DNSChanger malware

If you use default passwords on your home or office gateway/router, then you may be at risk from the DNSChanger malware.  This can affect how your computers translate domain names such as apple.com, microsoft.com and other domain names to the unique Internet Protocol (IP) address such as 198.51.100.1 that we ultimately depend on to access other computers.  A company in Estonia called Rove Digital has been operating since 2007 and may have affected more than 500,000 computers in the United States alone.  If your computer is affected, it will fail to access the Internet after July 9, 2012.

The Domain Name System (DNS) is a critical Internet service that converts user-friendly domain names, such as www.fbi.gov, into numerical addresses that allow computers to talk to each other. Without DNS and the DNS servers operated by Internet service providers, computer users would not be able to browse websites or send e-mail.

DNSChanger malware causes a computer to use rogue DNS servers in one of two ways.

  1. The malware changes the computer’s DNS server settings to replace the ISP’s good DNS servers with rogue DNS servers operated by the criminal.
  2. The malware attempts to access devices on the victim’s small office/home office (SOHO) network that run a dynamic host configuration protocol (DHCP) server (e.g. a router or home gateway). The malware attempts to access these devices using common default usernames and passwords and, if successful, changes the DNS servers these devices use from the ISP’s good DNS servers to rogue DNS servers operated by the criminals. This is a change that may impact all computers on the SOHO network, even if those computers are not infected with the malware.

To assist victims affected by the DNSChanger malicious software, the FBI obtained a court order authorizing the Internet Systems Consortium (ISC) to deploy and maintain temporary clean DNS servers. This solution is temporary, providing additional time for victims to clean affected computers and restore their normal DNS settings. The clean DNS servers will be turned off on July 9, 2012, and computers still impacted by DNSChanger may lose Internet connectivity at that time.

The following table lists sites set up to help you determine if your computer is affected.

URL                    Language        Maintainer
http://www.dns-ok.us/  English         DNS Changer Working Group (DCWG)
http://www.dns-ok.de/  German          Bundeskriminalamt (BKA), Bundesamt für Sicherheit in der Informationstechnik (BSI)
http://www.dns-ok.fi/  Finnish         CERT-Fi
http://www.dns-ok.ax/  Swedish         CERT-Fi
http://www.dns-ok.be/  Dutch/French    CERT.be
http://www.dns-ok.fr/  French          CERT-LEXSI
http://www.dns-ok.ca/  English/French  CIRA and CCIRC
http://www.dns-ok.lu/  English         CIRCL
http://dns-ok.nl/      Dutch/English   SIDN

For more technically oriented people, the following is the list of IP address ranges the criminals used for their rogue DNS servers.

List of Rogue DNS Server Addresses

  • 85.255.112.0 through 85.255.127.255
  • 67.210.0.0 through 67.210.15.255
  • 93.188.160.0 through 93.188.167.255
  • 77.67.83.0 through 77.67.83.255
  • 213.109.64.0 through 213.109.79.255
  • 64.28.176.0 through 64.28.191.255
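The web checkers above only work while those sites are up, and they only see the resolver your browser happens to use. An offline check is to compare the nameservers configured on a machine (or handed out by the router, since the second infection method changes the router rather than the computer) against the six ranges listed above. The following Python script is an added example, not part of the original post or of any DCWG tool; the ranges are the ones listed above, the resolv.conf text is a constructed sample, and the address 85.255.112.36 is simply a constructed value inside the first range.

```python
"""Check configured nameservers against the DNSChanger rogue DNS ranges.

Added example for this post; not a DCWG tool. The ranges are those listed
in the post, the resolv.conf text below is a constructed sample.
"""
import ipaddress

# Rogue DNS server ranges from the post, as first/last address pairs.
ROGUE_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]

# Convert each first/last pair into CIDR networks so membership tests are cheap.
ROGUE_NETWORKS = [
    net
    for first, last in ROGUE_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)
    )
]


def is_rogue(addr: str) -> bool:
    """True if addr lies inside any published rogue range; unparsable input is not rogue."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in ROGUE_NETWORKS)


def parse_resolv_conf(text: str) -> list[str]:
    """Extract nameserver addresses from resolv.conf-style text, ignoring comments."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def check_resolvers(text: str) -> dict[str, bool]:
    """Map each configured nameserver to whether it falls in a rogue range."""
    return {srv: is_rogue(srv) for srv in parse_resolv_conf(text)}


# Constructed sample: one documentation-range ISP resolver and one address
# inside the first rogue range (85.255.112.0 - 85.255.127.255).
SAMPLE_RESOLV_CONF = """\
# Generated by dhcpcd (constructed sample)
nameserver 192.0.2.53
nameserver 85.255.112.36
search example.net
"""

if __name__ == "__main__":
    # On a real Linux/Mac host, replace SAMPLE_RESOLV_CONF with
    # open("/etc/resolv.conf").read() to check the live configuration.
    for srv, rogue in check_resolvers(SAMPLE_RESOLV_CONF).items():
        print(f"{srv:16} {'ROGUE: DNSChanger range' if rogue else 'ok'}")
```

For a router-level infection the addresses to check are the DNS servers shown on the router's status page or handed out over DHCP, not the ones in /etc/resolv.conf, which may just point at the router itself.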

For more information see the following links:

http://www.fbi.gov/news/stories/2011/november/malware_110911/malware_110911

DNS Changer Working Group (DCWG)

http://www.fbi.gov/newyork/press-releases/2011/manhattan-u.s.-attorney-charges-seven-individuals-for-engineering-sophisticated-internet-fraud-scheme-that-infected-millions-of-computers-worldwide-and-manipulated-internet-advertising-business

Update 2015-01-02: Many sites linked from this page are no longer available.

Uncle Sam Needs You!

We need your help to prevent United States Senate Bill 968 (PIPA) and HR 3261 (SOPA) from becoming U.S. law. These bills are essentially a technical solution (a flawed one) for a business problem.  These laws would short-circuit due process of existing laws and provide a sledgehammer for businesses to take down their competitors.  These laws are the wrong solution for the described problem.  A group of Internet inventors and engineers have voiced their opinion in an open letter to Congress stating their opposition to the SOPA and PIPA bills.  Ironically, some provisions in these bills would attack Free Speech in ways we condemn in China and Iran.

We need you to help overcome the well-funded lobbying effort to create these laws!  Some opponents of PIPA and SOPA: Google, Yahoo, Wikipedia, craigslist, Facebook, Twitter, LinkedIn, eBay, AOL, Mozilla, Reddit, Tumblr, Etsy, Zynga, EFF, ACLU, Human Rights Watch, Darrell Issa (R-CA), Ron Wyden (D-OR), Nancy Pelosi (D-CA), Ron Paul (R-TX), Tim O’Reilly.

To find out how your representative is voting, go to SOPA Opera.  Then contact them and tell them how you feel about keeping the Internet a fair and open place to socialize and work.

Here are some of the people and companies that are working against your interests and for their own profit: RIAA, MPAA, News Corp, Time Warner, Walmart, Nike, Tiffany, Chanel, Rolex, Sony, Juicy Couture, Ralph Lauren, VISA, Mastercard, Comcast, ABC, Dow Chemical, Monster Cable, Teamsters, Rupert Murdoch, Lamar Smith (R-TX), John Conyers (D-MI), Michael F. Bennet (D-CO).

Simple Intrusion Detection

Sometimes I want to have a simple way to determine if a file has been changed or has been compromised without the configuration required of a full-featured IDS such as AIDE or Tripwire.  This technique uses CFV, a free and open-source program written in Python that “has been verified to work on linux, freebsd, openbsd, netbsd, solaris, macosx, and windows.”  This program can generate a variety of checksum formats, including the SHA1 used in this example.

To create the signature file for a directory’s and sub-directories’ files use the following commands in a Linux or Mac OS X command window:

cd /usr/local/bin
cfv -C -rr -f bin.sha1 -t sha1
gpg -sab bin.sha1

To verify the file signatures use the following commands:

cd /usr/local/bin
gpg --verify bin.sha1.asc
cfv -M -f bin.sha1

The gpg command verifies the integrity of the signature file (bin.sha1) against the detached signature (bin.sha1.asc) created earlier.  The cfv command then verifies all the files originally recorded when the signature file was created.  If the signature check fails, the checksum list itself has been tampered with and the cfv results cannot be trusted.
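To show what the create/verify cycle actually detects, here is the same technique written out in plain Python. This is an added example, not the cfv program or any code from the post: it walks a directory tree, writes a `digest  path` manifest in the layout sha1sum and `cfv -t sha1` produce, then re-walks the tree and reports modified, missing and new files. The manifest name bin.sha1 and the signature name bin.sha1.asc are taken from the post; the directory contents in `demo()` are a constructed scenario. The GPG signing step is left to gpg as in the post, since the point of the signature is that the manifest is protected by a key the attacker does not hold.

```python
"""Create and verify a SHA-1 manifest for a directory tree.

Added example; reproduces the cfv create/verify cycle from the post in
plain Python so the three failure modes (modified, missing, new) are visible.
"""
import hashlib
import tempfile
from pathlib import Path

# Files that sit beside the checked files but are not part of the snapshot:
# the manifest itself and its detached GPG signature (names from the post).
SKIP = frozenset({"bin.sha1", "bin.sha1.asc"})


def sha1_of_file(path: Path) -> str:
    """Stream the file through SHA-1 so large binaries never load whole into memory."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_manifest(root: Path, skip=SKIP) -> dict[str, str]:
    """Walk root and its sub-directories (like cfv -rr); map relative path to digest."""
    files = sorted(p for p in root.rglob("*") if p.is_file() and p.name not in skip)
    return {p.relative_to(root).as_posix(): sha1_of_file(p) for p in files}


def write_manifest(manifest: dict[str, str], out: Path) -> None:
    """Write 'digest  path' lines, the layout sha1sum(1) and cfv -t sha1 use."""
    out.write_text("".join(f"{digest}  {rel}\n" for rel, digest in manifest.items()))


def parse_manifest_text(text: str) -> dict[str, str]:
    """Parse 'digest  path' lines back into a mapping; blank and comment lines are ignored."""
    manifest = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        digest, rel = line.split("  ", 1)
        manifest[rel] = digest
    return manifest


def read_manifest(path: Path) -> dict[str, str]:
    return parse_manifest_text(path.read_text())


def verify_manifest(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the tree against the manifest and report every discrepancy."""
    current = create_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "new": sorted(p for p in current if p not in manifest),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: snapshot a small tree, change it, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        (root / "tool.sh").write_text("#!/bin/sh\necho hello\n")
        (root / "sub" / "helper.py").write_text("print('ok')\n")

        # Create step (the post's 'cfv -C -rr -f bin.sha1 -t sha1').
        write_manifest(create_manifest(root), root / "bin.sha1")

        # Changes a compromise or a stray install could leave behind.
        (root / "tool.sh").write_text("#!/bin/sh\necho changed\n")  # modified
        (root / "sub" / "helper.py").unlink()                        # missing
        (root / "extra.bin").write_bytes(b"\x00\x01")                # new

        # Verify step (the post's 'cfv -M -f bin.sha1').
        return verify_manifest(root, read_manifest(root / "bin.sha1"))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9}: {', '.join(paths) or '-'}")
```

Note that the verify step reports new files as well, which a plain "check every listed file" run does not; an unexpected binary in /usr/local/bin is as interesting as a changed one. SHA-1 is used here only to match the post; hashlib.sha256 is a drop-in replacement and is the better choice today.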