What is DNS Changer?
On November 8th, the FBI, the NASA-OIG and Estonian police arrested several cyber criminals in “Operation Ghost Click.” The criminals operated under the company name “Rove Digital”, and distributed DNS changing viruses, variously known as TDSS, Alureon, TidServ and TDL4 viruses.
The botnet operated by Rove Digital altered user DNS settings, pointing victims to malicious DNS in data centers in Estonia, New York, and Chicago. The malicious DNS servers would give fake, malicious answers, altering user searches, and promoting fake and dangerous products. Because every web search starts with DNS, the malware showed users an altered version of the Internet.
Under a court order, which expired July 9, the Internet Systems Consortium operated replacement DNS servers for the Rove Digital network. These servers meant that infected computers could continue to access the Internet until they could be cleaned up. This has now stopped and the IP address space has been recycled. Some of it is now in the hands of suspicious characters which means any computers still infected may get reinfected with new malware.
More info from the DNS Changer Working Group at http://www.dcwg.org/
What is Conficker?
Conficker has been around in various forms since 2008. There are at least 5 variants (usually called A, B, C, D and E respectively) and it affects all Microsoft OSes prior to Windows 7 including Windows Server 2008. It has spread widely using a variety of vulnerabilities and there are still millions of computers infected with it today. Thanks to efforts of a number of technology companies who formed the Conficker Working Group the domains it tries to call home to are all sinkholed, but it remains a threat because it foils many security updates. Moreover Conficker E installed a spamming bot (Waledac) and other malware and through these it is possible that a conficker infected PC is also infected with other actively malicious software.
What is ThreatSTOP offering?
We are offering to parse logfiles from firewalls, IDSes and so on to see whether any computers on your network are using the DNS Changer IP addresses for their DNS or are attempting to contact the sinkholes for other malware such as conficker. We do this by parsing logfiles uploaded to us and extracting lines that contain the DNS Changer or Sinkholed addresses. We then give you a report that tells you what IP addresses on your network are communicating with these servers.
How do I use this service?
You should make sure that your firewall or IDS is logging all outbound attempts on port 53 (DNS). It may be simplest to log all traffic. You can either log this data on the device itself or use a separate syslog server and if you have a tool like splunk or Juniper's STRM you can use that too.
Then once you have some log data you should upload the logfile to us via the main webpage. We will parse it and give you are report that you can download and use to clean up infected computers. You can see a sample report here.
If you are using splunk or similar then you should export the data from the system either in raw format or as a summary in CSV format. We only need the source and destination IP addresses and will ignore anything else (name, port, count, time etc.) but you may find it useful to include a timestamp.
What do the results mean?
Any IP address which is listed on the results page has attempted to contact an IP address used by DNS Changer. These IP addresses are not used by anything except the DNS changer servers hosted by ISC so it is highly likely that the computer at that IP address is infected with DNS changer. Using your internal address management tools you can identify the computer and then clean it up. We put the raw log line on the report so that you can see the time(s) of the event(s) which will help if you have relatively short DHCP leases on your network.
How do I cleanup suspect computers?
One reason why there are so many computers still infected is that it is hard to clean them up. This page (http://www.dcwg.org/fix/ ) gives a lot of information and recommends that users follow one of the guides in the table below.
|Guide||How to Use|
|Microsoft's Safety and Security Center||Microsoft's authoritative portal for all their security guidance, tools, and capabilities.|
|Apple's Security Page with pointers to keep your MAC safe||Scroll down to the section on "Checking Security in your System." This has the pointers to insure your MAC is as secure as possible.|
|DSL Report’s Security Cleanup FAQ||A community driven self help guide to fix malware problems on your systems.|
|Andrew K’s Malware Removal Guide||Andrew K is an individual who share's his experience on-line. This guide is an often referenced guide to remediate malware problems on a computer.|
|Public Safety Canada’s Malware Infection Recovery Guide||The Canadian Public Safety office (publicsafety.gc.ca) has a malware removal guide updated and focused to help the general population.|
|Australia’s Stay Smart Online Factsheet to help Remove Malware||Stay Smart Online Factsheet 11, Part 1 - You suspect your computer is infected with malicious software - what should I do?|
Are there any limits to this service?
We limit the size of log files that may be parsed to 1 Mbytes. If you have larger log files please either break them up or contact ThreatSTOP and we will provide you with an alternate access method. This can also be done if you have a lot of small log files. We reserve the right to block uploads from ip addresses that appear to be abusing our service. This may include uploading of logfiles that we are unable to parse, so please ensure that you upload a logfile that is in uncompressed plain text format.
We are using a fairly general purpose parser and all we need are source and destination IP addresses in standard IPv4 notation (126.96.36.199) so pretty much any kind of text log file should work.