Operation Ghost Click

Fri Apr 27 00:38:54 UTC 2012

The good folks at Shadowserver has been giving us a feed of IPs that are hitting those DNS server since November and last month we got the last of the customers cleaned up.  Not all ISPs are non-proactive.

Frank

-----Original Message-----
From: Paul Graydon [mailto:paul at paulgraydon.co.uk] 
Sent: Thursday, April 26, 2012 4:48 PM
To: nanog at nanog.org
Subject: Re: Operation Ghost Click

On 04/26/2012 11:44 AM, Andrew Latham wrote:
> On Thu, Apr 26, 2012 at 5:38 PM, Jeroen van Aart<jeroen at mompl.net>  wrote:
>> Excuse the horrible subject :-)
>>
>> Anyone have anything insightful to say about it? Is it just lots of fuss
>> about nothing or is it an actual substantial problem?
>>
>> http://www.fbi.gov/news/stories/2011/november/malware_110911
>>
>> "Update on March 12, 2012: To assist victims affected by the DNSChanger
>> malicious software, the FBI obtained a court order authorizing the Internet
>> Systems Consortium (ISC) to deploy and maintain temporary clean DNS servers.
>> This solution is temporary, providing additional time for victims to clean
>> affected computers and restore their normal DNS settings. The clean DNS
>> servers will be turned off on July 9, 2012, and computers still impacted by
>> DNSChanger may lose Internet connectivity at that time."
>>
>> --
>> Earthquake Magnitude: 5.5
>> Date: Thursday, April 26, 2012 19:21:45 UTC
>> Location: off the west coast of northern Sumatra
>> Latitude: 2.6946; Longitude: 94.5307
>> Depth: 26.00 km
>>
> Yes its a major problem for the users unknowingly infected.  To them
> it will look like their Internet connection is down.  Expect ISPs to
> field lots of support calls.
>
Based on conversations on this list a month or so ago, ISPs were 
contacted with details of which of their IPs had compromised boxes 
behind them, but it seems the consensus is that ISP were going to just 
wait for users to phone support when it broke rather than be proactive 
about it.

Paul