Taking Down DNSChanger: A First Person Account

Unknown Lamer posted more than 2 years ago | from the vixie-with-a-vengeance dept.

penciling_in writes "Paul Vixie shares his personal account of the DNSChanger takedown operation, working with the FBI and a worldwide team. He also explains the delay issues in identifying and notifying victims, which resulted in the FBI asking the judge for an extension. They were given four more months. 'On July 9 2012 the replacement DNS servers operated by ISC will be shut down and any victims who still depend on these servers will face new risks,' he warns. A half-dozen national Internet security teams around the world have created special websites that will display a warning message to potential victims of the DNS Changer infection. The full list of these 'DNS Checking' websites is published by the DNS Changer Working Group."

46 comments

dcwg.org (2)

vlm (69642) | more than 2 years ago | (#39497937)

Probably the most interesting side of "just another windows virus" story for non-windows users, is that 4-letter-acronym domains are available.
I heard all the TLAs have been domain squatted since the mid 90s... I was honestly surprised it's possible to obtain a FLA domain (four letter acronym), or at least it was possible for these guys for this one domain...

Re:dcwg.org (0)

Anonymous Coward | more than 2 years ago | (#39498001)

Probably the most interesting side of "just another windows virus" story for non-windows users, is that 4-letter-acronym domains are available.
I heard all the TLAs have been domain squatted since the mid 90s... I was honestly surprised it's possible to obtain a FLA domain (four letter acronym), or at least it was possible for these guys for this one domain...

It is dot org. Who cares about dot orgs? Squatters are more interested in dot com.

Re:dcwg.org (4, Funny)

Zocalo (252965) | more than 2 years ago | (#39498121)

It is dot org. Who cares about dot orgs? Squatters are more interested in dot com.

Damn straight. That's some nice digs Kim has out there in New Zealand... Be a shame if he were sent down for a few years and a bunch of squatters moved in.

Re:dcwg.org (1)

Aaron B Lingwood (1288412) | more than 2 years ago | (#39508573)

Who cares about dot orgs?

I have it on good authority from an SEO that links from dot orgs are weighted much more heavily by Google's ranking algorithm. In fact, I get free domain registration, hosting and admin for a few .org.au domains in exchange for a couple of (slightly relevant) links.

Re:dcwg.org (3, Informative)

b0bby (201198) | more than 2 years ago | (#39498715)

I bought one a year or so ago on ebay; cost me $25. Not really "available" in the sense that you could register it through any registrar, but available in that I could easily get it. There are lots of them on ebay all the time, they seem to start at $25 for a .com.

Re:dcwg.org (2)

lothos (10657) | more than 2 years ago | (#39499909)

All of the 4 letter .com domains have been registered. They expire and drop sometimes, and people grab them from places like SnapNames and NameJet. There's also an aftermarket where you can find the less desirable combinations for about $25-$100.

There are plenty of 4 letter .net and .org domains that aren't registered yet, and they can be had for the price of registration at your favorite registrar.

Re:dcwg.org (0)

Anonymous Coward | more than 2 years ago | (#39503461)

Don't you mean FFLA (F-Four Letter Acronym)?

Re:dcwg.org (0)

Anonymous Coward | more than 2 years ago | (#39506717)

I bought q3k.org two or so years ago from a regular registrar - although that might be because it's alphanumeric, not letter-only.

Why doesn't Google check for this? (2)

brunes69 (86786) | more than 2 years ago | (#39497945)

It seems like Google would be in a position to quickly nip problems like this in the bud. If they implemented whatever checks these systems are doing on their search result page, 99% of those infected would know about it.

Re:Why doesn't Google check for this? (2)

characterZer0 (138196) | more than 2 years ago | (#39498113)

How many of the infected Windows users are using Bing because it is the IE default?

Re:Why doesn't Google check for this? (0)

Anonymous Coward | more than 2 years ago | (#39500671)

you are a moron. think before you type.

Re:Why doesn't Google check for this? (2)

WrongSizeGlass (838941) | more than 2 years ago | (#39498369)

It seems like Google would be in a position to quickly nip problems like this in the bud.

I'm sure they are in a position to perform this type of check, but is it their place to do so?

If they did it on their own we'd be up in arms about Google inspecting everything too deeply. If they don't do it we want to know why. It's a no win situation, but it's better for them to be persuaded to perform the task rather than jumping in with both feet and enduring the choir of complainants.

Re:Why doesn't Google check for this? (0)

Anonymous Coward | more than 2 years ago | (#39498857)

If they implemented whatever the checks these systems are doing...

Are you talking about the browser-based test, where you go to www.dns-ok.us and it tells you if you're infected? The website isn't checking for anything. If your system is using DNSChanger servers, you get sent to a different website (more accurately, you get a different IP back from DNS). Observe:

Normal DNS Server:
# dig @4.2.2.1 dns-ok.us
[...]
dns-ok.us. 43200 IN A 38.68.193.96

DNSChanger DNS Server:
# dig @77.67.83.254 dns-ok.us
[...]
dns-ok.us. 30 IN A 38.68.193.97

There's nothing for Google to test. By the time they get your traffic, the DNS query is done.
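As an added example (not from the comment above and not code from the DNS Changer Working Group), here is the logic of the dns-ok.us check carried out in DNS wire format with Python: build the A query, parse the response, and classify the host by which of the two addresses from the dig output above comes back. The responses are constructed inline with an assumed `build_response` helper, so nothing is sent over the network; the `unexpected` and `no-answer` labels are assumptions as well.

```python
"""Classify a dns-ok.us A answer the way the check in the comment above works."""
import struct

DNS_OK_DOMAIN = "dns-ok.us"
CLEAN_ADDRESS = "38.68.193.96"     # returned by a normal resolver (dig output above)
INFECTED_ADDRESS = "38.68.193.97"  # returned by a DNSChanger resolver (dig output above)


def build_query(name, txid=0x1234):
    """Build a recursive A/IN query for `name` in DNS wire format (RFC 1035)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset just after it)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2  # the caller resumes right after the pointer
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode())
        offset += length
    return ".".join(labels), end


def parse_a_answers(msg):
    """Return [(name, ttl, dotted_ipv4), ...] for A records in the answer section."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:  # non-zero RCODE (SERVFAIL, NXDOMAIN, ...): no usable answer
        return []
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        name, offset = _read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, IN class
            records.append((name, ttl, ".".join(str(b) for b in rdata)))
    return records


def classify(msg):
    """Map the answer for dns-ok.us to a verdict; labels are this example's own."""
    for name, _ttl, ip in parse_a_answers(msg):
        if name != DNS_OK_DOMAIN:
            continue
        if ip == CLEAN_ADDRESS:
            return "clean"
        if ip == INFECTED_ADDRESS:
            return "infected"
        return "unexpected"
    return "no-answer"


def build_response(query, ip, ttl, rcode=0):
    """Constructed sample response (assumed helper): echo the question and add one
    A record whose name is a compression pointer to the question name at offset 12."""
    txid = query[:2]
    question = query[12:]
    header = txid + struct.pack("!HHHHH", 0x8180 | (rcode & 0xF), 1, 1, 0, 0)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + answer


if __name__ == "__main__":
    q = build_query(DNS_OK_DOMAIN)
    for addr, ttl in ((CLEAN_ADDRESS, 43200), (INFECTED_ADDRESS, 30)):
        print(addr, ttl, "->", classify(build_response(q, addr, ttl)))
```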

Re:Why doesn't Google check for this? (1)

Anthony Mouse (1927662) | more than 2 years ago | (#39499241)

There's nothing for Google to test. By the time they get your traffic, the DNS query is done.

Why do you imagine they couldn't arrange the same result? Create a real DNS record for something like dns-ok.google.com pointed to a Google server with a no-op piece of javascript called test.js on it, then include "dns-ok.google.com/test.js" on google.com. Then they could call up the people who currently control the DNS changer server and tell them to add a record for dns-ok.google.com and point it to a different Google server where that piece of javascript causes the user to see a message that their computer is infected and provides instructions on how to fix it.

Couldn't get past the picture of the unibrow (-1)

Nyder (754090) | more than 2 years ago | (#39497975)

I tried to read the article, but the picture of the writer, with his unibrow just stopped me cold.

It's bad enough people try to use the big ass gap between their teeth as some sort of fashion, but unibrows? Please, that is not fashion, that is being straight up lazy.

Re:Couldn't get past the picture of the unibrow (1)

Sez Zero (586611) | more than 2 years ago | (#39498055)

I don't care about the unibrow, but I have to admit I thought Paul Vixie would look more dashing.

I'm not sure why, but I pictured him as a cross between Indiana Jones, Flash Gordon and Dilbert.

Re:Couldn't get past the picture of the unibrow (1)

jgrahn (181062) | more than 2 years ago | (#39501493)

I don't care about the unibrow, but I have to admit I thought Paul Vixie would look more dashing.

I'm not sure why, but I pictured him as a cross between Indiana Jones, Flash Gordon and Dilbert.

I pictured him as dark, handsome, but boyish. With rather long, black, curly hair. Funny how we make our own portraits of programmers, as if they were characters in a novel.

Re:Couldn't get past the picture of the unibrow (0)

Anonymous Coward | more than 2 years ago | (#39498949)

You're complaining about a tech writer's unibrow?

This [trendhunter.com] is way worse.

Re:Couldn't get past the picture of the unibrow (1)

Xtifr (1323) | more than 2 years ago | (#39499353)

The original author [wikipedia.org] of cron and bind is a "tech writer"? The man who claims to hold the record for the most CERT advisories due to a single author? When it comes to the Internet, the man has at least demi-god status, and when it comes to DNS, I think you have to call him a full-fledged god.

Re:Couldn't get past the picture of the unibrow (1)

jgrahn (181062) | more than 2 years ago | (#39501369)

The original author [wikipedia.org] of cron and bind is a "tech writer"?

You're right at large, but he wasn't the original author of cron. He made the first(?) free clone.

Re:Couldn't get past the picture of the unibrow (1)

dhammabum (190105) | more than 2 years ago | (#39504457)

This is an insult to all inter-ocularly hirsute techs everywhere. We who sport the unibrow (or monobrow as it is known in Australia) - all look up to Mr Vixie, and I myself am proud to have been compared to Mr Twit of Roald Dahl's inspiring book, "The Twits" fame.

Such comments are just jealousy, I suppose.

Stupid (4, Interesting)

DarkOx (621550) | more than 2 years ago | (#39498133)

They never should have set up replacement DNS servers.

At most they should have put up a special server that just pointed every A record request to a webserver with a page explaining that you have or have had some malware on your system and are vulnerable, some instructions to fix your DNS and patch your box or call your Administrator for help. Simply return NXDOMAIN for everything else.

All this has accomplished is keeping a bunch of un-patched machines, which let's face it most likely have or will have other malware on them as well, in use by users, making them the possible victims of someone else.

I have not bought into the argument about ISPs or corporate uses being effected severely either. Anyone effected by this thing is not using DNSSEC. It would be trivial to NAT tcp53/udp53 requests to the addresses of the malicious DNS servers to a safe in-house one. ISPs and corporations then could go through those logs with their own resources and contact those users / customers for a fix, instead of being allowed to just shift the cost of their security failure onto the tax payer as they have. Such organizations should be going after the estate of the perps for damages and eating the costs that cannot be recovered or forcing their insurers to do it.

This was just another abuse of the public.

Re:Stupid (1)

vlm (69642) | more than 2 years ago | (#39498357)

It would be trivial to NAT tcp53/udp53 requests to the addresses of the malicious DNS servers to a safe in-house one.

That doesn't scale very well on a "real network" although that works pretty well if you have one provider and one firewall (basically what you probably have at home but probably bigger). The "right" way to do it is have your BGP speaking routers advertise those specific routes, and one linux box with a bunch of virtual interfaces running bind, etc. Obviously you do not BGP advertise those routes to the general public unless you want the guys on the NANOG mailing list to laugh at you and your upstreams/peers to go all medieval on filtering your incoming routes (like next time you want to advertise a new route, demanding a signed LOA for the space before letting you advertise it ... I've had to do the "demand a signed LOA for the space from known company officer" in certain ... situations)

Re:Stupid (1)

DarkOx (621550) | more than 2 years ago | (#39498637)

I can see doing it via routes for ISPs who have many peers. I have never done a BGP implementation for anyone with more than three Internet gateways. Frankly I'd rather put a few NAT rules on two or three gateways to make sure I have all the egress traffic covered than try to advertise a few /32s in BGP and either foul up or be fouled up by route summary.

Re:Stupid (2)

vlm (69642) | more than 2 years ago | (#39499375)

If you're doing BGP, you already have experience advertising your blocks... so just advertise someone else's blocks, remember to forget to permit those blocks thru your border prefix lists... Rather than feeding a whole pop with that block you'll probably be feeding a vlan with one linux box with 256 virtual interfaces or whatever, and lots of logging to report anyone actually trying to use it for DNS. Your own level of BOFH decides if you put bind on it with a normal resolver, or redirect *.com to an internal informational page, or you look up their ip and suspend their kerberos password automatically (which leads to hilarious results during initial testing, and if an old statically configured laser printer is using that for DNS etc).

One place I'm aware of has a perl script that eats all their RANCID downloaded router configs and then outputs a "mistake file". Since it's normally a pretty big mistake to advertise some space internally and forget to unfilter it at the border, this is one area where you have to be careful. Also if you have noobs on staff and they're all like "duh, senior wizard vlm is slippin', he's advertising 216.34.181.0/24 but he's filtered it at all the borders, let me help him out by unfiltering for him" well that's not going to end well...

Re:Stupid (0)

Anonymous Coward | more than 2 years ago | (#39498849)

At most they should have put up a special server that just pointed every A record request to a webserver with a page explaining that you have or have had some malware on your system and are vulnerable, some instructions to fix your DNS and patch your box or call your Administrator for help.

There is more to the intertubes than web surfing.

Re:Stupid (1)

Qwertie (797303) | more than 2 years ago | (#39501467)

There is an alternative that doesn't suddenly take hundreds of thousands of computers off the internet: periodic denial of service. For two minutes every hour, on the hour, redirect all the most popular web domains to an HTTP server with a page with an FBI logo on it, explaining that you have the DNSChanger malware on your computer (or in your router) and that you must fix the problem or your internet will stop working completely in 4 months.

The goal is to inform users that their machine is compromised in such a way they can't ignore it, and won't mistake it for a problem at their ISP. There's no need to kick them off the internet (if you completely block their access to DNS, how can they perform the necessary research to clean up their machine or router?)

Re:Stupid (0)

Anonymous Coward | more than 2 years ago | (#39502403)

I was "shut down" by my ISP from the FBI's request due to a mistaken identification on their part to having the DNSChanger virus on my subnet.

Turns out I didn't have the virus, but a SPAM had arrived on my email server that tickled traffic to one of the domains in question, because my email server rather legitimately wanted to check to see if the domain existed.

BUT I'm majorly irritated because they informed me that I "had the virus" then summarily shut down my external DNS traffic, breaking my access to the net.

Re:Stupid (0)

Anonymous Coward | more than 2 years ago | (#39503535)

I have not bought into the argument about ISPs or corporate uses being effected severely either. Anyone effected by this [...]

The verb 'effected', as you use it, means 'created'. The word you want is 'affected', meaning 'impacted by'.

I suggest you either learn to use both the nouns and verbs of both affect and effect correctly (too hard) or join me in advancing my goal of replacing all four of these words with 'xffect'.

Captcha: common

I still disagree with the delays (5, Interesting)

Skapare (16644) | more than 2 years ago | (#39498141)

There should have been a period of time to do the notifications with the DNS running "normally". At the end of that (no extension), change the DNS servers so they return an IP for ALL domains that directs everything to a single page that tells them that their computers and/or network is infected, and they need to contact a security consultant, their ISP, or a specified contact at the FBI. After that time, the DNS should go dead (route those IPs into a blackhole). That all should have been over with by now. There's no justification to delay further for stupid people.

Re:I still disagree with the delays (1)

Anonymous Coward | more than 2 years ago | (#39498333)

Ditto.

Who knows what other malware/virus infections the computer may have. The prolonged extension does a disservice to the infected machines. This is crazy.

Re:I still disagree with the delays (0)

Anonymous Coward | more than 2 years ago | (#39499109)

that directs everything to a single page that tells them that their computers and/or network is infected, and they need to contact a security consultant, their ISP, or a specified contact at the FBI.

Isn't this how so much malware gets on a computer? People see warnings and click willy nilly.

I've said it before (2)

WillgasM (1646719) | more than 2 years ago | (#39498181)

and I'll say it again. Why are we going through all this trouble? Just shut down the damn servers, or if you want to be nice redirect to a page explaining that they're infected. It takes me around 15 seconds to change my dns servers, but for some reason we need to drag this shit out 'til July.

Re:I've said it before (0)

Anonymous Coward | more than 2 years ago | (#39498399)

Sure, it takes *us* 15 seconds. How long would it take your grandma?

Re:I've said it before (0)

Anonymous Coward | more than 2 years ago | (#39498625)

Not long, because she's not a moron. She'd call me, follow my directions, and have it done in a few minutes. For families who own computers but have nobody in the household who knows how to do it, they'll just have to pay somebody. It's their choice to either spend money on somebody else doing it or spend some time and effort to learn how to actually use a computer.

Grandma & DNS servers... apk (0)

Anonymous Coward | more than 2 years ago | (#39526333)

PERTINENT QUOTE I'VE LONG BEEN USING:

"(Especially for noob/grandma level users who are unaware of how to secure themselves in fact, per a guide like mine noted above that uses "layered-security" principles!)" FROM THIS VERY EXCHANGE HERE TODAY NO LESS -> http://it.slashdot.org/comments.pl?sid=2752399&cid=39524771 [slashdot.org] (and one I've long used in my security posts here, especially regarding hosts files vs. DNS alone)

* Complete with GUI level directions (vs. using .reg file merges &/or AD group policies via secpol.msc &/or gpedit.msc for Windows Active Directory networks))...

(Router level checks should also be included as well as OS level DNS settings for servers used... I recommend a few good ones for non-AD users in that post above, that actually ACTIVELY filter out known bad hosts-domains and even bad DNS servers too!)

APK

P.S.=> See my 'p.s.' there, because I rather STRONGLY imagine your directions mirror my own on this very note (& doing it in the registry is a simple .reg file merge to this area in the TCP/IP parameters settings, here:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\DhcpNameServer

Using regedit.exe (or .reg file merges on user logon via logon scripts), & then making it READ ONLY to end-user workstation nodes & editable ONLY by the AD domain-wide admin level user(s) only... to stop reinfestation - once more, checking DNS information in any routers used is good to work in combination with this, also... apk

Re:I've said it before (0)

Anonymous Coward | more than 2 years ago | (#39498641)

15 seconds. She would ask me to do it...

Re:I've said it before (0)

Anonymous Coward | more than 2 years ago | (#39498453)

It takes me around 15 seconds to change my dns servers [...]

Okay, that's exactly where the problem is. See it yet? No? Well, let's go over that again.

It takes me around 15 seconds to change my dns servers [...]

That time I boldfaced the vital parts. Hopefully that implies the problem with your solution.

If not, the problem becomes deliciously ironic. Not everyone knows how to modify their DNS settings. In fact, MOST people don't know this offhand. And of those people, most of them WON'T do it, either, out of fear that they'll "break their internet". Not everyone is as l33t as you are and can't see these things you intrinsically just "know".

The irony being that if you couldn't figure this out by the time I pointed out the vital parts, you're one of those people, except in the field of basic social interactions instead of networking. And everyone else is derisively wondering why you're going through all this trouble.

Re:I've said it before (0)

Anonymous Coward | more than 2 years ago | (#39498685)

That and the malware would keep changing it back until it is removed.

AD level admin != READONLY (others are) (0)

Anonymous Coward | more than 2 years ago | (#39526551)

Does the malware have AD domain-wide admin rights? If not, and I doubt it does??

This would stop THAT, easily (see my p.s. @ the bottom of the link I post next):

http://it.slashdot.org/comments.pl?sid=2752399&cid=39526333 [slashdot.org]

* That'll stop the thing from working!

It's also as simple as .reg file merges of VALID DNS servers into an end-user workstation via logon scripts, for this area to be "set right":

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\DhcpNameServer

Then, also doing AD gpedit.msc + secpol.msc work @ an AD (active directory) wide level... I add in NortonDNS, OpenDNS, & ScrubIT DNS servers there in "triumvirate" layered-security + 'failover' zone-defense type thinking too, & mainly because those DNS, for stand-alone non-AD systems, actively FILTER vs. known bad hosts-domains AND BOGUS DNS SERVERS TOO!

Which then, you'd be making ONLY the domain level admin user group have rights to change that area (dhcpnameserver in TCP/IP parameters) in the OS, & router level goes without saying only admins should have the security clearances for that much as well!

APK

P.S.=> I showed how one can do it "grandma noob level end user" work via GUI to do the same, here, in this exchange also:

http://it.slashdot.org/comments.pl?sid=2752399&cid=39524771 [slashdot.org]

In its 'p.s.' section @ its termination as well... either way? It will STALL this thing, & then you remove the actual bogus ware or links that caused it (firewalling rules tables &/or HOSTS files can do the job there nicely)

... apk

Re:I've said it before (1)

WillgasM (1646719) | more than 2 years ago | (#39509923)

Here's a scenario: what if the malware had just set their DNS to loopback or something stupid like that. They would have immediately lost internet and had to fix it or call someone who could. They'll be in the exact same boat when these rogue servers get shut down. So what's different about this situation? This time the government is in a position to help. Like I said, I'm fine with that. Redirect to a landing page explaining the problem. Leave it up for a couple weeks to make sure everyone gets the message, then pull the plug. Frankly, that's more help than they deserve. These people got infected, and as a consequence they lose internet until they resolve the problem. They can figure it out themselves, ask their tech friend for help, or shell out the money to have a pro look at it. The point is, it's THEIR problem. We don't need a government agency wasting time and effort holding these people's hands. If you're gonna take a shit, learn to wipe your own ass or be prepared to pay royally for someone else to wipe for you.

They're doing it wrong. (1)

rdebath (884132) | more than 2 years ago | (#39499811)

Sure, they don't want to kill the internet connections of thousands (or millions) of people in one night, this will cause the odd serious problem.

But leaving some servers running perfectly isn't going to solve anything either. If everything is working fine these people are just going to leave it be; as they were told by the last guy who charged them to fix their machine last time!

The answer is actually very simple; leave the server running but make sure it's CRAP.

On day zero it works perfectly.
On day one just one percent of queries are given a serverfail.
On day two two percent are failed
By the end of the first week people will start to notice that their internet is getting crap.
By the end of the first month they will be asking around for help
By the end of the second month they'll be ready to pay for help
And finally, after just three months (and a week) the servers can be turned off, they're not doing anything anymore.

Have you checked your computer, router or modem? (0)

Anonymous Coward | more than 2 years ago | (#39500293)

If you actually RTFA, you will find this little checker for DNS Changer on your machine:
http://dns-ok.us/

This could use a bit more publicity.

The FBI's detectors of virus infection are broken (0)

Anonymous Coward | more than 2 years ago | (#39502601)

I was "shut down" by my ISP from the FBI's request due to a mistaken identification on their part to having the DNSChanger virus on my subnet.

Turns out I didn't have the virus, but a SPAM had arrived on my email server that tickled traffic to one of the domains in question, because my email server rather legitimately wanted to check to see if the domain existed.

BUT I'm majorly irritated because they informed me that I "had the virus" then summarily shut down my external DNS traffic, breaking my access to the net, without even giving me time to check to see what was going on.

Erich Boleyn

Re:The FBI's detectors of virus infection are brok (1)

Vernes (720223) | more than 2 years ago | (#39505989)

Sue. It's the only way to force your ISP to double check next time. Make it too expensive for them to be lazy.

As per my usual? Clean as a whistle here! How? (0)

Anonymous Coward | more than 2 years ago | (#39524771)

Simple: This -> http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&qs=ns&form=QBLH [bing.com]

(Just by using the principles of "layered-security"/"defense-in-depth" AND educating users... they are the "weakest link"!)

To "immunize" a Windows system, I effectively use the principles in "layered security" possibles!

http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE [bing.com]

I.E./E.G.-> I have done so since 1997-1998 with the most viewed, highly rated guide online for Windows security there really is which came from the fact I also created the 1st guide for securing Windows, highly rated @ NEOWIN (as far back as 1998-2001) here:

http://www.neowin.net/news/apk-a-to-z-internet-speedup--security-text [neowin.net]

& from as far back as 1997 -> http://web.archive.org/web/20020205091023/www.ntcompatible.com/article1.shtml [archive.org] which Neowin above picked up on & rated very highly.

That has evolved more currently, into the MOST viewed & highly rated one there is for years now since 2008 online in the 1st URL link above...

Which has well over 500,000++ views online (actually MORE, but 1 site with 75,000 views of it went offline/out-of-business) & it's been made either:

---

1.) An Essential Guide
2.) 5-5 star rated
3.) A "sticky-pinned" thread
4.) Most viewed in the category it's in (usually security)
5.) Got me PAID by winning a contest @ PCPitStop (quite unexpectedly - I was only posting it for the good of all, & yes, "the Lord works in mysterious ways", it even got me PAID -> http://techtalk.pcpitstop.com/2007/09/04/pc-pitstop-winners/ [pcpitstop.com] (see January 2008))

---

Across 15-20 or so sites I posted it on back in 2008... & here is the IMPORTANT part, in some sample testimonials to the "layered security" methodology efficacy:

---

SOME QUOTED TESTIMONIALS TO THE EFFECTIVENESS OF SAID LAYERED SECURITY GUIDE I AUTHORED:

http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=2 [xtremepccentral.com]

"I recently, months ago when you finally got this guide done, had authorization to try this on simple work station for kids. My client, who paid me an ungodly amount of money to do this, has been PROBLEM FREE FOR MONTHS! I haven't even had a follow up call which is unusual." - THRONKA, user of my guide @ XTremePcCentral

AND

"APK, thanks for such a great guide. This would, and should, be an inspiration to such security measures. Also, the pc that has "tweaks": IS STILL GOING! NO PROBLEMS!" - THRONKA, user of my guide @ XTremePcCentral

AND

http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=3 [xtremepccentral.com]

"Its 2009 - still trouble free! I was told last week by a co worker who does active directory administration, and he said I was doing overkill. I told him yes, but I just eliminated the half life in windows that you usually get. He said good point. So from 2008 till 2009. No speed decreases, its been to a lan party, moved around in a move, and it still NEVER has had the OS reinstalled besides the fact I imaged the drive over in 2008. Great stuff! My client STILL Hasn't called me back in regards to that one machine to get it locked down for the kid. I am glad it worked and I am sure her wallet is appreciated too now that it works. Speaking of which, I need to call her to see if I can get some leads. APK - I will say it again, the guide is FANTASTIC! Its made my PC experience much easier. Sandboxing was great. Getting my host file updated, setting services to system service, rather than system local. (except AVG updater, needed system local)" - THRONKA, user of my guide @ XTremePcCentral

---

http://forums.theplanet.com/index.php?s=80bbbffc22d358de6b01b8450d596746&showtopic=89123&st=60&start=60 [theplanet.com]

"the use of the hosts file has worked for me in many ways. for one it stops ad banners, it helps speed up your computer as well. if you need more proof i am writing to you on a 400 hertz computer and i run with ease. i do not get 200++ viruses and spy ware a month as i use to. now i am lucky if i get 1 or 2 viruses a month. if you want my opinion if you stick to what APK says in his article about securing your computer then you will be safe and should not get any viruses or spy ware, but if you do get hit with viruses and spy ware then it will your own fault. keep up the good fight APK." - Kings Joker, user of my guide @ THE PLANET

(Those results are only a SMALL SAMPLING TOO, mind you - I can produce more such results, upon request, from other users & sites online)

HOWEVER - There's ONLY 1 WEAKNESS TO IT: Human beings, & they not being 'disciplined' about the indiscriminate usage of javascript (the main "harbinger of doom" out there today online), OR, what they download for example... King's Joker above tends to "2nd that motion" (& there is NOTHING I can do about that! Per Dr. Manhattan of "The Watchmen", ala -> "I can change almost anything, but I can't change human nature")

HOWEVER AGAIN - That's where NORTON DNS helps -> http://nortondns.com/ [nortondns.com] ...

(Especially for noob/grandma level users who are unaware of how to secure themselves in fact, per a guide like mine noted above that uses "layered-security" principles!)

ScrubIT DNS, &/or OpenDNS are others (adding on phishing protection too) as well!

( & it's possible to use ALL THREE in your hardware NAT routers, and, in your Local Area Connection DNS properties in Windows, for again, "Layered Security" too)...

---

I also do extra "layered security" work above Norton DNS/OpenDNS/ScrubIT DNS too, in HOSTS files usage, that layer on to that!

AND, HOSTS files are COMPLETELY under MY personal control as well, for better speed, security, & even "anonymity" to a degree (vs DNSBL of all things) here..

In fact, my HOSTS file here has well over 1.5 million entries worth vs. adbanners (because they have had malicious code in them @ times since 2004), bogus DNS Servers, botnet C&C servers, & known maliciously scripted websites + servers/hosts-domains that are KNOWN to serve up malware.

(I, and my friends + family that use it, along with Norton DNS/OpenDNS/ScrubIT DNS? Haven't been infected ONCE, since 1996!)

See testimonials above in addition to my own, & I can produce others easily on request from other forums where my guide is (as well as mvps.org & many others that produce HOSTS files), and here are others from /. no less, testifying to the same:

* TO GET RID OF THIS ONE? SHOULD BE "CAKE", see below... I've posted this here before on DNSChanger... & yes, it works.

APK

P.S.=> To get rid of DNSChanger is even simpler for a competent network administrator, like so:

Check the IP settings for DNS in Windows, 1st, here in your "Local Area Connection"'s properties:

Internet Protocol Version 4 (TCP/IP v4) properties
Use the following DNS server addresses
Advanced Button
DNS tab (on next popup screen)
Add in good ones noted above (Norton DNS, OpenDNS, ScrubIT DNS or other valid ones that DO filter for security vs. KNOWN BAD HOSTS-DOMAINS)
Edit out any bad ones (associated with THIS malware or others)

(This can all be easily automated too, and can secure users @ logon via logon script .reg file merges of what the GUI version of above shows you how to do it anyhow graphically... then, make it READ ONLY to end-users workstation nodes, via ACL (access control lists alterations/edits) and WRITEABLE ONLY BY THE ACTIVE DIRECTORY LEVEL ADMINISTRATOR!)

This readonly access can be done quickly LAN/'WAN wide also via group policy &/or security policies as well as what I noted above, step-by-step. It works...

DONE!

... apk
