In the news….. The FBI will be losing their court granted hold over the DNS servers in March and they are planning to make them “go dark”. Rather than changing their green lights sabers to red, this will cause any machine still looking to them for IPs to lose their internet connectivity.
Our detections for this threat are called Zlob and Tidserv. Tidserv can be very difficult to remove. If you should discover a machine where we detected it but the log says we were not able to completely remove it you should run Norton version of Power Eraser, so you can be sure to check all the accounts.
Symantec Security Response’s current recommendation:
Monitor your network for the bad DNS IPs, using that to identify any infected clients we may have missed with SEP. If you can re-route traffic, you can reroute these machines to a legitimate DNS server. Regardless, we recommend taking our repair tool to each of these machine and using it to clean them.