The FISMA Focus IPD

Editor’s Note:  Below is a notice from US-CERT followed by a news story discussing FBI action.

From: US-CERT

US-CERT Current Activity

 DNSChanger Malware

Original release date: Tuesday, April 24, 2012 at 2:20 pm Last revised: Tuesday, April 24, 2012 at 2:20 pm

US-CERT encourages users and administrators to ensure their systems are not infected with the DNSChanger malware by utilizing tools and resources available at the DNS Changer Working Group (DCWG) website.

Computers testing positive for infection of DNSChanger malware will need to be cleaned of the malware in order to maintain continued internet connectivity beyond July 9, 2012.

On November 8, 2011, the FBI, NASA-OIG, and Estonian police arrested several cyber criminals in “Operation Ghost Click.” The criminals operated under the company name “Rove Digital,” and distributed DNS changing viruses, variously known as TDSS, Alureon, TidServ, and TDL4 viruses.

Additional information about Operation Ghost Click and the DNSChanger malware is available at the FBI website.

Relevant Url(s): <http://www.dcwg.org/>

 <http://www.fbi.gov/news/stories/2011/november/malware_110911>

From: Information Week

DNS Changer: FBI Updates Net Access Shutoff Plans

The FBI called: Your malware-infected PC or router needs to get clean, or lose Internet access.

Accordingly, the FBI has launched a public appeal, urging consumers and businesses to scan their machines–including some routers–for signs of infection.

How prevalent is DNS Changer? Rod Rasmussen, a member of the DNS Changer Working Group, said that in early February 2012, the malware was infecting machines used by half of all Fortune 500 companies as well as 27 out of 55 government agencies. But by the end of that month, he said that infection rates appeared to have dropped to 94 companies and just three agencies.

In November 2011, the bureau, working with Estonian authorities, helped bust the Estonian gang behind the DNS Changer botnet. Authorities accused the gang of conducting a four-year campaign that generated at least $14 million, largely through click fraud.

The criminals allegedly used the malware to reroute infected machines to their own rogue DNS servers. That meant that even after the FBI helped bust the suspected botnet operators, anyone whose machine was infected with the malware would still be relying on the rogue DNS servers to be able to surf the Internet.

Accordingly, the bureau said that it would continue to support the DNS servers for another four months, although it disabled the command-and-control infrastructure underlying the botnet and said it wasn’t monitoring any of the traffic traveling over the DNS servers. In addition, the FBI said that it had “provided information to ISPs that can be used to redirect their users from the rogue DNS servers to the ISPs’ own legitimate servers.”

With that deadline fast approaching, however, and many machines apparently still infected with DNS Changer, on March 12 the FBI secured a court order “authorizing the Internet Systems Consortium (ISC) to deploy and maintain temporary clean DNS servers,” according to a statement released by the FBI.

Because this solution costs money, it’s temporary and is intended only to buy “additional time for victims to clean affected computers and restore their normal DNS settings,” according to the FBI. “The clean DNS servers will be turned off on July 9, 2012, and computers still impacted by DNSChanger may lose Internet connectivity at that time.”

In other words, anyone whose machine is infected with the malware has about two months left to eradicate it or lose Internet access. At that point, to eliminate the malware and restore their correct DNS settings, users will need to download antivirus software–using another PC–and install it on their PC; for example, by using a USB key.