[152362] in North American Network Operators' Group


RE: Operation Ghost Click

daemon@ATHENA.MIT.EDU (Frank Bulk)
Thu Apr 26 20:40:05 2012

From: "Frank Bulk" <frnkblk@iname.com>
To: "'Paul Graydon'" <paul@paulgraydon.co.uk>,
	<nanog@nanog.org>
In-Reply-To: <4F99C288.1030705@paulgraydon.co.uk>
Date: Thu, 26 Apr 2012 19:38:54 -0500
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

The good folks at Shadowserver have been giving us a feed of IPs that are
hitting those DNS servers since November and last month we got the last
of the customers cleaned up.  Not all ISPs are non-proactive.

Frank

-----Original Message-----
From: Paul Graydon [mailto:paul@paulgraydon.co.uk]
Sent: Thursday, April 26, 2012 4:48 PM
To: nanog@nanog.org
Subject: Re: Operation Ghost Click

On 04/26/2012 11:44 AM, Andrew Latham wrote:
> On Thu, Apr 26, 2012 at 5:38 PM, Jeroen van Aart <jeroen@mompl.net> wrote:
>> Excuse the horrible subject :-)
>>
>> Anyone have anything insightful to say about it? Is it just lots of fuss
>> about nothing or is it an actual substantial problem?
>>
>> http://www.fbi.gov/news/stories/2011/november/malware_110911
>>
>> "Update on March 12, 2012: To assist victims affected by the DNSChanger
>> malicious software, the FBI obtained a court order authorizing the Internet
>> Systems Consortium (ISC) to deploy and maintain temporary clean DNS servers.
>> This solution is temporary, providing additional time for victims to clean
>> affected computers and restore their normal DNS settings. The clean DNS
>> servers will be turned off on July 9, 2012, and computers still impacted by
>> DNSChanger may lose Internet connectivity at that time."
>>
>> --
>> Earthquake Magnitude: 5.5
>> Date: Thursday, April 26, 2012 19:21:45 UTC
>> Location: off the west coast of northern Sumatra
>> Latitude: 2.6946; Longitude: 94.5307
>> Depth: 26.00 km
>>
> Yes, it's a major problem for the users unknowingly infected.  To them
> it will look like their Internet connection is down.  Expect ISPs to
> field lots of support calls.
>
Based on conversations on this list a month or so ago, ISPs were
contacted with details of which of their IPs had compromised boxes
behind them, but it seems the consensus is that ISPs were going to just
wait for users to phone support when it broke rather than be proactive
about it.

Paul




