AusCERT2012: Modems at risk in DNSChanger cut-off

Powered by SC Magazine
 

ISPs urged to bolster user support.

Up to 100,000 customer modems are at risk of losing their internet connection from July 9 when the FBI disables rogue DNS servers seized late last year.

The affected customer modems make up about a third of the 350,000 to 400,000 internet users believed to still have the DNSChanger malware on either their modems or Windows computers.

The FBI believes that up to four million users were infected at the height of the Estonian advertising scam, which redirected legitimate searches by computer users to malicious sites via rogue DNS servers located in Chicago and New York.

Complete coverage of AusCERT 2012

Six Estonian nationals have been arrested and are currently subject to extradition procedures to face charges in the United States.

US authorities have interim control of the rogue DNS servers but expect to shut them down on July 9, after a four-month court ordered extension of the program expires.

Any computer still infected with DNSChanger - believed to be more than 300,000 users in July - will not be able to connect to the internet.

The modem problem

While remediation support for infected users had largely focused on solving the Windows infection, Paul Vixie of the Internet Systems Consortium told AusCERT 2012 attendees this week that internet service providers would have to "truck-roll" new modems to those believed to be affected by the malware outside their PC.

"The CPE [customer premises equipment] - the DSL or cable modem - tends to be one of a small number of things that all come out of Taiwan or that part of the world and even if they're made by different companies they will have a similar web interfaces when viewed from the inside," he said.

The scammers, he said, "scripted [the web] interface and changed the DNS settings in the CPE".

He noted it was "very difficult to get these re-programmed".

 

ISC founder Paul Vixie.

Vixie and the ISC have a direct contract with the FBI to coordinate the investigation, which ultimately lead to police seizing the rogue DNS servers and operating them while they attempt to remove remaining infections worldwide.

Up to 10,000 internet users remain infected by the malware in Australia, with potential victims urged to check a specially setup website to check for infection before July 9.

Internode chief technology officer John Lindsay told SC Magazine the iCode framework, developed by the Internet Industry Association in 2010 and implemented by major service providers, proved effective in dealing with those affected at both the PC and modem level.

Those modems found to have changed DNS settings on Internode's network specifically are flashed with factory settings or new firmware. In some cases, Lindsay said the ISP preffered to replace the infected modem with newer equipment to avoid further problems.

"We have probes in our network that look for these sorts of problems and contact customers who appear affected and provide assistance to fix the problem and help them prevent future incidents," he said.

The action taken by Internode differs from the "walled garden" approach suggested in the framework.

While take-down of the DNS servers was "carefully choreographed" between the FBI and Estonian police, Vixie conceded that fixing the continued problem of infected computers and modems had not been great.

ISC believes more than 300,000 users will remain infected on July 9
(Click to enlarge)

The 300,000 users believed to retain the infection on July 9 would leave internet service providers with a growing support problem, he said.

The underlying botnet malware used in the scam, Alureon, also remains at large with the potential to infect more computers in future.

"We didn't put any time into how remediation was going to work or how we were going to do the charts and diagrams and population estimates," he said.

"We had none of that in place on day one. after we had the name servers running and we were collecting the data someone finally said 'shouldn't we be analysing this?'"

Like the similarly malicious Conficker botnet, which still boasts six million victims, Vixie said the issue remained in user trust.

"They don't trust us, they don't know us... they don't trust their ISP," he said.

"Their plan, if you can dignify it with the name plan, is to just keep using their computer until it doesn't work anymore, and then they'll buy a new one."

The saving grace for Vixie, he said, was that the scammers behind DNSChanger could have been "much more evil than they were".

Copyright © SC Magazine, Australia


AusCERT2012: Modems at risk in DNSChanger cut-off
The US-hosted server used by Estonian scammers in the DNSChanger.
 
 
 
Top Stories
Frugality as a service: the Amazon story
Behind the scenes, Amazon Web Services is one lean machine.
 
Negotiating with the cloud email megavendors
[Blog post] Lessons from Woolworths’ mammoth migration.
 
Qld govt to move up to 149k staff onto Office 365
Australia's largest deployment, outside of the universities.
 
 
The US-hosted server used by Estonian scammers in the DNSChanger.
Sign up to receive iTnews email bulletins
   FOLLOW US...

