[148619] in North American Network Operators' Group
Re: US DOJ victim letter
daemon@ATHENA.MIT.EDU (Andrew D. Dibble)
Thu Jan 19 16:16:12 2012
From: "Andrew D. Dibble" <adibble@quantcast.com>
To: Tim Jackson <jackson.tim@gmail.com>
Date: Thu, 19 Jan 2012 13:15:28 -0800
In-Reply-To: <CAK19Y1cxcVKbCY7Yv2Coefy4JVOgkcO50KPjL14ux-cUS=-xLg@mail.gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Operation Ghost Click - someone in your AS has malware which changes their
DNS server to an evil IP. ICANN (IIRC) replaced these servers with clean
ones around November 2011 and now it seems like the FBI is trying to contact
everyone who is still talking to that server.
FBI seems to have a list of netblocks hosting rogue DNS servers here:
https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS
So if one of the computers inside your network is talking to one of those
IPs for DNS, you probably have malware.
Drew
On Jan 19, 2012, at 1:03 PM, Tim Jackson wrote:
> The 3rd email they sent:
>
> This email is intended to provide clarification on a previous email
> sent to you. You will be receiving a letter by U.S. Postal Service in
> the coming days. In the meantime, please visit the link below which
> provides more details on the investigation and identifying you as a
> possible victim:
>
> www.fbi.gov/news/stories/2011/november/malware_110911
>
> --
> Tim
>
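
The check described in the message above (internal hosts sending DNS queries to the rogue netblocks), as an added example that is not part of the original thread. The flow-record format, the internal address range and the netblocks are assumptions: the netblocks are RFC 5737 documentation ranges standing in for the list published on the FBI page.

```python
import ipaddress
from collections import Counter

# PLACEHOLDER netblocks (RFC 5737 documentation ranges), not the FBI's list.
# Substitute the netblocks published on the FBI page linked in the message.
ROGUE_DNS_NETBLOCKS = [ipaddress.ip_network(n)
                       for n in ("192.0.2.0/24", "198.51.100.0/25")]
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address space

# Constructed sample flow records: "timestamp src_ip dst_ip proto dst_port"
SAMPLE_FLOWS = """\
2012-01-19T13:00:01 10.1.4.22 192.0.2.53 udp 53
2012-01-19T13:00:02 10.1.4.22 192.0.2.53 udp 53
2012-01-19T13:00:03 10.1.7.9 10.0.0.53 udp 53
2012-01-19T13:00:04 10.1.9.40 198.51.100.10 tcp 53
2012-01-19T13:00:05 10.1.9.41 198.51.100.200 udp 53
2012-01-19T13:00:06 10.1.4.22 192.0.2.53 tcp 80
malformed line here
2012-01-19T13:00:07 203.0.113.5 192.0.2.53 udp 53
"""

def find_rogue_dns_clients(flow_text, rogue_nets=ROGUE_DNS_NETBLOCKS,
                           internal=INTERNAL):
    """Return {(client_ip, resolver_ip): query_count} for internal clients
    sending port-53 traffic to a resolver inside any rogue netblock."""
    hits = Counter()
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records
        _, src, dst, proto, port = fields
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            continue  # skip records with unparsable addresses
        if proto not in ("udp", "tcp") or port != "53":
            continue  # only DNS traffic is of interest
        if src_ip not in internal:
            continue  # only report hosts inside our own network
        if any(dst_ip in net for net in rogue_nets):
            hits[(src, dst)] += 1
    return dict(hits)

if __name__ == "__main__":
    for (client, resolver), n in sorted(find_rogue_dns_clients(SAMPLE_FLOWS).items()):
        print(f"{client} sent {n} DNS flow(s) to rogue resolver {resolver}")
```

Each client reported is a host whose resolver setting should be inspected and reset; hosts behind a NAT or a local forwarder will appear as that device's address instead.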