Wednesday, March 28, 2012

DNS Changer: Countdown clock reset, but still ticking

Operation Ghost Click

Last November, the main website headline was "DNS Malware: Is Your Computer Infected?". The story detailed the arrest of six Estonian criminals who had infected more than 4 million computers with malware that changed Domain Name Server settings on the impacted computers. The impact of this change was that when a user typed an address in their web browser, or even followed a link on the web page, instead of asking their Internet Service Provider's DNS server where they should go to reach the computer that had that name, they would ask a DNS server run by the criminals.

Most of the time, the traffic still went to the correct address. But at any time of the criminals' choosing, they could replace any website with content created or provided by the criminals. This allowed them to do things like place an advertisement for an illegal pharmaceutical website selling Viagra on a website that should have been showing an advertisement paid for by a legitimate advertiser.

The case, called "Operation Ghost Click" was the result of many security professionals and researchers working together with law enforcement to build a coordinated view of the threat. The University of Alabama at Birmingham was among those thanked on the FBI website.

DNS Servers and ISC

This case had one HUGE technical problem. If the criminals' computers were siezed and turned off, all of the four million computers that were relying on those computer to "find things" on the Internet by resolving domain names to numeric IP addresses for them would fail. They wouldn't just "default back" to some pre-infection DNS setting, they would just stop being able to use the Internet at all until someone with some tech-savvy fixed the DNS settings on those computers.

Because of this, the court order did something unprecedented. Paul Vixie, from the Internet Systems Consorium, a tiny non-profit in California that helps to keep name services working right for the entire world, was contracted to REPLACE the criminals' DNS Servers with ISC DNS Servers that would give the right answer to any DNS queries they received. Vixie wrote about his experience with this operation in the CircleID blog on Internet Infrastructure on March 27th.

The problem, as Vixie, and other security researchers such as Brian Krebs, have related is that the court order was supposed to be a temporary measure, just until the Department of Justice managed to get everyone's DNS settings set back the way they were supposed to be. Back in November, the court decided March 9th would be a good day to turn off the ISC DNS servers.

But are you STILL infected?

Unfortunately, the vast majority of the 4 million compromised computers have not been fixed. On March 8th the court agreed to give them an extension until July 9th. (Krebs has a copy of the court order here)

But how do you know if YOU are still infected?


When I visit the website "DNS-OK.US" I get a green background on the image (shown above) which tells me that my computer is not using a DNS server address that formerly belonged to an Estonian cybercriminal. (The website is available in several other languages as well.)

The tech behind this is that the website is checking to see if you resolve your DNS by using an IP address in the following ranges: - - - - - -

If you ARE, then you need to assign a NEW DNS SERVER ADDRESS.

The DNS Changer Working Group has a CHECKUP page and a DNS CLEANUP page to explain this process to technical people. Any "computer savvy" person should be able to follow their guidelines to get the job done.

Good luck!

Gary Warner
Center for Information Assurance and Joint Forensics Research at the University of Alabama at Birmingham.
Learn more about our Masters Degree in Computer Forensics and Security Management.

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.