
How the most massive botnet scam ever made millions for Estonian hackers - evo_9
http://arstechnica.com/tech-policy/news/2011/11/how-the-most-massive-botnet-scam-ever-made-millions-for-estonian-hackers.ars
======
pasbesoin
The linked FBI page

[https://forms.fbi.gov/check-to-see-if-your-computer-is-using...](https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS)

in turn links to this FBI hosted document (I've wrapped it in a Google Docs
viewer link for convenience):

[http://docs.google.com/gview?url=http%3A%2F%2Fwww.fbi.gov%2F...](http://docs.google.com/gview?url=http%3A%2F%2Fwww.fbi.gov%2Fnews%2Fstories%2F2011%2Fnovember%2Fmalware_110911%2Fdns-changer-malware.pdf)

The second link is probably the simplest thing to provide your less technical
family and friends, as it offers both an explanation and instructions for
checking for compromise -- instructions that don't involve hitting an FBI test
page, BTW.

Note also this section from the cited FBI-hosted PDF:

_Second, it attempts to access devices on the victim's small office/home
office (SOHO) network that run a dynamic host configuration protocol (DHCP)
server (e.g. a router or home gateway). The malware attempts to access these
devices using common default usernames and passwords and, if successful,
changes the DNS servers these devices use from the ISP's good DNS servers to
rogue DNS servers operated by the criminals. This is a change that may impact
all computers on the SOHO network, even if those computers are not infected
with the malware._

P.S. I will add that I am really impressed with the clarity, usefulness, and
understanding of the target audience that manifests in the PDF instructions.
Every time someone "bitches" about "government workers", I wish to point them
to examples like this. While I remain suspicious of "Big Brother" government
particularly with respect to selling out to moneyed, entrenched interests and
a self-serving political elite, there are plenty of career employees
generating lots of good work. (I suppose this document could have been written
by a consultant -- if so, at least someone hired a good one. If you look at
the PDF's properties, an author name actually shows. I didn't look into this.)
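The kind of check the FBI notice describes, as an added example that is not part of the comment above or of the FBI material: it pulls the configured nameservers out of resolv.conf-style text and flags any that fall inside a list of rogue netblocks. The netblocks used here are constructed placeholders (RFC 5737 documentation ranges), not the real DNSChanger ranges; substitute the published list before relying on it.

```python
import ipaddress

# Constructed placeholder ranges standing in for the rogue DNS netblocks
# listed in the FBI notice. Replace with the published ranges for real use.
ROGUE_DNS_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]


def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses found in resolv.conf-style text.

    Comments are stripped, and lines that are not valid 'nameserver <ip>'
    entries are ignored rather than raising.
    """
    servers = []
    for line in resolv_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # malformed address; skip it
    return servers


def rogue_resolvers(resolv_conf_text, ranges=ROGUE_DNS_RANGES):
    """Return (as strings) every configured nameserver inside a rogue range."""
    return [
        str(ns)
        for ns in parse_nameservers(resolv_conf_text)
        if any(ns in net for net in ranges)
    ]


# Constructed sample: a private resolver (the home router) plus one
# resolver inside the placeholder rogue range.
SAMPLE_RESOLV_CONF = """\
# constructed sample resolv.conf
nameserver 192.168.1.1
nameserver 198.51.100.7   # inside placeholder rogue range
"""

if __name__ == "__main__":
    print("rogue resolvers:", rogue_resolvers(SAMPLE_RESOLV_CONF))
```

Because the malware can rewrite the router's DNS settings, a host whose only resolver is the router (192.168.1.1 above) can still be forwarded to rogue servers, so the same check should also be run against the DNS addresses configured on the router's WAN side.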

