[nsp-sec] The DNS Changer Take Down - Please check your flows ....
Barry Greene
bgreene at senki.org
Wed Nov 9 16:33:30 EST 2011
Hello Everyone,
SITREP
---------
If you have not seen it, there is a major take down in the works. The "DNS Changer" crew that has been hijacking your customers' DNS configs have been arrested, infrastructure seized, and a major data center shut down.
http://www.fbi.gov/news/stories/2011/november/malware_110911/malware_110911
This is a criminal crew who would install malware on PCs and Macs, change the DNS, and try to reconfigure the home gateway router's DNS. They would point the DNS config to DNS resolvers in these address blocks (see below) and use it for their criminal enterprise.
85.255.112.0 through 85.255.127.255
67.210.0.0 through 67.210.15.255
93.188.160.0 through 93.188.167.255
77.67.83.0 through 77.67.83.255
213.109.64.0 through 213.109.79.255
64.28.176.0 through 64.28.191.255
What has happened?
--------------------------
As part of the operation, clean DNS resolvers under the control of the investigative team have replaced the criminals' DNS resolvers. All of your customers who might be infected are now going to clean DNS resolvers. Your customers might still be infected, but at least they are not going to rogue DNS servers or having their DNS service stopped.
This "DNS resolver replacement" was done to prevent customers' DNS from breaking and having a surge of help desk calls.
All these netblocks are locked down at the RIRs (ARIN and RIPE). You will now see things like this:
remarks: ################################################
remarks: #Based on an order from the Dutch authorities #
remarks: #changes to this record are not possible from #
remarks: #8 November 2011 till 22 March 2012 #
remarks: ################################################
All these netblocks are advertised as /24s to minimize hijacking by the bad guys.
What is Next?
----------------
1. Remediation. The industry is now working on remediation (cleaning up the malware). We're asking everyone to work to clean this malware from their customers and users.
Logs from the clean DNS resolvers with the Source/Destination IP address, ports, and time stamps are being fed to groups like Shadowserver.org, Team CYMRU, and other groups. The list is fed into an SIE incident channel (SIE = Security Information Exchange - peering for security information).
Please check with whomever you get your list of infected computers from. Have them contact me if they are not getting the list.
2. Tools to Clean Up Infections. Analysis of the infected computers shows that they have multiple infections with boot sector infections. Unfortunately, this is not an easy "just use this tool to clean it up." The anti-malware community might be able to come up with a better tool over the next week. Please work with your anti-malware team.
3. Monitoring. If you have the ability, please fire up Netflow and see what your customers are doing to those netblocks. It might be a way to find more of the C&C and shut down cyber-criminal infrastructure. If you see something, please shout out on NSP-SEC. There are people on the investigative team on NSP-SEC who will help get the information into the hands of the people who seize the boxes.
Questions?
--------------
There are people on the take down team on NSP-SEC. Please ask questions on NSP-SEC. We'll all jump in to help.
Thanks,
Barry
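The "check your flows" step in the post, as an added example that is not part of the original message or any tool from the take down team: the six address ranges quoted above are converted to CIDR networks, and a handful of constructed flow records (CSV with timestamp, source, destination, protocol, source port, destination port; the timestamps, the 192.0.2.x customer addresses and the 198.51.100.53 / 203.0.113.9 destinations are all made up for the demonstration) are scanned for DNS traffic (UDP/TCP port 53) whose destination falls inside one of those ranges. The result is a per-customer-IP count of hits, which is what you would hand to the remediation team; the same `is_dnschanger_resolver` check also works on a host's configured resolver addresses.

```python
import ipaddress
from collections import Counter

# The six ranges exactly as quoted in the post (first address, last address).
DNSCHANGER_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]


def ranges_to_networks(ranges):
    """Turn (first, last) address pairs into the minimal list of CIDR networks."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets


ROGUE_NETS = ranges_to_networks(DNSCHANGER_RANGES)


def is_dnschanger_resolver(ip):
    """True if the address lies in any of the seized DNS Changer netblocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ROGUE_NETS)


# Constructed sample flow export (not real data): ts,src,dst,proto,sport,dport.
# 192.0.2.10 and 192.0.2.12 talk to resolvers in the rogue ranges; the others
# go to a legitimate resolver (198.51.100.53) or to a web server on port 80.
SAMPLE_FLOWS = """\
2011-11-09 16:01:02,192.0.2.10,85.255.112.34,17,51234,53
2011-11-09 16:01:05,192.0.2.11,198.51.100.53,17,40000,53
2011-11-09 16:02:11,192.0.2.12,213.109.70.8,17,33333,53
2011-11-09 16:02:30,192.0.2.10,85.255.120.1,17,51300,53
2011-11-09 16:03:00,192.0.2.13,203.0.113.9,6,44444,80
"""


def parse_flow(line):
    """Parse one CSV flow record into a dict with typed fields."""
    ts, src, dst, proto, sport, dport = line.strip().split(",")
    return {"ts": ts, "src": src, "dst": dst,
            "proto": int(proto), "sport": int(sport), "dport": int(dport)}


def find_suspect_hosts(flow_text):
    """Return {customer_ip: number of DNS flows sent into DNS Changer ranges}."""
    hits = Counter()
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        # Only DNS traffic (port 53) to a seized netblock counts as a hit.
        if flow["dport"] == 53 and is_dnschanger_resolver(flow["dst"]):
            hits[flow["src"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for net in ROGUE_NETS:
        print("watching", net)
    for host, count in sorted(find_suspect_hosts(SAMPLE_FLOWS).items()):
        print(f"{host}: {count} DNS flow(s) to DNS Changer resolvers")
```

To run this against a real export, replace SAMPLE_FLOWS with the CSV output of your flow collector, keeping the same column order, or adjust `parse_flow` to match it. Because the source addresses in the seized ranges are the rogue resolvers themselves, matching on the destination of port-53 flows from your customer space is the cleaner signal; flows in the other direction (resolver to customer) would show up as the return traffic of the same sessions.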