Latest VideosSee all videos »

The great data centre opportunity on Australia's doorstep
The great data centre opportunity on Australia's doorstep
Scott Noteboom, CEO of LitBit speaking at The Australian Data Centre Strategy Summit 2014 in the Gold Coast, Queensland, Australia. http://bit.ly/1qpxVfV Scott Noteboom is a data centre engineer who led builds for Apple and Yahoo in the earliest days of the cloud, and who now eyes Asia as the next big opportunity. Read more: http://www.itnews.com.au/News/372482,how-do-we-serve-three-billion-new-internet-users.aspx#ixzz2yNLmMG5C
Interview: Karl Maftoum, CIO, ACMA
Interview: Karl Maftoum, CIO, ACMA
To COTS or not to COTS? iTnews asks Karl Maftoum, CIO of the ACMA, at the CIO Strategy Summit.
Susan Sly: What is the Role of the CIO?
Susan Sly: What is the Role of the CIO?
AEMO chief information officer Susan Sly calls for more collaboration among Australia's technology leaders at the CIO Strategy Summit.
Meet the 2014 Finance CIO of the Year
Meet the 2014 Finance CIO of the Year
Credit Union Australia's David Gee awarded Finance CIO of the Year at the iTnews Benchmark Awards.
Meet the 2014 Retail CIO of the Year
Meet the 2014 Retail CIO of the Year
Damon Rees named Retail CIO of the Year at the iTnews Benchmark Awards for his work at Woolworths.
Robyn Elliott named the 2014 Utilities CIO of the Year
Robyn Elliott named the 2014 Utilities CIO of the Year
Acting Foxtel CIO David Marks accepts an iTnews Benchmark Award on behalf of Robyn Elliott.
Meet the 2014 Industrial CIO of the Year
Meet the 2014 Industrial CIO of the Year
Sanjay Mehta named Industrial CIO of the Year at the iTnews Benchmark Awards for his work at ConocoPhillips.
Meet the 2014 Healthcare CIO of the Year
Meet the 2014 Healthcare CIO of the Year
Greg Wells named Healthcare CIO of the Year at the iTnews Benchmark Awards for his work at NSW Health.
Meet the 2014 Education CIO of the Year
Meet the 2014 Education CIO of the Year
William Confalonieri named Healthcare CIO of the Year at the iTnews Benchmark Awards for his work at Deakin University.
Meet the 2014 Government CIO of the Year
Meet the 2014 Government CIO of the Year
David Johnson named Government CIO of the Year at the iTnews Benchmark Awards for his work at the Queensland Police Service.
Q and A: Coalition Broadband Policy
Q and A: Coalition Broadband Policy
Malcolm Turnbull and Tony Abbott discuss the Coalition's broadband policy with the press.
AFP scalps hacker 'leader' inside Australia's IT ranks.
AFP scalps hacker 'leader' inside Australia's IT ranks.
The Australian Federal Police have arrested a Sydney-based IT security professional for hacking a government website.
NBN Petition Delivered To Turnbull's Office
NBN Petition Delivered To Turnbull's Office
UTS CIO: IT teams of the future
UTS CIO: IT teams of the future
UTS CIO Chrissy Burns talks data.
New UTS Building: the IT within
New UTS Building: the IT within
The IT behind tomorrow's universities.
iTnews' NBN Panel
iTnews' NBN Panel
Is your enterprise NBN-ready?
Introducing iTnews Labs
Introducing iTnews Labs
See a timelapse of the iTnews labs being unboxed, set up and switched on! iTnews will produce independent testing of the latest enterprise software to hit the market after installing a purpose-built test lab in Sydney. Watch the installation of two DL380p servers, two HP StoreVirtual 4330 storage arrays and two HP ProCurve 2920 switches.
The True Cost of BYOD
The True Cost of BYOD
iTnews' Brett Winterford gives attendees of the first 'Touch Tomorrow' event in Brisbane a brief look at his research into enterprise mobility. What are the use cases and how can they be quantified? What price should you expect to pay for securing mobile access to corporate applications? What's coming around the corner?
Ghost clouds
Ghost clouds
ACMA chair Chris Chapman says there is uncertainty over whether certain classes of cloud service providers are caught by regulations.
Was the Snowden leak inevitable?
Was the Snowden leak inevitable?
Privacy experts David Vaile (UNSW Cyberspace Law and Policy Centre) and Craig Scroggie (CEO, NextDC) claim they were not surprised by the Snowden leaks about the NSA's PRISM program.
Latest Comments
Polls
Which bank is most likely to suffer an RBS-style meltdown?





   |   View results
ANZ
  21%
 
Bankwest
  9%
 
CommBank
  11%
 
National Australia Bank
  17%
 
Suncorp
  24%
 
Westpac
  19%
TOTAL VOTES: 1455

Vote