Our article earlier this week about the frequency of DNS exploits has already come back in the news, in the wake of shutting down one of the the longest running and most costly botnets in history by the FBI earlier this week. The network, called Esthost, supposedly claimed an estimated four to five million victims and fleeced them somewhere around $14 million. All of that was due to 100 rogue DNS servers that were used to redirect massive amounts of traffic from the infected computers. The operation, dubbed Ghost Click by the FBI, raided two data centers in New York and Chicago, along with arresting people in Tartu, Estonia.
The malware consisted of Trojans that were used to change the DNS settings so that unsuspecting users would be redirected to malicious Web sites when they tried to navigate around the Internet. The Trojan, called DNSChanger, has been around for several years, apparently. One of the parties that helped law enforcement, Trend Micro, claimed they knew of the perpetrators since 2006 and held off identifying them to allow the law to apprehend them. Trend has posted details about its efforts here on their site.
The crime ring made its money through a variety of methods, including replacing legit banner ads with phony ones to capture their clickstream and hijacking search results. And unlike many exploits that have been Windows-only, this one also infected Macs too.
What this means to you is that it is worth spending a few moments and making sure that your company is not part of this botnet. Government computers, private companies, and home computers alike have been infected, according to the FBI, which posted this summary on its site today.
If you haven’t checked the DNS settings of your computers, now would be a good time. The ranges of IP addresses used by the fraudsters is staggering. But wait, there is more.
“The DNSChanger malware is capable of changing the DNS server settings within SOHO routers that have the default username and password provided by the manufacturer,” says the FBI. So if you haven’t changed your router password since you took it out of the box, now would be a good time, as well as to look at your router’s DNS settings to ensure that they are legit too.
The phony DNS IP address ranges are:
- 85.255.112.0 through 85.255.127.255
- 67.210.0.0 through 67.210.15.255
- 93.188.160.0 through 93.188.167.255
- 77.67.83.0 through 77.67.83.255
- 213.109.64.0 through 213.109.79.255
- 64.28.176.0 through 64.28.191.255
No shortage of IP addresses can be had for scammers, it seems, unlike the rest of us.
What is curious is that the FBI is now operating legit DNS servers at the above addresses, in the interest of providing continuity and connectivity to the PCs that were infected. You still have to clean out your machines though. “At this time, there is no single patch or fix that can be downloaded and installed to remove this [DNSChanger] malware,” states the FBI.
Also helpful is that the FBI has this form here where you can post your computer’s DNS setting and the FBI will check if it is a rogue or legit one.
Now might be time to use a DNS provider such as OpenDNS.org, that can provide more security and higher performance of this critical function.
The opening image is from the O’Reilly seminal book on DNS on Wndows Server.
