ve read. We apparently have had a lot of loyal users of WinPatrol FREE Edition who welcomed this great opportunity. I also heard from a number of new fans who had never heard of WinPatrol and wondered why they missed such a useful tool. There were a few over excited fans who didn’t understand that each 99 cent purchase generated a single code which I tried to make clear in the original offer description. Everyone agreed this was a great deal and many took advantage of the discounted Family Pack license.

One of the good and bad changes in this experiment was the use of alternate download sites.  To reduce the stress on WinPatrol.com I pointed our downloads to trustworthy download sites which had our current setup program. While it helped reduce the problems of our last experiment, these download sites can be confusing and some might say deceptive. If you’re not careful it’s easy to download one of their paid advertisers instead of the program you want. The sites I chose were some of the easier to use.

Special thanks to everyone who spread the news of the sale. Our biggest rush resulted from an article by CNet’s “The Cheapskate” Rick Broida who wrote, “it gives Windows tinkerers a robust set of tinker-tools, yet has a footprint of less than 1MB. Also, creator Bill Pytlovany comes across as just a regular guy who wrote a program, not some faceless developer.”  Thanks Rick. I should explain that our “goofy, Windows 95-era interface” is designed not only for performance but mostly to support accessibility devices like screen readers.  I am guilty and not proud of the “Internet 1.0-era Web site” because we don’t have the revenue of even rogue software developers who can afford to hire real web designers.

Thank you to all our 7000+ new WinPatrol PLUS users. It seems 99 cents is a price people accept. I hope WinPatrol exceeds your expectations and Scotty takes good care of you.  If you’re happy and you know it, feel free to tell your friends.



Monday, April 16, 2012

WinPatrol PLUS Super 99 Cent Experiment II

In January 2010 I tried an experiment and swore I’d never do it again. Since that time the price of software has continued to fluctuate and I’ve been convinced to try The Great 99 Cent Software Experiment of 2010 again. Since Tuesday is tax day in the USA, I thought this would be an ideal time to give everyone a break. At the same time we’ll see if buying habits have been affected by smart phone software prices.

As in the past, this will be a limited time only “experiment” starting at Noon EST on Monday, April 16th 2012 and will end Noon EST on Wednesday April 18th, 2012.

Update: At the request of friends who didn’t get a chance to notify their readers in time, and system slow downs on Tuesday, our sale has been extended until Thursday, April 19th, 2012 at Noon EST.

Like our current $29.95 plan, the 99¢ license will be good for life and all future versions of WinPatrol. Like sales in the Apple App Store or Droid Market however, this license is only valid for a single computer. Each 99 cent purchase is a license for one computer. Sound fair enough?  Non-commercial users may make multiple purchases but at the completion of your order you will receive a single PLUS code for all “your” personal computers.

Not for commercial use or resale.

If you’ve been planning on someday upgrading to WinPatrol PLUS, this is the time to do it. Even illegal keygen sites can’t compete with this deal. Just go to www.WinPatrol.com and you may be a part of history again.

Contact Support@winpatrol.com for questions or confirmation this is real. Also let us know if you do not receive your PLUS code due to higher than expected site traffic.  Depending on Email volume my response may not be as quick as usual but I’ll get to you.

To all our fans who paid $29.95 I hope you’ll understand that this is just a crazy experiment and does not diminish the value of WinPatrol PLUS or how much I appreciate all your past support.  If you’ve forgotten why WinPatrol fans are so loyal see "Top Ten Reasons to Try WinPatrol Again".

New F.A.Q.
Can I use my 99¢ WinPatrol PLUS on multiple computers?
This experiment is meant to compare a software purchase to those purchases from the Apple App Store or Droid Market. Unlike our $29.95 license, this purchase is good for one computer at a time. The cost of the Family Pack license has also been reduced to $9.99 and will allow you to create a single family PLUS code.

I heard a new WinPatrol version is coming soon. Will I have to pay again for this version?
No way. The PLUS activation you purchase for 99¢ will work with all future versions.

Can I purchase 100 copies?
Yes, but only for your own use.  You must be a home user and you’ll still receive a single PLUS code for all your computers.

Do I need to download anything in advance?
If you already have the free version of WinPatrol no additional download is required. If you don’t have WinPatrol you can download and become familiar with WinPatrol at http://www.winpatrol.com/download.html. I’ve included some alternate download sites to prevent traffic jams on WinPatrol.com. Using your PLUS code will activate the premium features hidden in the free version.



Sunday, April 08, 2012

Time to Protect Your Macintosh Computer

Over the years I’ve attended a number of conferences and panels on what originally was called Spyware and Adware. I think we’ve finally settled on using the term Malware for any kind of spyware, virus, Trojan horse or any kind of unwanted computer invasion. I fondly remember my first conference in Washington DC which included panel discussions like “What is Spyware”.


Manessa Mithal, Acting Director, International Division of the FTC; Chris Boyd (Paperghost), Facetime, vitalsecurity.org; Katherine Tassi, Washington State AG; Luis Villa, Berkman Center for Internet and Society, Harvard University, StopBadware.org
Anti-Spyware Coalition 2006 - Tracking Spyware Across Borders

I will also never forget Jeff Fox, who at the time introduced himself as an editor from Consumer Reports magazine. Jeff insisted the Macintosh was “less hospitable” to spyware. It had nothing to do with the Mac’s 1.5% market share, Jeff implied; Apple created their OS with fewer vulnerabilities. Ed Skoudis from SANS Institute countered, noting that “OS10 has had a number of significant security flaws” and that they’re not as widely publicized because they don’t impact as many people.

Since that time Apple has greatly increased their visibility. Some estimates put the Macintosh market share above 14%. While many malware authors are targeting the iPhone and iPad, it appears someone has created a Trojan Horse that has spread to over 600,000 Macs, including hundreds of machines that report their address as coming from Apple headquarters in Cupertino.

If you own a Macintosh computer there’s a chance you’ve been infected even if you run some kind of Anti-Virus software. If you’ve been on a website that offered to update your Flash player, there’s an even better chance you’re one of the 600,000+.

Apple has provided an update with instructions (click here). The so-called OSX/Flashback Trojan uses a flaw in Oracle’s Java. Both Apple and PC users that depend on Java should be sure they have the newest version available. PC users who use Java, click here. Macintosh users should update their software at http://support.apple.com/kb/HT1222 as soon as possible.

Special thanks to our friends at F-Secure labs for their research and Kaspersky Labs who reverse engineered Flashback and were able to verify the number of infected machines by setting up their own bot honey pot based on the Flashback code.  Read more here.

It used to be once a month someone would ask if there is a version of WinPatrol for the Mac.  Lately it’s been 2-3 times a week. I was able to secure the domains LinPatrol.com and DroidPatrol.com but MacPatrol was taken by the time I tried to register it.

Read More Info including technical details below:

Mac Flashback Trojan Affecting Thousands: Apple Issues Fix
Huffington Post

Mac Flashback Trojan: Find Out If You’re One of the 600,000 Infected
Gizmodo

Has Flashback malware made you consider installing antivirus on your Mac?
ZDNet - Adrian Kingsley-Hughes

New Mac malware epidemic exploits weaknesses in Apple ecosystem
ZDNet – Ed Bott   (Special thanks for correcting my error)


Doctor Web exposes 550 000 strong Mac botnet
Doctor Web—the Russian anti-virus vendor
