-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reference: CERT-EU Security Advisory 2012-0016 - Update 2
Title: DNSChanger malware - decommissioning of temporary DNS servers on 9 July 2012
Version history:
  14.02.2012 Initial publication
  08/06/2012 Updates marked with NEW!!
  20/06/2012 Updates marked with NEW!!!

Summary
=======

Dear colleagues,

NEW!!! CERT-EU has recently received several alerts about connections from IP addresses within our constituency to the rogue DNS servers listed below. It was later confirmed that, while some of these connections were genuine, others were in fact spoofed. Nevertheless, we recommend that all network administrators review their logs as advised in the "What can you do" section below.

In February CERT-EU was made aware of an action taken by the FBI to eradicate the DNSChanger malware [1,4]. A list of rogue DNS servers has been published and can be used to identify infected PCs in your network; see the "What can you do" section below. Note that as part of this action, the temporary DNS servers that replaced the seized rogue DNS servers will be decommissioned on 8 March 2012. Consequently, infected PCs might be denied access to the DNS service, and their connections to other systems might be disrupted. This behaviour might also indicate a potentially infected system in your network.

NEW!! REMINDER - The current solution is a temporary measure to provide additional time for victims to clean affected computers and restore their normal DNS settings. The clean DNS servers deployed by the Internet Systems Consortium (ISC) will be shut down on 9 July 2012, and any computers still impacted by DNSChanger may lose connectivity to the Internet from that date. [4]

Original details:
================

DNSChanger malware causes a computer to use rogue DNS servers in one of two ways.
First, it changes the computer's DNS server settings to replace the ISP's good DNS servers with rogue DNS servers operated by the criminals. Second, it attempts to access devices on the victim's small office/home office (SOHO) network that run a Dynamic Host Configuration Protocol (DHCP) server (e.g. a router or home gateway). The malware attempts to access these devices using common default usernames and passwords and, if successful, changes the DNS servers these devices hand out from the ISP's good DNS servers to rogue DNS servers operated by the criminals. This change may impact all computers on the SOHO network, even those that are not themselves infected with the malware.

Rogue DNS Servers:
  85.255.112.0  through 85.255.127.255
  67.210.0.0    through 67.210.15.255
  93.188.160.0  through 93.188.167.255
  77.67.83.0    through 77.67.83.255
  213.109.64.0  through 213.109.79.255
  64.28.176.0   through 64.28.191.255

Potential impact
================

Full or partial denial of network services relying on DNS.

Vulnerable Systems
==================

The malware especially impacts small office/home offices that rely mainly on the ISP's DNS.

What can you do?
================

New !!! Follow the references to detect whether your computer has been infected with DNSChanger [5].

* Identify infected systems:
  * Monitor outbound DNS connections (TCP/UDP 53) for systems in your network trying to connect to the IP address ranges of the rogue DNS servers (see above).
  * Verify that your firewall only allows traffic to legitimate DNS servers.
  * Verify the DNS configuration of your DHCP server and of any device acting as a DNS forwarder, especially if it uses a default or weak password. Please reset the password to a strong one.
  * Check whether the configured DNS server is a known rogue DNS server via https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS [2].
  * Monitor for systems that cannot connect to the Internet after the deadline (8 March 2012) and check them for DNSChanger infection as described above.
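The monitoring step above (outbound port-53 traffic to the rogue ranges) can be scripted against exported firewall or flow logs. The following Python is an added example written for this advisory, not a CERT-EU tool: it expands the six "start through end" ranges listed above into CIDR networks with the standard library, then reports which internal hosts sent DNS-port traffic to any of them. The log format (timestamp, source, destination, protocol, destination port) and the sample lines are constructed for the example; adapt the regular expression to your own log format.

```python
import ipaddress
import re

# Rogue DNS server ranges exactly as listed in the advisory ("start through end").
ROGUE_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]


def rogue_networks():
    """Expand each start/end pair into one or more CIDR networks."""
    nets = []
    for start, end in ROGUE_RANGES:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)))
    return nets


ROGUE_NETS = rogue_networks()


def is_rogue_dns(ip):
    """True if the address falls inside any rogue DNS range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ROGUE_NETS)


# Constructed sample flow log (assumed format, not a real capture):
# <timestamp> <src_ip> <dst_ip> <proto> <dst_port>
SAMPLE_LOG = """\
2012-06-20T10:01:02Z 10.1.2.3 85.255.112.45 udp 53
2012-06-20T10:01:05Z 10.1.2.4 8.8.8.8 udp 53
2012-06-20T10:01:07Z 10.1.2.9 93.188.163.1 tcp 53
2012-06-20T10:01:09Z 10.1.2.3 213.109.70.2 tcp 80
2012-06-20T10:01:11Z 10.1.2.7 67.210.8.8 udp 53
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(tcp|udp)\s+(\d+)$")


def find_rogue_dns_clients(log_text):
    """Return {source_ip: set(rogue destination ips)} for port-53 flows
    (TCP or UDP) whose destination lies in a rogue range. Flows to other
    ports are ignored: the advisory's indicator is DNS traffic, and an
    unrelated port-80 hit to the same range would need separate review."""
    hits = {}
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # unparseable line; skip rather than guess
        _ts, src, dst, _proto, dport = match.groups()
        if dport != "53":
            continue
        if is_rogue_dns(dst):
            hits.setdefault(src, set()).add(dst)
    return hits


if __name__ == "__main__":
    for src, dsts in sorted(find_rogue_dns_clients(SAMPLE_LOG).items()):
        print(f"{src} -> rogue DNS: {', '.join(sorted(dsts))}")
```

Hosts reported by this check should be cross-checked against the DHCP and DNS-forwarder configuration described above, since (as the advisory notes) a compromised SOHO router can make clean machines appear infected.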
* Eradicate:
  * Scan the infected PCs with your anti-virus to detect other potential infections. We also recommend scanning with Microsoft MSS (http://cert.europa.eu/static/WhitePapers/CERT-EU-SWP_11_001_v1_2.pdf) [3].
  * We recommend rebuilding the infected system from a standard known-good configuration (reference configuration/gold build) instead of cleaning up the malware with an anti-virus scanner, because the malware may use persistence techniques (BIOS, unknown dropper malware, etc.).
  * If you cannot rebuild the system, we recommend scanning it again a few days after the clean-up to check whether the malware has been fully eradicated.

What to tell your users?
========================

Users can check the DNS configuration of their PC as explained in [1,5].

More information
================

[1] http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf
[2] https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS
[3] http://cert.europa.eu/static/WhitePapers/CERT-EU-SWP_11_001_v1_2.pdf
[4] http://www.fbi.gov/news/stories/2011/november/malware_110911/
[5] http://www.dcwg.org/detect/

Best regards,

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html

-----BEGIN PGP SIGNATURE-----
Version: BCPG v1.39

iQJXBAEBAgBBBQJP4aSOOhxDRVJUIGZvciB0aGUgRXVyb3BlYW4gSW5zdGl0dXRp
b25zIDxjZXJ0LWV1QGVjLmV1cm9wYS5ldT4ACgkQJ6QGykasQ4PzbQ/+PmrtFgep
rt3bjEeB2pIi71fgEiv/au4njat4UHtKRNhpCO9mm/2SZ3tObOMhmNZFvKabk4X9
X/OCfhN7MLHpDZa32TIKm6zvg/fJCQfunwalSXvfEv9m1QCT+Vu5UaeWPr4evh36
kyhiuu6g+ONnE34hpWfMLE0X+6iH2QlRxcvJGcFUBQ2gNd7FGoL5PdScqyWhsynb
IzvZVd+kD1gEFJ5Tyqd6mFsBv78YVGXzs/+N6299ztoUIXTShthbhJ2mI4CZZys9
JqSJ44FwS3o2Wj0NUP7FA5CAoDL+BjqC4LEmZ60gqz/KeCqR3s75mpXXJsMgIoVu
vA0MqJPRRysVZi85J92EqnWZfuHzX1u8hEB+0BXuGN9h2BQr7JXrY7ilhPwp0zxC
SL5qnyZOkGlXI7l7TVrfS06bU433cQ8bW5aHMgYsB8zogj9H7PEaGmfTVSPpvi+B
XeMaP8PFeKB6evJrhvyeGQozowSZjvcYlVhng1Due9HaU2jPQEssgenHYMCYcZui
KoTktnx+0aFSDUzKbS36HyBtC0+1D+rrdrQ9jqC6stES7rCEgs6jZMUmmuE80Hdi
FCN1CIS07Izt/qYu5XYPk7DEsZwgrNSi+ZJHwZCjOaz3w8udruT2mgUzJMIzdFc5
8MbwSY9LNXlkQ+f+uQUoChHKlEaItlFeCXc=
=oe2l
-----END PGP SIGNATURE-----