Protecting the “Home” Router
Protecting the “home” router is essential to the security of the Internet. We now have wave after wave of attacks that penetrate, abuse, and break into home routers that connect individuals, families, and small businesses. The DNS Changer Working Group (DCWG) was created to help remediate Rove Digital’s malicious DNS servers. DCWG highlighted the value threat actors can obtain by taking over the home router, CPE, and network devices. The DCWG site is now focused on communicating Best Common Practices (BCPs), checklist, guides, and news to help secure these devices. The content is focused on all people, families, small businesses, ISPs, and broadband companies.
About the Original DNS Changer Working Group (DCWG)
The DNS Changer Working Group (DCWG) was created to help remediate Rove Digital’s malicious DNS servers. The DCWG helps monitor DNS servers run by ISC, under court order, in the former Rove Digital colo space.
The DCWG is an ad hoc group of subject matter experts and includes members from organizations such as Georgia Tech, Internet Systems Consortium, Mandiant, National Cyber-Forensics and Training Alliance, Neustar, Spamhaus, Team Cymru, Trend Micro, and the University of Alabama at Birmingham.
You can read more about the arrest of the Rove Digital FBI Press Release and Operation Ghost Click – International Cyber Ring That Infected Millions of Computers Dismantled. This page is hosted at the Georgia Institute of Technology, under a research grant provided by the Office of Naval Research.
How to validate the legitimacy of the DCWG Site?
Many of these original DCWG sites are now depreciated or removed. This list is maintained to provide a historical reference. The simplest way to validate the DCWG is to go to one of the FBI articles about this activity that references the DNS Changer Working group:
- Operation Ghost Click – http://www.fbi.gov/news/stories/2011/november/malware_110911
Manhattan U.S. Attorney Charges Seven Individuals for Engineering Sophisticated Internet Fraud Scheme That Infected Millions of Computers Worldwide and Manipulated Internet Advertising Business – http://www.fbi.gov/newyork/press-releases/2011/manhattan-u.s.-attorney-charges-seven-individuals-for-engineering-sophisticated-internet-fraud-scheme-that-infected-millions-of-computers-worldwide-and-manipulated-internet-advertising-business
- FBI’s ” Check to See if Your Computer is Using Rogue DNS” – https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS (uses the same “are you infected infrastructure”).
The second way to validate DCWG is by checking a large number of Internet Service Providers (ISPs) and National CSIRT Teams who are participating with the campaign to clean up the DNS Changer infection.
Organizations participating with the DNS Changer Clean up Operation
Select the hyperlinked “Maintainers” to see which National CSIRT or Security Group is supporting the “are you infected” site.
|www.dns-ok.us||English||DNS Changer Working Group (DCWG)|
|www.dns-ok.de||German||Bundeskriminalamt (BKA) & Bundesamt für Sicherheit in der Informationstechnik (BSI)|
|www.dns-ok.fi||Finnish, Swedish, English||CERT-FI is the Finnish national reporting point for computer security incidents and information security threats. CERT-FI is also responsible of maintaining the national information security situation awareness system.|
|www.dns-ok.ax||Swedish, Finnish, English||CERT-FI is the Finnish national reporting point for computer security incidents and information security threats. CERT-FI is also responsible of maintaining the national information security situation awareness system.|
|www.dns-ok.be||Dutch/French||CERT-BE is the primary Belgian contact point for dealing with Internet security threats and vulnerabilities affecting Belgian interests.|
|www.dns-ok.fr||French||Le CERT-LEXSI est la division de veille et d'enquête sur Internet, dédiée à la protection du patrimoine en ligne des organisations.|
|www.dns-ok.ca||English/French||Canadian Internet Registration Authority (CIRA) and Canadian Cyber Incident Response Centre (CCIRC)|
|www.dns-ok.lu||English||CIRCL (Computer Incident Response Center Luxembourg) is the national Computer Security Incident Response Team (CSIRT - CERT) coordination center for the Grand-Duchy of Luxembourg|
|www.dns-ok.nl||Dutch (Obsolete)||SIDN (the Foundation for Internet Domain Registration in the Netherlands)|
|dns-ok.gov.au||English||CERT Australia, Stay Smart Online, and Australian Communications and Media Authority joint page on DNSChanger Information|
|dns-changer.eu||German, Spanish, English||ECO (Association of the German Internet Industry)|
|dnschanger.detect.my||Malaysian, English||Hosted by CyberSecurity Malaysia and MYCERT|
|dns-ok.jpcert.or.jp||Japanese||JPCERT/CC - Japan Computer Emergency Response Team Coordination Center|
|www.dns-ok.it||Italiano||Telecom Italia Security Operation Center - IT.TS.SOC|
Internet Service Providers actively participating with DNS Changer Clean up Operation
|AT&T||AT&T DNS Changer information page for Home and Business Customers and 8 Suggestions for Mitigating and Preventing DNSChanger Malware in your Enterprise - What Can Help You Avoid Being a Victim|
|Bell Canada||Important information about DNS Changer malware|
|CenturyLink||CenturyLink DNSChanger Customer Notice|
|Comcast||DNS Changer Bot FAQ|
|COX||COX DnsChanger Malware Information|
|Shaw Communications||Shaw Virus Protection|
|Telecom Italia||Assistenza Tecnica per DNS Changer Malware|
|Time Warner Cable & RoadRunner||Time Warner Cable & Roadrunner Website for DNS Changer Malware|
|Verizon||Verizon's Virus Help Website for DNS Changer Malware|
Note: If your ISP is not on the list, please ask them to contact the DCWG. We welcome participation.
You can contact the DCWG by sending email to [email protected]