The DNSChanger malware modified the local DNS settings of an infected PC. This meant that criminals could assume control over the DNS resolution of the victim computer, effectively redirecting it to any destination of their choice, rather than the bank or search engine the user originally intended to visit (for example).
This ability was used primarily for click fraud by the Esthosts gang, redirecting searches and sites to generate revenue by defrauding advertisers and advertising networks.
PCs which are still infected by the malware, or whose settings have not been corrected even after the infection was cleaned up, are still querying those criminal servers. The FBI have been operating those servers since the warrant was executed, but their right to do so has now expired and the servers will be shut down, meaning that any queries from those 300,000 computers will fall on deaf ears and, to all intents and purposes, the web will go dark for the affected users.
At the time when Trend Micro co-operated with the FBI in bringing the Esthosts gang to justice, we believed about 4 million PCs to be affected. This number has since dropped to about 300,000, and this should be considered a success. However, with the definitive shut-off of the criminal DNS servers today, those 300,000 people face a potential total loss of web access.
On Wednesday February 8th, the giant Dutch ISP KPN announced that their network had been breached. KPN first became aware of the breach around January 27th of this year and since that date have worked with the National Cyber Security Centre, the regulator OPTA, the Data Protection Agency, the Ministry of Economic Affairs, Agriculture & Innovation, the Ministry of Justice and Safety and the Public Prosecutor in an effort to contain and trace the intruder(s).
A conscious decision was made in January not to make a public announcement regarding the intrusion. This decision was apparently made for two reasons: to increase the chances of success of the investigation, and to mitigate the possibility that the hacker would do some kind of damage if they knew they had been discovered.
In the initial announcement, KPN recognised that some customer data may have been affected but stated that servers containing credit card data or passwords were not compromised.
One day after this announcement a list of 537 KPN user accounts (name, address, email address and password in clear text) was posted on pastebin. There was no direct context given for the data or where it came from; the title of the post was simply “KPN HACK PROOF, KPN houdt vol: geen klantgegevens gestolen”, which translates as “KPN insists: no customer data stolen”, so the insinuation was clearly that the two events were linked.
As a result of this data leakage, KPN immediately shut down access to all of its 2 million consumer email accounts as a precautionary measure. It took a full 25 hours before KPN were able to restore outbound email service to their customers on Friday night, and it wasn’t until Saturday that inbound email services were restored in a phased approach. At the same time KPN invested in extra bandwidth and services to enable all their customers to go through an online password reset procedure. Business services remained unaffected, although business users were also strongly advised to change their passwords. By midday Sunday, more than 100,000 customers had already done so.
In an article published this weekend, it became clear that the 537 user accounts were in fact not associated with this attack at all. Instead the user accounts were a subset of a much larger list stolen earlier in the year from the online store babydump.nl. The information published is at least a year out of date although several of the victims on the list were unaware that their information had been stolen or leaked at all.
According to the ongoing analysis by KPN, which agrees with the information given by the self-confessed attacker, the underlying reason for the successful intrusion was the use of outdated software. According to the hacker, the first system breached was running SunOS 5.8 with patch 108528-29, a version that dates back to 2004. SunOS 5.8 is due to reach end of support next month. In addition, the hackers claim to have downloaded at least 16GB of data, which they have subsequently destroyed, and to have breached the systems to the point where they were able to individually control a customer’s Internet access.
KPN appear in large part to agree with the assertions of the hacker; their statement from today says: “Several experts in their analysis around the digital break-in suggested that KPN were using seriously outdated systems, and that they also failed to regularly update them.” Joost Farwerck, Director of KPN Netherlands, said: “Granted, developments in our sector are of course very fast. That said, by research in recent weeks we have seen that the maintenance of Internet IT systems has not always been optimal. We are drawing lessons from this to make the service for our customers better and safer.”
As if the Sony debacle were not enough, here is yet another salutary lesson that vulnerable and outdated systems should not be Internet-facing if they are not adequately protected. It is a relatively simple matter to discover the versions of operating systems and applications running on a given server and an even more simple task to uncover the disclosed vulnerabilities.
While it may be unrealistic to expect an enterprise to install each and every patch as it becomes available, attaching an inadequately protected system, with an eight-year-out-of-date operating system and application stack, to the Internet is inexcusable. Even in an internal environment, enterprises should be shielding known vulnerabilities with effective host-intrusion protection software until patches are deployed, and patches themselves should be deployed in as timely a manner as possible. Don’t be the next KPN.
If you believe that your account may have been affected by this intrusion, the password reset service is here, although it appears to be suffering under heavy load right now and I could not get a response. You would also be advised to check out the password advice I posted earlier and avoid reusing one password across multiple web sites.
This concerted action against an entrenched criminal gang is highly significant and represents the biggest cybercriminal takedown in history. Six people have been arrested through multinational law enforcement cooperation based on solid intelligence supplied by Trend Micro and other industry partners. More than 4 million victims in over 100 countries have been rescued from the malign influence of this botnet, and an infrastructure of over 100 criminal servers has been dismantled with minimal disruption to the innocent victims.
If you are worried that you might have been a victim of this criminal activity, the FBI have made an online tool available which will allow you to check if your DNS server settings have been tampered with.
First you will need to discover what your current DNS server settings are:
On a PC, open the Start menu by clicking the Start button or the Windows icon in the lower left of your screen, type “cmd” in the Search box and hit return (for Windows 95 users, select “Start”, then “Run”). This should open a black window with white text. In this window type “ipconfig /all” and hit return. Look for the entry that reads “DNS Servers” and note down the numeric addresses that are listed there.
On a Mac (yes, they can be victims too), click on the Apple icon in the top left of your screen and select “System Preferences”; from the Preferences panel select the “Network” icon. Once this window opens, select the currently active network connection in the left column and, on the right, select the DNS tab. Note down the addresses of the DNS servers that your computer is configured to use.
You can check whether these addresses correspond to servers used by the criminals behind Operation Ghost Click by using this online tool provided by the FBI: simply enter the IP addresses one by one and click the “check ip” button.
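As an added example (not code from the original post or from the FBI tool), the following Python script automates the manual check above: it parses the “DNS Servers” entry out of `ipconfig /all` output and tests each address against a list of resolver ranges. Both the sample `ipconfig` output and the flagged ranges are constructed placeholders using RFC 5737 documentation addresses; substitute the ranges published by the FBI alongside its checking tool.

```python
import ipaddress
import re

# Constructed sample of "ipconfig /all" output (not taken from a real machine).
# When several resolvers are configured, the "DNS Servers" entry continues on
# unlabelled, indented lines, which is why a one-line grep misses the second one.
SAMPLE_IPCONFIG = """
Windows IP Configuration

Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . : home.example
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.0.2.10
                                       203.0.113.7
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# PLACEHOLDER ranges (RFC 5737 documentation space). Replace with the rogue
# resolver ranges published by the FBI for Operation Ghost Click.
ROGUE_DNS_RANGES = [
    ipaddress.ip_network("192.0.2.0/28"),
    ipaddress.ip_network("198.51.100.0/24"),
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_dns_servers(ipconfig_output):
    """Return every IPv4 address listed under "DNS Servers" in ipconfig /all output."""
    servers = []
    collecting = False
    for line in ipconfig_output.splitlines():
        if "DNS Servers" in line:
            collecting = True
        elif re.search(r"\. :", line):
            collecting = False  # any other labelled entry ends the DNS Servers block
        if collecting:
            servers.extend(IPV4_RE.findall(line))
    return servers


def is_rogue(address):
    """True if the resolver address falls inside one of the flagged ranges."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in ROGUE_DNS_RANGES)


def check_resolvers(ipconfig_output):
    """Map each configured DNS server to whether it sits in a flagged range."""
    return {server: is_rogue(server) for server in parse_dns_servers(ipconfig_output)}


if __name__ == "__main__":
    for server, flagged in check_resolvers(SAMPLE_IPCONFIG).items():
        print(server, "FLAGGED: resolver is in a listed range" if flagged else "not in listed ranges")
```

On a live machine, pipe the real output in (`ipconfig /all > out.txt`) and call `check_resolvers` on the file contents; a flagged result is what the FBI tool would also report for that address.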