The Day The Internet Will Break For Millions—A Looming Deadline in the Aftermath of 'Operation Ghost Click'
Just two months ago, the Internet security community and international law enforcement scored a great victory on November 8, 2011, when news came out about Operation Ghost Click. This operation had just culminated in the arrest and extradition of several alleged Estonian cybercriminals who are charged with controlling an extensive network of infected computers via malware known as “DNSChanger” over several years, defrauding consumers out of tens of millions of dollars. The FBI, working in concert with NASA, the Estonian police, and several private sector firms and security researchers, orchestrated the complete takedown of the DNSChanger infrastructure. Concurrently, authorities took over the criminal network itself so that victim machines could be identified, cleaned, and repaired. It is estimated that this criminal malware infected more than four million computers since 2007.
Takedown just a start
However, the takedown represented only a partial victory. Millions of these machines remain infected and there is a very real “deadline” looming in another two months when a judicial order that is helping keep these infected computers working runs out.
To understand this deadline it’s necessary to understand how DNSChanger alters the way infected machines resolve domain names. DNSChanger routes those infected machines’ DNS queries towards malicious servers run by the criminals instead of their normal recursive DNS servers. Take out those malicious servers, and the infected machines will have no DNS service; millions of people will suddenly be unable to use the Internet. So the FBI, in conjunction with industry partners, has erected temporary DNS servers to keep the Internet "working" for infected machines while cleanup efforts are undertaken. It is important to note that the replacement servers will not remove the DNSChanger malware—or other viruses it may have facilitated—from infected computers. About half of the original 120-day order for temporary servers has run out, and the cleanup efforts are seriously lagging. On March 7, 2012 when the deadline arrives, millions of people may not be able to reach their intended Internet destinations.
Out of sight, out of mind
Since the initial headlines, there seems to be little interest in the DNSChanger story, and many in the security community are concerned about the impact when the temporary servers are taken down. Certainly when millions of users lose their Internet connectivity simultaneously in early March it will be a different story, but in order to prevent that from happening, the time to act is now.
And there is also no excuse not to act. Many members of the security community know the IP addresses of all the infected machines out there, since they all reach out to the temporary servers for DNS resolutions constantly. Getting a hold of that information for a network that you run is free. Organizations like ShadowServer and Team Cymru are providing free lists of infected IPs to the relevant Internet service providers and network operators. Some companies are providing free alerts to enterprise network operators and many other security companies are providing this information to their clients as well. A little bit of work today will solve some major customer service impacts in a couple months when “the Internet will break” for millions of computers around the world.
What is DNSChanger and what does it do?
DNSChanger is a deep-level rootkit malware (incorporating TDSS, also known as Alureon or TDL4) developed to divert traffic for clickjacking and to suppress normal Anti-Virus (A/V) updates. The malware reconfigures DNS settings on victims’ machines, both PC's and Macs, as well as small office/home office routers, to use criminally run DNS servers. It also disables A/V and regular software updates on the infected machines, making them susceptible to attacks from other virus families. The goal of this malware was largely to monetize traffic from misdirected users, and in that it worked very well—to the tune of at least tens of millions of dollars, if not more. The software is also very well dug in to the operating system, making cleanup difficult—likely requiring sector-level re-imaging of the entire machine in order to be sure to get it all. The industry is still working on best common practices regarding remediation right now, and a website with the latest information is being built by the DNS Changer Working Group at http://dcwg.org. While cleanup will be far from simple, certainly one of the key elements is to ensure that settings on affected machines for DNS resolution are reconfigured to use legitimate DNS servers instead of the criminal infrastructure servers.
Who is impacted?
DNSChanger has been spreading for well over five years, and is believed to be on over four million computers. Most of the millions of victims ironically thought they were downloading anti-spyware software and were victims of well-executed social engineering campaigns, so there is widespread damage. Victims have been susceptible to other virus attacks, as the DNSChanger malware has disabled their A/V. Once the FBI's temporary DNS servers are shut down in a few months, un-repaired machines will not be able to reach Internet addresses.
A tool for determining if an individual's machine is affected can be found on the FBI website. The FBI is also seeking to build an even bigger case against the miscreants by calling on all people and organizations who find that they have infected devices submit a victim report form here.
Get in the Game Today!
The time to act is now—both getting your infected machines cleaned up, and as an enterprise, locking down your recursive DNS infrastructure so the next version of DNSChanger doesn’t do even more damage.
Speaking of enterprises, while we’ve addressed DNSChanger’s threats and clean-up efforts, we have not fully talked about how you can prevent DNSChanger-type malware from impacting your network. Stay tuned for the second installment in our two part series on DNSChanger malware in the coming weeks for that side of the story.