Operation Ghost Click
frnkblk at iname.com
Thu Apr 26 19:38:54 CDT 2012
The good folks at Shadowserver has been giving us a feed of IPs that are hitting those DNS server since November and last month we got the last of the customers cleaned up. Not all ISPs are non-proactive.
From: Paul Graydon [mailto:paul at paulgraydon.co.uk]
Sent: Thursday, April 26, 2012 4:48 PM
To: nanog at nanog.org
Subject: Re: Operation Ghost Click
On 04/26/2012 11:44 AM, Andrew Latham wrote:
> On Thu, Apr 26, 2012 at 5:38 PM, Jeroen van Aart<jeroen at mompl.net> wrote:
>> Excuse the horrible subject :-)
>> Anyone have anything insightful to say about it? Is it just lots of fuss
>> about nothing or is it an actual substantial problem?
>> "Update on March 12, 2012: To assist victims affected by the DNSChanger
>> malicious software, the FBI obtained a court order authorizing the Internet
>> Systems Consortium (ISC) to deploy and maintain temporary clean DNS servers.
>> This solution is temporary, providing additional time for victims to clean
>> affected computers and restore their normal DNS settings. The clean DNS
>> servers will be turned off on July 9, 2012, and computers still impacted by
>> DNSChanger may lose Internet connectivity at that time."
>> Earthquake Magnitude: 5.5
>> Date: Thursday, April 26, 2012 19:21:45 UTC
>> Location: off the west coast of northern Sumatra
>> Latitude: 2.6946; Longitude: 94.5307
>> Depth: 26.00 km
> Yes its a major problem for the users unknowingly infected. To them
> it will look like their Internet connection is down. Expect ISPs to
> field lots of support calls.
Based on conversations on this list a month or so ago, ISPs were
contacted with details of which of their IPs had compromised boxes
behind them, but it seems the consensus is that ISP were going to just
wait for users to phone support when it broke rather than be proactive
More information about the NANOG