29 Feb 2012

FBI Will Shutdown DNSChanger Name Servers On March 8 (Operation Ghost Click)

It is widely known that the FBI will shut down the DNSChanger name servers on the 8th of March, so it can be expected that the Internet connections of many users across the whole spectrum will be disrupted during this operation, because the trojan named DNSChanger has infected millions of computers in more than 100 countries. The FBI planned the operation in November 2011 under the name Operation Ghost Click. What many people do not know is that the clean DNS servers operated by the Internet Systems Consortium (ISC), which replaced the rogue servers, will also be shut down on March 8, 2012.[1] Initially, the US District Court for the Southern District of New York permitted the ISC to operate these servers for a period of 120 days.[1] However, on February 17, 2012 the US government requested that this deadline be extended to July 9, 2012.[2]
Barring an extension from the FBI, systems still infected with DNSChanger will stop receiving DNS service from the ISC-controlled name servers on this date. In other words, they will no longer be able to resolve names and reach Internet resources properly. This gives information security professionals less than two weeks to detect, locate and remediate any systems on their networks that remain infected.

The DNSChanger Working Group (DCWG) estimates that approximately 450,000 systems were still infected as of January 28, 2012.[3] Other statistics indicate that DNSChanger may be present in half of the Fortune 500 companies as well as in at least 27 government organizations.[4,5,6] In early February 2012, Internet Identity disclosed that 3 million systems were still infected globally.[5,6] This is a relatively small number of systems compared with other virus outbreaks. Regardless, it represents a challenge to security professionals, and a sweep can be a substantial undertaking for large enterprises.

The purpose of DNSChanger was to redirect infected systems to malicious destinations, and many of those sites in turn installed additional malware. A system found to be infected with DNSChanger is therefore likely to carry additional infections as well.[7] This should justify the need for a thorough sweep for DNSChanger infections. Luckily there are many resources available to detect and remediate them. The easiest way is to use a network monitoring tool to isolate DNS traffic sent to the ISC-operated DNS resolvers.
The offending netblocks are:[1,8]
85.255.112.0/20 (85.255.112.0 through 85.255.127.255)
67.210.0.0/20 (67.210.0.0 through 67.210.15.255)
93.188.160.0/21 (93.188.160.0 through 93.188.167.255)
77.67.83.0/24 (77.67.83.0 through 77.67.83.255)
213.109.64.0/20 (213.109.64.0 through 213.109.79.255)
64.28.176.0/20 (64.28.176.0 through 64.28.191.255)
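As an added example (not part of the original post, and not FBI, DCWG or ISC tooling), the following Python script applies the netblock check described above to a few constructed flow records: it flags internal hosts whose DNS queries (port 53) are sent to an address inside any of the six ranges, and it recomputes the first and last address of each CIDR so the parenthetical ranges in the list above can be verified. The flow record format ("src dst dst_port proto") and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# The six netblocks listed in the post (Operation Ghost Click).
DNSCHANGER_NETBLOCKS = [ipaddress.ip_network(cidr) for cidr in (
    "85.255.112.0/20",
    "67.210.0.0/20",
    "93.188.160.0/21",
    "77.67.83.0/24",
    "213.109.64.0/20",
    "64.28.176.0/20",
)]


def netblock_range(cidr: str) -> tuple:
    """Return (first, last) address of a CIDR block as dotted strings.

    Useful for checking the human-readable ranges printed next to each
    netblock against the CIDR notation itself.
    """
    net = ipaddress.ip_network(cidr)
    return str(net.network_address), str(net.broadcast_address)


def is_dnschanger_resolver(addr: str) -> bool:
    """True if addr lies inside one of the DNSChanger netblocks.

    Malformed addresses are treated as non-matching rather than raising,
    so the check can be run over noisy log data.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in DNSCHANGER_NETBLOCKS)


def find_infected_hosts(flow_lines) -> set:
    """Scan flow records of the form 'src_ip dst_ip dst_port proto'.

    Returns the set of source addresses that sent DNS traffic
    (UDP or TCP port 53) to an address inside a DNSChanger netblock.
    Lines that do not have at least four fields are skipped.
    """
    infected = set()
    for line in flow_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        src, dst, port, proto = parts[:4]
        if port == "53" and proto.lower() in ("udp", "tcp") \
                and is_dnschanger_resolver(dst):
            infected.add(src)
    return infected


# Constructed sample flow records (hypothetical internal hosts and destinations).
SAMPLE_FLOWS = [
    "10.0.0.12 85.255.112.36 53 udp",   # DNS to a rogue range: flag
    "10.0.0.15 8.8.8.8 53 udp",         # DNS to a public resolver: clean
    "10.0.0.40 213.109.79.8 53 tcp",    # DNS over TCP to a rogue range: flag
    "10.0.0.12 64.28.176.1 80 tcp",     # HTTP to a rogue range, not DNS: ignored
    "10.0.0.77 77.67.84.5 53 udp",      # just outside 77.67.83.0/24: clean
    "malformed record",                 # skipped
]

if __name__ == "__main__":
    for net in DNSCHANGER_NETBLOCKS:
        first, last = netblock_range(str(net))
        print(f"{net}: {first} through {last}")
    print("hosts to remediate:", sorted(find_infected_hosts(SAMPLE_FLOWS)))
```

In practice the flow lines would come from a NetFlow/sFlow export or a firewall log rather than a hard-coded list; matching on the destination netblock rather than on a single resolver IP is what makes the check robust, since the rogue resolvers lived at many addresses across these ranges.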

The FBI has published a paper with instructions on how to detect DNSChanger on individual systems.


-Source (FBI, Infosec Island)