New hijack threat emerges for DNS Changer victims

Potentially tens of thousands of machines once infected by the DNS Changer may be at risk of hijacking after IP address blocks were reallocated last week.

DNS Changer, a piece of malware that could manipulate search results on a victim’s machine by rerouting its DNS lookups, came into focus early last month as the Internet Systems Consortium (ISC) prepared to shut down the servers that kept over 200,000 victims connected to the internet.

ISC had operated replacement servers standing in for the infrastructure that Rove Digital, an Estonian criminal group, had used to run the scheme, but the court order authorised ISC to maintain those servers only until July 9.

The servers used addresses in a series of IP address blocks administered by the Netherlands-based regional internet registry, Réseaux IP Européens Network Coordination Centre (RIPE NCC).

Last week RIPE NCC reallocated those address blocks. Any still-infected machine continues to send its DNS queries to the old addresses, so whoever holds the blocks now could answer those queries and hijack DNS Changer victims’ machines, according to Barry Greene, the former CEO and president of ISC.

“It was assumed that these blocks would remain in limbo until all the court proceedings were completed. The 'assumption' was not correct,” wrote Greene on Tuesday, warning carriers and ISPs to keep a close eye on these address blocks.

“Whoever controls these netblocks can hijack computers that are still infected with DNS Changer and other malware,” Greene added, pointing out that other malicious actors had also operated within these address blocks.

Greene said RIPE’s move “surprised” many in the security industry and law enforcement, as well as participants in the DNS Changer Working Group (DCWG), the industry group that had spearheaded efforts to minimise the impact of the ISC server switch-off.

The DNS Changer malware altered the Domain Name System (DNS) settings on victims’ computers, pointing them at resolvers the criminals controlled. In effect it swapped the internet address book a victim machine relies on to find a website, so the operators could decide which address any name resolved to.

In the months leading up to the July 9 cut-off, the internet and security industries concentrated on getting users to reset their DNS settings to legitimate resolvers, so that they would still be able to connect to the internet once ISC switched off the replacement servers.
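The practical check behind that reset effort, and behind Greene’s warning, is the same: is this host still configured to send its DNS queries to an address in the old Rove Digital blocks? The script below is an added example, not code from the article, ISC or the DCWG. It parses resolv.conf-style text, extracts the `nameserver` entries and flags any that fall inside a list of suspect netblocks. The netblock list is the set of Rove Digital resolver ranges as the editor recalls the DCWG publishing them, not something stated on this page; confirm it against the current DCWG list before relying on it. The sample resolv.conf text is constructed for the example, and 192.0.2.53 is a documentation placeholder address.

```python
import ipaddress

# Netblocks to treat as suspect. These are the Rove Digital / DNS Changer
# resolver ranges as the editor recalls DCWG publishing them; they are an
# assumption of this example, not taken from the article. Verify against
# the current DCWG list and extend with any other ranges you track.
SUSPECT_NETBLOCKS = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20",
    "67.210.0.0/20",
    "93.188.160.0/21",
    "77.67.83.0/24",
    "213.109.64.0/20",
    "64.28.176.0/20",
)]


def parse_nameservers(resolv_conf: str) -> list:
    """Return the nameserver addresses listed in resolv.conf-style text.

    Comments introduced by '#' or ';' are stripped; malformed addresses are
    skipped rather than raising, since a checker must not die on odd input.
    """
    servers = []
    for raw in resolv_conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0].lower() == "nameserver" and len(parts) >= 2:
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue
    return servers


def suspect_resolvers(servers, netblocks=SUSPECT_NETBLOCKS) -> list:
    """Return (address, netblock) pairs for resolvers inside a suspect block."""
    hits = []
    for addr in servers:
        for net in netblocks:
            # Compare only same-family addresses; an IPv6 resolver can never
            # sit inside an IPv4 block.
            if addr.version == net.version and addr in net:
                hits.append((str(addr), str(net)))
                break
    return hits


def check_resolv_conf(text: str) -> list:
    """Convenience wrapper: parse the text and report suspect resolvers."""
    return suspect_resolvers(parse_nameservers(text))


# Constructed sample: the first resolver was rewritten by the malware, the
# second is a normal ISP resolver (192.0.2.53 is a TEST-NET-2 placeholder).
SAMPLE_RESOLV_CONF = """# Generated by NetworkManager
nameserver 85.255.112.34
nameserver 192.0.2.53   ; ISP resolver
search example.net
"""

if __name__ == "__main__":
    hits = check_resolv_conf(SAMPLE_RESOLV_CONF)
    if not hits:
        print("no resolver inside a suspect netblock")
    for addr, net in hits:
        print(f"resolver {addr} is inside suspect netblock {net}")
```

On a real host, feed it the contents of `/etc/resolv.conf`; on Windows the equivalent values live under the Tcpip interface keys in the registry and show up in `ipconfig /all`, so adapt the parser to that output. A clean host configuration is not the whole story: DNS Changer also rewrote the DNS settings on some home routers, so the router’s upstream resolver addresses need the same check, and the list must be kept in step with whatever the DCWG publishes.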

While that effort achieved large reductions, DCWG estimated that at the deadline more than 200,000 unique IP addresses were still classified as “victims”.


Comments

Barry Greene


A follow-up to this issue is posted here:

RIPE NCC Responds to the Rove Digital/DNS Changer Re-allocations - http://www.senki.org/archives/948

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.