This information was provided by Arbor Networks, thanks.
The list consists of the Belgian IP addresses that contacted the new clean DNS servers run by the ISC, which now intercept all the traffic destined for the malicious DNS servers of the Estonian gang.
These are only the IP addresses that were infected by the malware installed by this gang, and not by any other variant that has appeared since.
The FBI, together with a group of private and public American and international institutions, groups and enterprises, stopped the operation after a two-year investigation.
These Belgian IP addresses ARE infected with this botnet and need to be cleaned and secured again.
What is the virus?
Instead of infecting your machine with a virus that itself tries to visit a website or server, this malware only changes the DNS settings of your machine, so that you will never notice you were infected (if nothing else is installed). Some variants did leave a trace, because they disabled the antivirus on the machine.
DNS is one of the most important parts of the internet, because it translates the domain name we all know and type into the number of the server you are contacting (the IP address). Imagine that you did not have to type a telephone number into your phone but a name, and that the phone would connect to a server and look up the telephone number(s) itself. As servers change often and websites also change location, it would otherwise be impossible to 'surf' the net.
DNS settings are therefore part of the configuration of your PC, your router and your network. They can be changed at any of these places, but not on the server that is authoritative (trusted) for the domain.
Why this virus?
It is clear from the description that this is the best way for the underworld to make a lot of money on an industrial scale without having to invest much in vulnerabilities, changing servers and so on. If you want your victims to go to another server and download or click something, you only have to change the answer in your DNS server. The same is true of DNS poisoning, where the results for a site are altered (for example, the IP address for ebay.be becomes a server in Russia instead of the US), but as DNS servers become better defended and monitored, that has become harder.
Who can get this virus?
One thing that is clear about this virus is that it has been adapted. It works on Macintosh, Linux and Windows, and on routers (home routers or network routers). The only thing it wants to change is to redirect all internet traffic through its own malicious DNS servers.
How can I check whether I was infected?
If you were online on the 28th of November and you are not in this list, that is a good sign.
You can also check online with the FBI database.
If you are infected, the FBI is looking for victims for its court case against these cybercrooks (who made 14 million dollars over 2 years):
https://forms.fbi.gov/dnsmalware (looking for victims)
The malicious DNS ranges are these:
18.104.22.168 - 22.214.171.124
126.96.36.199 - 188.8.131.52
184.108.40.206 - 220.127.116.11
You can find them with the following operations on your machine (for your routers at home and in the enterprise you should consult the documentation).
For networks we would advise you to add these ranges to your DNS rules as blocked and logged, so that you can see whether any machine in your network has been infected. The best policy is to divert all your DNS traffic to an internal DNS server which forwards all external DNS traffic to a defined set of external DNS servers. Bad DNS traffic should be logged or sent to the firewall for closer examination.
It is also not a bad idea to install Wireshark or another network traffic monitor and look for infections. Hosts that are infected will probably also be infected with other malware or botnets.
To check DNS settings on Windows, open a command prompt and type "ipconfig /all", then check the DNS Servers field.
To check DNS settings on a Mac, choose System Preferences and then select Network. Then click the Advanced button for the active connection. Users may also want to check the DNS servers used by their router.
To check DNS settings on Linux: cat /etc/resolv.conf.
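The two checks above (the resolver list on a machine, and the "block and log" rule on the network) both boil down to comparing an IP address against the published ranges. The following script is an added example written for this post, not a tool from Arbor Networks, the ISC or the FBI: it parses the configured resolvers out of /etc/resolv.conf content and out of "ipconfig /all" output, flags any that fall in the ranges exactly as printed above, and does the same for the destination of DNS log lines so that the infected internal hosts can be listed. The sample resolv.conf, ipconfig output and log lines are constructed, and the "src=... dst=... dport=53" log format is an assumption; substitute your own firewall's format.

```python
import ipaddress
import re

# Malicious resolver ranges exactly as printed on the page (first - last address, inclusive).
MALICIOUS_RANGES = [
    ("18.104.22.168", "22.214.171.124"),
    ("126.96.36.199", "188.8.131.52"),
    ("184.108.40.206", "220.127.116.11"),
]


def _as_int_ranges(ranges):
    """Turn (first, last) dotted-quad pairs into integer bounds for comparison."""
    return [(int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi))) for lo, hi in ranges]


def is_malicious_resolver(ip, ranges=MALICIOUS_RANGES):
    """True if ip falls inside any malicious range; anything that is not IPv4 is never flagged."""
    try:
        n = int(ipaddress.IPv4Address(ip))
    except ipaddress.AddressValueError:
        return False
    return any(lo <= n <= hi for lo, hi in _as_int_ranges(ranges))


def resolvers_from_resolv_conf(text):
    """Extract the nameserver entries from /etc/resolv.conf content (the Linux check)."""
    found = []
    for line in text.splitlines():
        m = re.match(r"^\s*nameserver\s+(\S+)", line)
        if m:
            found.append(m.group(1))
    return found


def resolvers_from_ipconfig(text):
    """Extract the 'DNS Servers' field from `ipconfig /all` output (the Windows check).
    The first server is on the 'DNS Servers . . . :' line; extra servers follow on indented lines."""
    found = []
    in_dns_block = False
    for line in text.splitlines():
        m = re.match(r"^\s*DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            found.append(m.group(1))
            in_dns_block = True
            continue
        if in_dns_block:
            cont = re.match(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", line)
            if cont:
                found.append(cont.group(1))
                continue
            in_dns_block = False
    return found


def check_resolvers(resolvers, ranges=MALICIOUS_RANGES):
    """Return the configured resolvers that sit in a malicious range."""
    return [r for r in resolvers if is_malicious_resolver(r, ranges)]


def flag_dns_log(lines, ranges=MALICIOUS_RANGES):
    """For log lines of the assumed form 'src=A dst=B dport=53', return the (src, dst) pairs whose
    destination is a malicious resolver: those internal hosts are the probable infections."""
    hits = []
    for line in lines:
        m = re.search(r"src=(\S+)\s+dst=(\S+)\s+dport=53\b", line)
        if m and is_malicious_resolver(m.group(2), ranges):
            hits.append((m.group(1), m.group(2)))
    return hits


# Constructed sample input (not captured from a real machine).
SAMPLE_RESOLV_CONF = """# Generated by NetworkManager
search example.lan
nameserver 20.1.1.1
nameserver 10.0.0.1
"""

SAMPLE_IPCONFIG = """Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 10.0.0.25
   Default Gateway . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 20.1.1.1
                                       10.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Constructed firewall log lines; the key=value layout is an assumption, not a real product's format.
SAMPLE_LOG = [
    "2011-11-28T09:00:01 ACCEPT src=10.0.0.25 dst=20.1.1.1 dport=53",
    "2011-11-28T09:00:02 ACCEPT src=10.0.0.26 dst=8.8.8.8 dport=53",
    "2011-11-28T09:00:03 ACCEPT src=10.0.0.27 dst=130.0.0.1 dport=53",
    "2011-11-28T09:00:04 ACCEPT src=10.0.0.28 dst=20.1.1.1 dport=443",
]

if __name__ == "__main__":
    for name, resolvers in (("resolv.conf", resolvers_from_resolv_conf(SAMPLE_RESOLV_CONF)),
                            ("ipconfig", resolvers_from_ipconfig(SAMPLE_IPCONFIG))):
        print(f"{name}: resolvers={resolvers} malicious={check_resolvers(resolvers)}")
    for src, dst in flag_dns_log(SAMPLE_LOG):
        print(f"host {src} queried malicious resolver {dst}")
```

Only port 53 destinations are considered, so the constructed HTTPS line to a listed address is ignored; if you want a wider net, drop the port match, but expect more noise. Feed the real resolver list or the firewall's export into the same functions instead of the constructed samples.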
How to clean it
For Macintosh there is this free tool
For Windows there are a bunch of free antivirus tools like Avast and AVG that will do the job. If you install a firewall, you can also make a rule excluding
The Belgian list of infected IP addresses, 28th of November
The IP addresses in Excel were sometimes a bit of a hassle, but you only have to read them as IP addresses (leaving out the ,00 at the end).
The easiest format to download is Excel.
DNS Changer List Ip