10

Back in late 2011 the FBI dismantled a large and sophisticated internet fraud ring behind the DNSChanger virus/malware. Part of this malware involved directing victims' DNS requests to rogue servers controlled by the malware authors.

After arresting the perpetrators the FBI and ISC set up "clean" DNS servers to replace the rogue servers used by the malware authors. These servers are scheduled to cease operation on July 9, 2012.

There are plenty of articles, mainly this one that caught my attention. Honestly, I have never heard anything about this until this morning when my boss asked me to "prepare" something for our co-workers to keep them on the up-and-up.

First and foremost, has anyone else heard about this and should I be worried? The DNS at my work environment is not in the range of affected rogue DNS, but that's not to say mine at home or any of my colleagues' might not be.

Second, how should I go about "preparing" to make sure everything is safe and functioning like it should be come July 9?

masegaloeh
  • 18,236
  • 10
  • 57
  • 106
C-dizzle
  • 243
  • 1
  • 7
  • Bit late to start worrying about this one now... it's a bit like starting your Y2K efforts at Christmas '99. – womble Jul 06 '12 at 18:43
  • True, but it wasn't me worrying about it lol, it was my boss. – C-dizzle Jul 06 '12 at 18:54
  • Why wasn't this on your radar months ago? It's only been on-going for 7 months, with plenty of discussion in the places where professional sysadmins discuss such things. NANOG's been discussing it nearly non-stop. – womble Jul 06 '12 at 18:56
  • @womble why didn't the FBI just have their DNS servers report back "fake" records for all sites directing infected users to a page with information about the malware, with instructions to change it back? Normally I despise when DNS providers do things like this, but it seems like this would be an acceptable exception. – Tom Marthenal Jul 10 '12 at 19:02
  • @TomMarthenal: There are some portions of the Internet that are not HTTP traffic. – womble Jul 10 '12 at 20:49
  • @womble it still seems like that would be a better solution than just turning off the servers. If my email stopped working, I'd probably open a web browser eventually to try to diagnose the problem. Plus, some of the latest OSes (win7, iOS at least) try to detect authentication pages (like on hotel WiFi). They'd probably pick this up and alert the user that they need to authenticate, where they'd then see the notice from the FBI. By just turning them off, a lot of users who are bad with technology will have no idea what's going on or how to fix it. – Tom Marthenal Jul 10 '12 at 23:41
  • @TomMarthenal: As per [this message to NANOG](http://mailman.nanog.org/pipermail/nanog/2012-July/050051.html), "Unfortunately, taking either of those actions would have exceeded the authorization of the court order.". At the end of the day, this has been running for 7 months -- they could have just let the netblocks go dark immediately if they wanted. It is in no way the FBI's or ISC's responsibility to let infected machines continue to pollute the Internet for all eternity. – womble Jul 10 '12 at 23:58

2 Answers

13

It's not your DNS servers that you would have to worry about. It's the client machines that got infected by this malware.

Basically what happened was that when the FBI arrested the authors of the virus they took control of the DNS servers that they were running. Now, they can't run them forever using taxpayers' money and they are on a limited amount of time due to the court order that was issued.

On your end you need to make sure that your client machines are not infected with the virus.

There is a lot of good info on the FBI Operation Ghost Click website.

Zypher
  • 37,405
  • 5
  • 53
  • 95
6

In addition to what Zypher mentioned, you may also want to check out ISC's blog post about this, and the DNS Changer Working Group website which is specifically devoted to this mess.

In particular, the ISC site mentions the following re: how to detect if your systems are affected:

Is your DNS OK?
A half dozen national Internet security teams around the world have created special web sites that will display a warning message to potential victims of the DNS Changer infection.
For example if you visit http://dns-ok.de/ then you’ll get a German language page saying either that you appear to be infected or that you appear not to be infected. Andrew Fried and I created http://dns-ok.us/ for the same purpose, though of course our page is in American English.
The full list of these “DNS Checking” web sites is published on the DCWG’s web site along with a lot of information about the threat, the arrests, the takedown, the court orders, and clean-up information for victims. Now that we’ve got all these web sites that are able to tell someone if they are a victim and that tell victims what to do to clean up their computers and their home routers, the problem seems to be getting people to care.

voretaq7
  • 79,879
  • 17
  • 130
  • 214
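Both answers come down to the same check: look at what resolvers each client (and each home router) is actually configured to use, and see whether any of them sit in the netblocks the FBI seized. The dns-ok.* sites do this from the outside; the script below is an added, offline example (not code from the thread, the FBI, ISC or the DCWG) that does it from the host's own configuration. It parses `ipconfig /all`, `/etc/resolv.conf` or `scutil --dns` output, so it also works on saved output collected from colleagues' machines. The rogue ranges are the ones the FBI/DCWG published; cross-check them against the DCWG site before relying on the script in an audit. The sample outputs at the bottom are constructed, not captured from a real host.

```python
#!/usr/bin/env python3
"""Flag hosts whose configured DNS resolvers sit in the DNSChanger rogue netblocks.

Added example for this thread; not code from the original posts or the DCWG.
Usage:  python dnschanger_check.py            (inspect this host)
        python dnschanger_check.py <file>     (inspect saved ipconfig/resolv.conf/scutil output)
"""
import ipaddress
import re
import subprocess
import sys

# Rogue resolver ranges as published by the FBI / DCWG for DNSChanger
# (85.255.112.0-85.255.127.255, 67.210.0.0-67.210.15.255, 93.188.160.0-93.188.167.255,
#  77.67.83.0-77.67.83.255, 213.109.64.0-213.109.79.255, 64.28.176.0-64.28.191.255).
# Cross-check against the DCWG list before you rely on this in an audit.
ROGUE_NETS = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20", "67.210.0.0/20", "93.188.160.0/21",
    "77.67.83.0/24", "213.109.64.0/20", "64.28.176.0/20")]

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
DNS_KEYWORD_RE = re.compile(r"dns servers?|nameserver", re.IGNORECASE)
LABELLED_RE = re.compile(r"\s:\s")   # "Label . . . : value" lines (ipconfig, scutil)


def extract_resolvers(text):
    """Return the IPv4 resolvers named in ipconfig /all, /etc/resolv.conf or
    scutil --dns output, in order, without duplicates.

    Only "DNS Servers"/"nameserver" lines and their unlabelled, indented
    continuation lines (ipconfig lists extra resolvers that way) are read,
    so the host's own address, gateway and DHCP server are not mistaken
    for resolvers.
    """
    resolvers = []
    in_dns_block = False
    for line in text.splitlines():
        if DNS_KEYWORD_RE.search(line):
            in_dns_block = True
        elif in_dns_block and (LABELLED_RE.search(line) or not line[:1].isspace()):
            in_dns_block = False          # a new labelled field or a blank line ends the list
        if not in_dns_block:
            continue
        for candidate in IPV4_RE.findall(line):
            try:
                addr = ipaddress.IPv4Address(candidate)
            except ValueError:            # e.g. 999.1.1.1 in a comment
                continue
            if addr not in resolvers:
                resolvers.append(addr)
    return resolvers


def rogue_resolvers(resolvers):
    """Subset of resolvers that fall inside a DNSChanger rogue netblock."""
    return [r for r in resolvers if any(r in net for net in ROGUE_NETS)]


def read_live_config():
    """Read this host's resolver configuration with the platform's usual tool.

    Caveats: with systemd-resolved, /etc/resolv.conf shows only 127.0.0.53, so
    look at `resolvectl status` instead; and DNSChanger also rewrote the WAN DNS
    settings on home routers, which must be checked in the router's admin UI.
    """
    if sys.platform.startswith("win"):
        return subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout
    if sys.platform == "darwin":
        return subprocess.run(["scutil", "--dns"], capture_output=True, text=True).stdout
    with open("/etc/resolv.conf", encoding="utf-8") as fh:
        return fh.read()


# Constructed sample `ipconfig /all` output (not from a real host): one rogue resolver.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : corp.example
   IPv4 Address. . . . . . . . . . . : 192.168.1.25
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.36
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Constructed clean /etc/resolv.conf.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.lan
nameserver 192.168.0.1
"""


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else read_live_config()
    seen = extract_resolvers(text)
    bad = rogue_resolvers(seen)
    print("resolvers:", ", ".join(map(str, seen)) or "none found")
    if bad:
        print("WARNING: DNSChanger rogue resolver(s) configured:", ", ".join(map(str, bad)))
        sys.exit(1)
    print("OK: no rogue resolvers configured")
```

A non-zero exit means at least one configured resolver is in a seized range, which is the same condition the dns-ok.* sites report as "infected"; a clean result from this script does not prove the machine is malware-free, it only says the resolver settings are not pointing at the rogue ranges, so the router check and an antivirus scan still apply.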