By Kurt Baumgartner
The FBI’s “Operation Ghost Click” announcement in Nov 2011, the takedown of the Rove Digital botnet and the delayed cleanup effort that we previously discussed, continues to haunt both internet networks and the mass media. A Forbes article and a Times article yesterday brought the apparition back to the front, with some claiming that the check site offered by the DNSChanger Working Group is new. It is not: the 2011 operation being described, the temporary replacement DNS servers, and the delayed cleanup are all the same story. This phantom is nothing supernatural, so why all the discussion? The federal judge’s extension allowing the FBI to keep running the replacement DNS servers still expires in early July. When those replacement servers go offline, infected systems still sending their DNS queries to the address ranges formerly run by Rove Digital will simply get no answers. July 9th will arrive soon, and notifications continue to go out for the hundreds of thousands of systems in the US alone that are still infected.
In the simplest terms, the network link of a DNSChanger-infected system will not be severed, but without a working resolver nothing that depends on name lookups will function on systems that have not been cleaned up. In the US, government agencies, home users, and other organizations still infected with the malware will have systems that effectively can’t browse, can’t send email, and so on. They will appear connected to their network, but they won’t be able to reach anything by name.
At the same time, there seem to be issues with some of the existing identification efforts. Yesterday, I infected a test system with DNSChanger and visited dns-ok.us. Results (the site reported the system as clean):

Regarding the dns-ok site visit, my ISP’s support team isn’t aware of any DNS redirection that would cause the test to report a false clean result, and I will update this post if our network admin confirms that they are redirecting my system’s DNS queries. That seems highly doubtful, though. My point here is that infected system owners may be misled by this check. The DNS server address the malware configured on my test system was within the FBI-published ranges formerly run by Rove Digital; perhaps a reader knows differently?
UPDATE (1:40 p.m. MST) – I received some details from my local ISP network admin. They are not redirecting any related DNS queries. However, one of their large upstream providers is transparently redirecting DNS requests to a DNS server of its own; the other upstream link does not appear to re-route DNS requests. So my infected client’s traffic must be favoring routes through the larger upstream provider, and poof, the green/clean response banner appears. Any way you look at it, the response from the site can be inconsistent, sometimes red, sometimes green, depending on which path the query happens to take. Unfortunately, this sort of situation is going to confuse cleanup efforts.
So, here we are again. To the potentially millions of people running DNSChanger-infected systems who are listening to the cacophony of incident responder consultants tossing out cheap cynicism that “AV is dead!”: go ahead and download an AV product and scan your system. Of course, I like recommending our scanners (just visit http://www.kaspersky.com) because I have cleaned up DNSChanger-infected systems with them (and the products have fully functional trial periods), along with our TDSSKiller rootkit removal tool for especially complex DNSChanger infections.
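The two checks the post contrasts, a local one that reads the host’s own resolver configuration and a remote banner check whose verdict depends on which resolver actually handles the query, as an added example. This is not code from the original post or from Kaspersky. It assumes the address ranges the FBI published in its DNSChanger advisory (reproduced here; check them against the DNSChanger Working Group’s list before relying on them), uses constructed sample resolver configurations, treats 203.0.113.53 as a placeholder for an upstream provider’s own resolver, and models the banner check with a simplified function (`banner_check`), not the actual implementation of dns-ok.us.

```python
"""Added example (not from the original post): a local DNSChanger check that
does not depend on a web banner, plus a model of why the banner can be green
for an infected host when an upstream provider redirects port-53 traffic."""
import ipaddress
import re
from typing import Dict, List, Optional

# Rove Digital resolver ranges as listed in the FBI's public DNSChanger
# advisory (reproduced from that advisory; verify against the DCWG list
# before relying on them in production tooling).
ROGUE_RANGES = [
    ipaddress.ip_network(n) for n in (
        "85.255.112.0/20",   # 85.255.112.0 - 85.255.127.255
        "67.210.0.0/20",     # 67.210.0.0   - 67.210.15.255
        "93.188.160.0/21",   # 93.188.160.0 - 93.188.167.255
        "77.67.83.0/24",     # 77.67.83.0   - 77.67.83.255
        "213.109.64.0/20",   # 213.109.64.0 - 213.109.79.255
        "64.28.176.0/20",    # 64.28.176.0  - 64.28.191.255
    )
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_rogue_resolver(addr: str) -> bool:
    """True if addr falls inside one of the published Rove Digital ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ROGUE_RANGES)


def parse_resolv_conf(text: str) -> List[str]:
    """Nameserver addresses from /etc/resolv.conf-style text (Linux/macOS/BSD)."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        m = re.match(r"nameserver\s+(\S+)$", line)
        if m:
            servers.append(m.group(1))
    return servers


def parse_ipconfig(text: str) -> List[str]:
    """DNS server addresses from `ipconfig /all` output (Windows).

    The 'DNS Servers' field may continue onto indented lines with no label;
    the next labelled field (a line containing ':') ends the block.
    """
    servers, in_dns = [], False
    for line in text.splitlines():
        if "DNS Servers" in line:
            in_dns = True
        elif ":" in line:
            in_dns = False
        if in_dns:
            servers.extend(IPV4.findall(line))
    return servers


def local_check(servers: List[str]) -> Dict[str, object]:
    """Verdict from the host's own configuration, independent of any web check."""
    rogue = [s for s in servers if is_rogue_resolver(s)]
    return {"configured": servers, "rogue": rogue, "infected": bool(rogue)}


def banner_check(configured_resolver: str, upstream_redirect: Optional[str]) -> str:
    """Simplified model (an assumption, not dns-ok.us's real implementation) of a
    remote banner check: its verdict can only reflect the resolver that actually
    handles the query. If an upstream provider transparently redirects port 53
    to its own resolver, that is what the check sees, and an infected host
    gets a green banner."""
    observed = upstream_redirect or configured_resolver
    return "red" if is_rogue_resolver(observed) else "green"


# Constructed sample inputs for an infected host (not captured from a real system).
SAMPLE_RESOLV_CONF = """\
# resolver config rewritten by the malware
nameserver 85.255.112.36
nameserver 93.188.162.10
"""

SAMPLE_IPCONFIG = """\
   DHCP Enabled. . . . . . . . . . . : Yes
   DNS Servers . . . . . . . . . . . : 85.255.112.36
                                       93.188.162.10
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def demo() -> Dict[str, object]:
    """Local verdict vs. banner verdict with and without upstream redirection."""
    servers = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    return {
        "local": local_check(servers)["infected"],
        "banner_direct": banner_check(servers[0], None),
        # 203.0.113.53 stands in for an upstream provider's own resolver
        "banner_redirected": banner_check(servers[0], "203.0.113.53"),
    }


if __name__ == "__main__":
    print(demo())
```

The point of `demo()` is that the same infected host is flagged by the local configuration check in both cases, while the modelled banner check flips from red to green as soon as an upstream resolver answers instead of the rogue one. Checking the resolver addresses actually set on the router and the workstation (via `resolv.conf`, `ipconfig /all`, or the router’s admin page) is the check that does not depend on the network path.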
*Kurt Baumgartner is a Senior Security Researcher for the Global Research and Analysis Team at Kaspersky Lab

Is it possible that even though I am a KISS (long term) customer and have the software set to the strongest scan settings, that my systems are vulnerable to being “cut off” from internet access indiscriminately because the “feds” ie. inept boobs, have no idea what they are dealing with? No! Tell me it ain’t so…. Flash!!! I have a great “Fed” idea! Hire the bad guys out of prison for $190k per year to fix their brain child! WOW! I are a fed!
Independent-
Apparently you aren’t a fan of federal efforts? Noted. :)
You mean a “KIS” customer? Hmm. I suppose that anything is possible, but no, it is highly unlikely that your systems will be cut off indiscriminately from the internet because of DNSChanger infection. And, I am saying the opposite – they are not removing “access” for anyone; the FBI is taking down their replacement DNS servers, not severing connections for anyone.
If you are a KIS customer, keep your updates recent, run a full scan, confirm that your router and workstation/laptop systems are configured to use the DNS settings that your ISP assigns, and you can be highly confident that DNSChanger is not on your systems.
From what I understand, the “feds” have some really talented people handling the replacement DNS servers. And they have done some impressive work on this case. I was trying to explain existing problems with the current online infection identification site – some upstream providers (private, commercial orgs) are redirecting DNS queries, some are not. Simply put, using the dns-ok site is not 100% reliable. The problem here seems to be fed-private coordination and communication (and possibly cooperation), not necessarily ineptness.
Kurt
Fat-key aside Kurt, not 100% reliable is the issue here! Your article isn’t the issue here. Big Fed is NEVER responsive nor accurate. Look at (insert disaster) and tell me it is.
You infected a system and the check at dns-ok came back as OK! Hmm, seems to not be working… That is the issue.
Checking my infected system and receiving an “All clear” from the “Big Fed” managed system will be of little solace come “Can’t connect day” which by all definition is a cut off.
So, yes, I trust my Kaspersky Internet Security software and I do keep my updates current.
As far as blaming “3rd parties” for this issue goes, it’s wingless. As for the big fed, regardless of the talented people working there, this doesn’t fall on them, but rather on the big, bloated, unresponsive, slow, unaccountable bureaucracy!
This whole mess should have been outsourced to a consortium of major security companies who answer to a board of directors and investors. Yes, I am an unrepentant Capitalist! Certainly NOT a centralized bureaucratic socialist. I feel that Kaspersky’s security products are the best currently available! IMHO.