FBI DNS Changer Deadline Extended to 9 July, 2012

FBI DNS Changer Deadline Extended to 9 July, 2012

The US FBI was granted an extension on the court order to maintain control of the DNS Changer IP ranges until 9 July, 2012. This extension was granted based on the large amount of computers and routers which were still making DNS requests to these IP ranges. According to The Register, a research group called IID found about 18.8% of all US Fortune 500 companies surveyed were affected on 23/02/2012. This is a substantial decrease, down from 50% of US Fortune 500 companies in January, 2012 based on a previous study by IID.
The FBI court order might not be extended again due to substantial decreases in the number of USA based suspected infections. Conversely, our group has observed suspect infections in approximately 25% of the networks we advise and consult for in Europe, Africa, Middle East and Asia Pacific. The infections in the USA might be dropping; however, too many non-USA geo-located IPv4 sources remain infected. The majority of identified assets were fully updated and patched end point assets, critical servers with up-to-date Anti-virus software or routers with modified configuration files.

Why do so many suspected infections remain? 

  1. Over reliance on Anti-virus software.
    1. A clean anti-virus scan does not equate to a clean asset, it just means that version and vendor of anti-virus was unable to find an infection at this time. Malware can be written specifically to evade or disable certain features of anti-virus software.
  2. Inability to understand the risks of allowing external DNS requests to untrusted locations.
    1. You wouldn’t knowingly ask the enemy for directions to your own ambush. The same principal applies to allowing or not investigating external DNS requests to un-trusted or suspected malicious DNS servers.
    2. Also, just because a firewall dropped outbound activity does not mean there is no risk to the network. You still have a suspected infected machine that requires investigation.
  3. Inability to find the end points due to short TTL’s in large DHCP based networks or other issues.
    1. Finding end points has been a big challenge for our clients. Their networks have grown or merged in many cases without full documentation or change control. This is a huge gap in security for many but one that can be easily remedied through documentation and network mapping applications.
  4. Lack of time or fiscal budget to properly review logs.
    1. Please review your firewall and proxy drops, this is very, very important.

If your organization has assets making DNS requests to the FBI controlled IP ranges related to the DNS Changer they need to be investigated. We start in the following order in large networks with many possible infections:

  1. Revise firewall or other perimeter controls to avoid more assets making suspect requests, e.g. close the hole.
  2. Investigate all assets which successfully made DNS requests.
  3. Investigate assets attempting to make DNS requests by frequency and criticality of the asset.
    1. If the asset in question is a critical router or server, especially a DNS server open an incident immediately as further compromise of the network is suspected.
    2. If one asset is making 1000 DNS requests while another made 25 investigate the more active asset.
    3. Review the configuration file of routers which might be compromised and check through the DNS settings.

Source: http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf


Reporting can be your friend and can lead to pro-activity, i.e. don’t wait for your anti-virus to alert you to an infected machine. For example we wrote a very basic series ArcSight reports which runs on a daily basis:

  1. All assets making DNS requests to the FBI DNS Changer IPv4 ranges successfully.
  2. All assets attempting to make DNS requests to the FBI DNS Changer IPv4 sorted Z-A showing the assets making the most DNS requests at the top of the report with a bar graph.
    1. Using graphs can help visualize the problem to management and gain their buy-in. Looking at the problem from a business standpoint does not make you less technical but better at communicating the issue to those that approve budgets, staff and possibly investigations.

If you have any questions, concerns or techniques which have been successful in your organization please feel free to share them.




One response

  1. The news are that I ( Francisco Tufró ) will be looking
    after Moai SDK releases, draw requests and all ordinary things SDK.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: