Story

DNSChanger and the FBI’s internet blackout on 8 March

 For several days the news circulating on internet on the planned blackout of Internet for million of users on 8 March decided by FBI to deal with cyber threats. The enemy to fight is named DNSChanger Trojan, a malware that has infected milion of computers all over the world in more than 100 countries. The story begins last year when in Estonia was arrested a group of person accused of having developed the dreaded trojan that seems to be able to spread with surprising ease.

What does the DNS Changer Malware do?

The botnet operated by Rove Digital altered user DNS settings, pointing victims to malicious DNS in data centers in Estonia, New York, and Chicago. The malicious DNS servers would give fake, malicious answers, altering user searches, and promoting fake and dangerous products. Because every web search starts with DNS, the malware showed users an altered version of the Internet. Under a court order, expiring March 8, the Internet Systems Corporation is operating replacement DNS servers for the Rove Digital network. This will allow affected networks time to identify infected hosts, and avoid sudden disruption of services to victim machines.

To counter the threat the Federal Bureau of Investigation may shutdown several DNS (domain name servers) on March 8, with the undesirable side effect of blocking millions from using the Internet.  DNSChanger is able to change inside the infected system the DNS settings hijacking web traffic to unwanted and infected sites. DNS translates domain names into the numeric IP addresses and lets users reach desidered websites, Windows and Mac OS X users are both vulnerable to this malware because it exploits the browser, not the operating system.  A self-check of any PC can be easly done to make sure it is not infected. Comparing DNS setting to the list of rogue DNS servers it is possible to discover the infection.

85.255.112.0 through 85.255.127.255
67.210.0.0 through 67.210.15.255
93.188.160.0 through 93.188.167.255
77.67.83.0 through 77.67.83.255
213.109.64.0 through 213.109.79.255
64.28.176.0 through 64.28.191.25
 
The FBI has published a pretty decent guide to performing the self-check here. If you are infected by the DNSChanger Trojan, the FBI reminds us that this malware also disables security updates which could have further exposed you to other malware.

The measure is necessary because many organizations still have not removed the DNSChanger Trojan from infected systems, despite the fact that the botnet's command-and-control infrastructure has been under the Federal Bureau of Investigation's control for the past few months. The situation is curious because once discovered the cyber crime the FBI to give businesses and private individuals affected by DNSChanger time to cleanse infected systems has replaced the Trojan’s DNS infrastructure with surrogate, legitimate DNS servers. Replacing the command server the feds have prevented the worm propagation. The FBI took over the botnet's command-and-control (C&C) servers in November as part of Operation Ghost Click.

The surrogate architecture used for the botnet takedown will operate until March 8, 2012 according the FBI court decision. To avoid the blackout of the surrogate servers is needed that the court extends the order to take in place the substituded structures, in this way any computers still infected may be able to browse the web.

To get an idea of ​​the prevalence of the malware according to the declaration of the cyber journalist Brian Krebs, Internet Identity believes DNSChanger infected "half of all Fortune 500 firms, and 27 out of 55 major government entities."

But wow many people are infected?

To meet the threat was also set up a special task force to provide support for private companies and were given the necessary instructions to the removal of malware on the site DCWG.org.  There's no guarantee that the decision to extend the operation of surrogate servers would facilitate the global immunization.

While the shutdown may be a "bit of a shock" to the victims, it would ultimately be a good thing, Chester Wisniewski, senior security advisor at Sophos Canada, wrote on the Naked Security blog. "You can't survive cancer by not getting tested. Keeping your machines infected so you can surf is not likely the best strategy," Wisniewski said.

While the shutdown may appears as an excessive measure to the victims, it would be the right thing to do. Chester Wisniewski, senior security advisor at Sophos, wrote on the Naked Security blog. "You can't survive cancer by not getting tested. Keeping your machines infected so you can surf is not likely the best strategy," ... I totaly agree.

Pierluigi Paganini

References

http://securityaffairs.co/wordpress/2682/malware/dnschanger-and-legal-consequences-of-operation-ghost-click.html