FBI's “Operation Ghost Click” was discussed earlier by my colleague Kurt here and here and now it comes to an end.

Next Monday, 9th of July, at 06:00 (MEZ) the temporary DNS-servers setup by FBI will be shut down. But still there are still thousands of infected machines – one can wonder, what will happen to them?

Computers in the internet have their own address – the IP-address. There are two versions:

• IPv4 which is a 32-bit address e.g. 195.122.169.23 and
• IPv6 which is a 128-bit address e.g. 2001:db8:85a3:8d3:1319:8a2e:370:7347

You clearly see that these addresses are not so easy to remember compared to e.g. “kaspersky.com”. Therefore the “Domain Name System” was created which translates domain-names as “kaspersky.com” to their respective IP-address to connect to the server.

The DNS-Changer malware replaces the DNS-servers on the infected system with its own. FBI Press Release

The reason they do this is because it facilitates “Click Hijacking”. This is a technique where infected users are redirected to advertisement websites from the criminals and “Advertising Replacement” where on legitimate websites the advertisements were exchanged with one from the criminals.

Luckily, the FBI caught the criminals and installed temporary DNS-Servers in order to avoid a “black-out” for the mass of infected computers.

This temporary solution will come to an end on Monday when the servers are shut down. When this happens, the infected machines will no longer able to resolve domain names in order to connect to e.g. a website.

Of course, if you know the address of the server you can still use it instead of the name e.g. 195.122.169.23 is “securelist.com” but this is not easy solution.

We would like to point out that despite the big noise around this topic, there is no need to panic. The solution is rather simple – read below for more.

First of all, it might be interesting to point out that in 2012 we detected 101.964 attempts by DNSChanger malware to infect our users.

The good news is that the infections were blocked and the number of infection attempts is going down.

For instance, this map of the past week shows that the amount of infection attempts/detections as decreasing. Of course, computers with no or old protection are still in danger of possible unspotted infections.

So, how to check if you are infected with DNSChanger?

The DNS Changer Working Group provides helpful information on their website – unfortunately, we previously mentioned that automatic websites setup for this purpose do not work 100% well. So, the manual solution of checking the DNS server IPs is better.

If you are infected, you can change your DNS entries to the free DNS-Servers from Google: 8.8.8.8 and 8.8.4.4. OpenDNS also offers two: 208.67.222.222 and 208.67.220.220, which we also recommend for additional security features.

The best solution is of course to install a security suite capable of detecting and cleaning the infection and fixing the DNS servers.

Since many DNSChanger infections are accompanied by TDSS, a rather nasty rootkit, you can also use our tool “Kaspersky TDSSKiller” in order to detect and delete the infection

Apple has released MacOS X 10.6.7 with several bugfixes and security-patches. This patch bundle also includes a silent update to Apple‘s built-in Xprotect anti-virus functionality.

Xprotect
With the release of Snow Leopard (Mac OS X 10.6) Apple introduced a basic antivirus protection called „XProtect“. It scans and detect threats when files are downloaded through Safari, Mail, iChat, Firefox and a few more and afterwards executed. The Signature-List is updated via Apples Software Update.

Till now Xprotects database contained signatures for three well-known threats:
- OSX.RSPlug.A: changes local DNS-entries, came through fake video-codecs
- OSX.Iservice: attacks websites (DDoS), came bundled with pirated applications
- OSX.HellRTS: known as HellRaiser, tool which gives the attacker full access ofver the victims system. Version 4.2 public available, version 4.4 sold for 15$ by the creator in underground forums.

A lot of tools and services change hands - for money - in the criminal underground. For example bot-packs are offered by the creator or his business partners for a defined amount of money. The customer gets a package with all needed files and additional support, like updates against anti-virus detection. Mostly there are different levels of support the customer can subscribe to.

But all is not perfect even in the criminal world.

In February this year an individual who names himself “Till7” started offering his new web panel Bot called “v0id Bot”. The official distributor - named “3lite” -started to offer this bot-pack in underground forums.

The bot itself is written in VisualBasic.Net and comes with a php-based Web-Panel offering several features:

• Visiting a specified website


• Downloading and executing a file from a specified website


• Email spamming/ bombing functions,


• Credential Stealer (for DynDNS, Filezilla and others)


• HTTP and UDP flooding

C&C URL

In addition to Trojans and Worms, Twitter seems to also be a good platform for distributing rogue security solutions. The latest example of this is a program called "MalwareRemovalBot" which we detect as "not-a-virus:FraudTool.Win32.MalwareRomovalBot.e".

The link in the tweets leads to the 'vendor' site - and nearly every link here leads to the download.

The downloaded filename varies - "setup.exe", "setupxv.exe" or "setup-trial.exe". It's a UPX-compressed Windows PE-executable.

There've been quite a few reports over the last few days about how Erin Andrew's 'naked' video is being used to spread malware, with links to infected sites being sent in spam.

Now there's a new fake video codec being spread on Twitter, with lots of different hash tags being used to push the link. And one of the most popular topics is 'Erin Andrews'.

We detect the malware as Trojan-Downloader.Win32.CodecPack.iow

We are currently witnessing a new wave of Koobface messages flooding twitter. The message that is mostly used right now is: "My home video :) <URL>"

The link in infected tweets points to a site with a little javascript.

The script calls a php-script on a server which uses an ID to return an IP address leading to the video site. This means the IP address is different for every request.

Interestingly, the guys behind this attack are clearly out to maximize their ROI: if you're using Mac or Linux, you end up getting redirected to an adult site.

Twitter is saying it may block infected accounts. We're doing our part as well - our users are already protected from the malicious file:

And we've also added protection against the malicious tweet itself, which will be detected as Net-Worm.Win32.Koobface.aqy as updates are rolled out to our users.