DNSChanger Rogue DNS Servers Taken Down

Great info from the Palo Alto Networks Product Management Team on the latest events surrounding DNSChanger.

DNSChanger is a malware family that has been around for several years now, and at its height controlled the web browsing of some 4 million PCs.  DNSChanger typically masqueraded as a video codec download, and once downloaded would surreptitiously change the DNS servers of the infected host to rogue DNS servers which direct users to pay-per-click advertising networks to earn money for the perpetrators.

Just recently, the FBI announced that in cooperation with Estonian authorities, they have identified and arrested several people behind the scheme.  The rogue DNS servers are now under the control of the authorities, and are configured to act as legitimate DNS servers until a cut-off date of March 8, 2012.  (http://krebsonsecurity.com/2012/02/half-of-fortune-500s-us-govt-still-infected-with-dnschanger-trojan/)

The FBI has produced a very nice document that describes the DNS changer malware in detail, along with how to determine your system has been infected, and furthermore provides a table of explicit IPs and IP ranges of rogue DNS servers.  The table is provided below for reference:

 
Palo Alto Networks Threat Prevention module includes a Rogue DNS signature to detect DNS queries to these DNS servers (Signature 13125), which can be used to help organizations identify and clean up hosts infected with the DNSChanger malware.  Additionally, on the antivirus side we have about 200 signatures to detect the known variants of the DNSChanger malware.

Speaking of DNS, now is also a good time to remember the importance of application awareness, specifically regarding TCP over DNS.  Tunneling through DNS (http://analogbit.com/tcp-over-dns_howto) has been a common trick for a while (useful for getting free wifi at airports, for example), but it can also be used by malware to leak information and communicate with external masters through DNS, which is almost always left open with no attention paid to it.  The "tcp-over-dns" signature (826) detects all known variants of tcp-over-dns toolkits.