Threat Level: green Handler on Duty: Manuel Pelaez

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Internet Storm Center panel tonight at SANSFIRE 2012!

Published: 2012-07-09
Last Updated: 2012-07-09 21:40:17 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
1 comment(s)

If you are at Washington DC enjoying SANSFIRE 2012, don't forget that the Internet Storm Center State of the Internet Panel discussion is tonight at 7:15 PM in the Hilton Washington International Ballroom Center. See you all there!

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
Web:http://manuel.santander.name
e-mail:msantand at isc dot sans dot org

1 comment(s)

The FBI will turn off the Internet on Monday (or not)

Published: 2012-07-09
Last Updated: 2012-07-09 16:08:02 UTC
by Johannes Ullrich (Version: 1)
8 comment(s)

On Monday, the DNS Changer Working group will discontinue providing DNS service to hosts infected with the DNS changer virus. This new item led to a flood of news reports, which IMHO blow the entire affair out of proportion (the headline to this diary entry pretty much reflects a discussion I had today with a non technical person responding to one of these articles). Reading this article, it is likely that you will be one of the people being asked for advice as "how to protect yourself" from this virus. I find it useful to stick to these talking points:

The DNS Changer malware was spreading last year and changed DNS settings in computers it infected. After arresting the group behind this malware, the FBI, as permitted by a court order, worked with ISPs and the DNS Changer Working Group to continue to operate the DNS server that the infected systems pointed to. The hope was to identify and notify as many infected systems as possible. As expected, over the last few months, these efforts had diminishing results. The court order permitting the DNS server is about to expire and as a result, this stand in DNS server will not continue to operate.

If your system is still configured to use the bad DNS server, you will not be able to resolve host names. Even if you removed the malware, it is still possible that you didn't revert the DNS settings change. 

For Windows users, this may actually not matter. According to some reports, Windows may actually revert to the default settings once the DNS server is turned off. If you used the bad DNS server, chances are that various entities tried to notify you. Google for example should have shown you a banner. If you don't see a warning banner when visiting Google, you are not one of the systems identified as infected.

Some ISPs setup their own DNS servers for DNS Changer victims. These DNS servers will remain active for now.

This malware is also old enough where Antivirus, if you run any, should have signatures for it. 

In short: Don't worry. There are estimates of 250,000 infected systems based on data from the DNS changer working group. There are about 2,000,000,000 internet users. So about 0.01% of internet users are infected. In other words: Very few. People who have disregarded warning banners, phone calls from ISPs, AV warnings, and other notification attempts. They probably should be disconnected from the Internet.

In a few cases routers may be affected by the change, and the router will use the wrong DNS server. Again: if you are connected to one of these routers, you should have seen warning banners. If you haven't seen warning banners at Google: Don't worry.

Lastly: Tell people to go to dcwg.org (short for DNS Changer Working Group.org). It has a little test to tell you if you are affected or not. It also got a lot of first hand information about this malware.

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

8 comment(s)
ISC StormCast for Monday, July 9th 2012 http://isc.sans.edu/podcastdetail.html?id=2650
Diary Archives