
SANS ISC InfoSec Handlers Diary Blog



DNSChanger resolver shutdown deadline is March 8th

Published: 2012-02-20
Last Updated: 2012-02-20 23:05:35 UTC
by Rick Wanner (Version: 1)

The ISC has written a number of diaries about DNSChanger in the past, including this excellent diary by a number of ISC Handlers, so I am not going to rehash the history.

With the FBI's March 8th deadline for disabling the DNSChanger resolvers rapidly approaching, the predictable fearmongering is beginning in the blogosphere and the regular press. Rest assured that DNSChanger infected a relatively small number of computers compared to most infections, and turning off the temporary resolvers will barely be a blip on the Internet. There are some suggestions that the FBI may extend this deadline to permit companies to complete their cleanup. Frankly I am on the fence about whether or not an extension is a good idea. I certainly don't want to entertain the possibility that the companies that I do business with, and entrust my personal information to, may take more than 4 months to clean up a known malware infection.

The fact is that DNSChanger has provided us a rare opportunity. DNSChanger itself never reached its full potential because of the FBI's intervention, but analysis of DNSChanger-infected computers has revealed that they are nearly always also infected with a range of other malware, including malware that disables automatic updates and antivirus products. Others have been found with credential-stealing Trojans and rootkits. Certainly the detection of this sort of malware should result in immediately taking the computer off the network and rebuilding it.

The symptoms of a DNSChanger malware infection are relatively easy to detect. Shortly after the FBI's Operation Ghost Click was revealed, the DNSChanger Working Group (DCWG) provided instructions on how to determine if your computer is infected, and shadowserver.org has made reports available which permit anyone who owns their own address space to reliably detect the presence of DNSChanger infections, and by extension the associated malware.

In the last month or so another way of detecting DNSChanger-infected computers has been made available. Several countries have launched eyechart sites which will tell you if the machine you are on is infected with the malware. For the most part these sites follow the pattern of dns-ok.CC, where CC is the country code of the hosting country. Some that are available are dns-ok.us (U.S.), dns-ok.ca (Canada), dns-ok.de (Germany), dns-ok.be (Belgium), and I am sure there are many others. They all follow a familiar pattern: if the site shows a friendly green, your computer is not infected with DNSChanger; a not-so-friendly red requires further investigation.

One caveat.  It appears that in relatively rare circumstances, DNSChanger may infect SOHO routers.  So although the eyechart may be red, it may not be the computer you are on that is infected.  It may be the router.  Either way you know that some investigation is warranted.
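As an added example (not from the diary, the DCWG or shadowserver), here is the host-side check the DCWG instructions describe: read the resolvers a machine is configured to use and compare them against the rogue resolver ranges. The ranges in the block are RFC 5737 placeholders, not the real ones; substitute the list published by the DCWG. A resolver on a private LAN address is reported as inconclusive because, as the caveat above notes, the router itself may be the device pointing at the rogue resolvers.

```python
import ipaddress

# PLACEHOLDER ranges (RFC 5737 documentation space), NOT the real rogue
# resolver ranges: replace with the ranges published by the DCWG.
ROGUE_RANGES_PLACEHOLDER = ["192.0.2.0/24", "198.51.100.0/24"]

# RFC 1918 space: a resolver here is usually the SOHO router, so the host
# check cannot see what the router forwards to upstream.
LAN_RANGES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Constructed sample resolv.conf: a LAN router, a (placeholder) rogue
# resolver, and a normal public resolver.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search example.internal
nameserver 192.168.1.1
nameserver 192.0.2.53
nameserver 8.8.8.8
"""


def parse_nameservers(resolv_text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in resolv_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # malformed entry; ignore it
    return servers


def classify_resolver(addr, rogue_ranges):
    """'rogue' if addr lies in a rogue range, 'inconclusive' if it is a LAN
    address (check the router's upstream DNS settings), otherwise 'clean'."""
    if any(addr in ipaddress.ip_network(r) for r in rogue_ranges):
        return "rogue"
    if any(addr in ipaddress.ip_network(r) for r in LAN_RANGES):
        return "inconclusive"
    return "clean"


def check_resolvers(resolv_text, rogue_ranges=ROGUE_RANGES_PLACEHOLDER):
    """Map each configured resolver to its verdict."""
    return {str(a): classify_resolver(a, rogue_ranges)
            for a in parse_nameservers(resolv_text)}


if __name__ == "__main__":
    for server, verdict in check_resolvers(SAMPLE_RESOLV_CONF).items():
        print(f"{server:16} {verdict}")
```

On a live Linux host, pass the contents of /etc/resolv.conf instead of the constructed sample; an "inconclusive" verdict means the router's own DNS settings have to be inspected.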

Please consider using these available tools to clean up malware infections on your network...before the FBI turns off the resolvers.

-- Rick Wanner - rwanner at isc dot sans dot org - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)
