1. DNSChanger マルウェア

感染するとDNS(キャッシュ)サーバ設定を書き換えられて、フィッシングサイトに連れ込まれます。

Google 検索すると上部に感染警告が表示されるようになったそうです。

1.1. FBI リンク

Home • Check to See if Your Computer is Using Rogue DNS

https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS

検査のためのアクセス(us) http://www.dns-ok.us/


FBI の dns-changer-malware.pdf より

1.2. Am I Infected?

The best way to determine if your computer or SOHO router has been affected by DNSChanger is
to have them evaluated by a computer professional.
プロに頼むのが一番いいが、自分でもやれることが以下にある。

However, the following steps can help you gather information 
before consulting a computer professional.

To determine if a computer is using rogue DNS servers,
it is necessary to check the DNS server settings on the computer. 
(1) コンピュータのDNS設定を調べること。

If the computer is connected to a wireless access point or router, 
the settings on those devices should be checked as well.
(2) アクセスポイントやルータの設定も調べること。

1.3. Rogue DNS Servers

以下の範囲を指定していたら、汚染されている。

85.255.112.0 --- 85.255.127.255        [85.255.112.0/20]
67.210.0.0 --- 67.210.15.255               [67.210.0.0/20]
93.188.160.0 --- 93.188.167.255        [93.188.160.0/21]
77.67.83.0 --- 77.67.83.255                 [77.67.83.0/24]
213.109.64.0 --- 213.109.79.255        [213.109.64.0/20]
64.28.176.0 --- 64.28.191.255             [64.28.176.0/20]

1.4. Checking the Router

Small office/home office routers connect your network of computers and devices to your Internet service provider. The SOHO router may have been purchased and installed by you or installed by your ISP. Linksys, D-Link, Netgear, and Cisco are common SOHO router brands, but there are many others.

DNSChanger malware は SOHOルータの設定も変更する機能をもつ。

The DNSChanger malware is capable of changing the DNS server settings within SOHO
routers that have the default username and password provided by the manufacturer. 
If you did not change the default password at the time the SOHO router was installed,
you must check the SOHO router settings.

The procedure to access your SOHO router setting varies by manufacturer, so consult your product documentation.

Once you have access to the SOHO router configuration, compare the DNS servers listed to those in the rogue DNS servers table above.

If your SOHO router is configured to use one or more of the rogue DNS servers, a computer on your network may be infected with DNSChanger malware.


1.5. JPCERT

https://www.jpcert.or.jp/pr/2012/pr120002.html

※運用期間は、2012年5月22日~2012年7月9日を予定しています 

不正な DNS サーバを参照していないかで ...

とありますが、これは正しくない。

1.6. Google

http://googleonlinesecurity.blogspot.jp/2012/05/notifying-users-affected-by-dnschanger.html

http://itpro.nikkeibp.co.jp/article/NEWS/20120524/398741/

CNETによると

"The warning will be at the top of the search results page for regular searches and image searches and news searches," Google security engineer Damian Menscher told CNET this morning. 
"The text will say, 'Your computer appears to be infected,'
 and it will give additional detail warning them that they may not be able to connect to the Internet in the future." 

1.7. dns-ok.qmail.jp

qmail.jp でも検査します。http://dns-ok.qmail.jp

-- ToshinoriMaeno 2012-05-24 10:57:43

こういう警告がでるひとは、対応してください。

1.8. dns-ok.us

http://www.dns-ok.us/images/388px-Shared_IP.svg.png