2012-07-13 20:31 DNSChanger servers down - no biggie says CERT Finland
DNSChanger malware took over hundreds of thousands of machines so that criminals could redirect the victims to fraudulent sites. The malicious DNS servers were taken down, and the FBI was permitted 1 to temporarily host legitimate replacement servers to keep the victim machines working. When the permit expired, hundreds of thousands of machines were still infected and could potentially stop operating properly. Nobody knew exactly how many critical infrastructure services were running on infected machines. While the security community was a bit concerned and the press was predicting doomsday, CERT Finland was not worried. Why was that?
What is DNSChanger?
In case you haven't run into DNSChanger previously, it was a piece of malware which changes a host's name server settings, so that it uses malicious DNS servers for looking up where it should connect to. The idea was that the criminals could redirect victims to fraudulent sites as they pleased. Luckily, the malicious servers were taken down. The bad news was that when the malicious servers are not available, infected machines fail to resolve names at all. The temporary solution was to allow the FBI to take over and run the service so that infected hosts could be disinfected. The final deadline was 2012-07-09, after which supposedly some minor things like the Doom of Internet could occur. Well, the Internet survived again, so we can get back to the original topic.
Global Situation when FBI Lost its Permit
So, how did the cleanup go? Here is the data:
So after several years' time to clean up infected machines, DNSChanger was still present on hundreds of thousands of computers. Over time, the number of infected machines was cut in half.
Zeroing in to Finland
CERT Finland on DNSChanger's national impact:
DNSChanger didn't cause problems for Finnish users. CERT Finland has received information about DNS traffic from Finland to the malicious DNS servers through its international security community contacts. This information is processed and redistributed to the ISPs with CERT Finland's AutoReporter service. Initially Finland produced 300 observations about infected routers and computers. At the moment (January 2012) Finland produces about 100 observations. On a global scale, 350 000 observations are made every day.
Over time, infections declined from the initial 300 to a pitiful 20 or so (source). On top of that, CERT Finland could say with fair confidence: ''Shutting down the DNSChanger name servers might be a problem - but not in Finland''. So compared to the global drop to approximately 50%, I'd say the Finns did a pretty good job with their drop to approximately 7% of the initial numbers. They've totally deserved their stickers:
But that was not my main point. The main points are:
- CERT Finland's AutoReporter service dealt with the problem in a routine manner: information about DNSChanger infections just started flowing in from the security community, and out to hundreds of network owners.
- They had the capability to observe if the number of infections is increasing or decreasing.
- When the so-called doomsday was getting closer, they could estimate what the impact would be if the remaining infected hosts would stop working.
All because of a systematic approach to collect and forward abuse information from the ones who know to the ones who need to know.
If you are a national actor tasked with protecting your national critical infrastructure or citizens, a good place to start is to ask yourself these questions:
- Do you collect systematically information provided by the security community?
- Can you automatically redistribute this information to the ones who can mitigate the problem?
- Do you have the data to observe if the cleaners are doing their part?
- Do you have the data to estimate the long term trends in your country?
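To make the three questions concrete, here is an added example (not CERT Finland's AutoReporter code) of the minimal pipeline behind them: take a feed of "host X asked resolver Y" observations, keep only those hitting the taken-down resolver ranges, group the infected hosts per network owner so each owner gets its own report, and count unique hosts per day to see the trend. The resolver ranges, owner table and observations are all constructed placeholders.

```python
import ipaddress
from collections import defaultdict

# Constructed values (not from the article): resolver prefixes a feed provider
# would flag, and a toy prefix-to-owner table standing in for the real
# allocation data a CERT uses to route a report to the right ISP.
FLAGGED_RESOLVERS = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "203.0.113.0/24")]
NETWORK_OWNERS = {
    ipaddress.ip_network("192.0.2.0/25"): "isp-a",
    ipaddress.ip_network("192.0.2.128/25"): "isp-b",
}

# Constructed observation feed: (day, querying host, resolver it asked).
OBSERVATIONS = [
    ("2012-01-10", "192.0.2.10", "198.51.100.7"),
    ("2012-01-10", "192.0.2.11", "203.0.113.9"),
    ("2012-01-10", "192.0.2.10", "198.51.100.7"),  # same host seen twice
    ("2012-01-10", "192.0.2.200", "198.51.100.7"),
    ("2012-01-10", "192.0.2.201", "8.8.8.8"),       # ordinary resolver, ignored
    ("2012-01-10", "198.18.0.5", "198.51.100.7"),   # no owner on file
    ("2012-07-09", "192.0.2.10", "203.0.113.9"),
    ("2012-07-09", "192.0.2.200", "198.51.100.7"),
]

def queried_flagged_resolver(resolver: str) -> bool:
    """True if the queried resolver falls inside a flagged (taken-down) range."""
    addr = ipaddress.ip_address(resolver)
    return any(addr in net for net in FLAGGED_RESOLVERS)

def owner_of(host: str) -> str:
    """Map a querying host to the network owner who can get it cleaned."""
    addr = ipaddress.ip_address(host)
    for net, owner in NETWORK_OWNERS.items():
        if addr in net:
            return owner
    return "unassigned"  # keep it for a manual queue rather than dropping it

def build_reports(observations):
    """{day: {owner: set of infected hosts}}, one report per owner per day."""
    reports = defaultdict(lambda: defaultdict(set))
    for day, host, resolver in observations:
        if queried_flagged_resolver(resolver):
            reports[day][owner_of(host)].add(host)
    return reports

def trend(reports):
    """Unique infected hosts per day, the number that tells you if cleanup works."""
    return [(day, sum(len(h) for h in reports[day].values())) for day in sorted(reports)]
```

Duplicate sightings of one host count once, and hosts with no owner on file are kept under "unassigned" so they still show in the trend.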
If the answers to all of those are no at the moment, don't worry. CERT Finland, being the first, has been building this capability since 2006. Nowadays there are tools and services available from yours truly to get you started in a few months. Just mail email@example.com or firstname.lastname@example.org and we'll show you how.
-- jani 2012-07-13 20:29:10
With the help of DNS Changer Working Group (1)