Do you have a Sinkhole in your Network?
March 9, 2015
You may have heard of botnets like DNS Changer or Conficker that have been taken down by law enforcement agencies in various countries. What you may not be aware of is that millions of computers are still infected by these sorts of ‘zombie’ malware. DNS Changer, for example, has proven to be a very tough piece of malware to remove, and many computers are still running it. Worse, the IP addresses that were used by DNS Changer have been reassigned and some have been given to highly suspicious entities. If any computers on your network are still infected, they are probably ripe for exploitation by a new set of cyber-criminals.
What is DNS Changer?
On November 8, the FBI, the NASA-OIG and the Estonian police arrested several cyber criminals in “Operation Ghost Click”. The criminals operated under the company name “Rove Digital” and distributed DNS-changing viruses, variously known as TDSS, Alureon, TidServ and TDL4.
The botnet operated by Rove Digital altered user DNS settings, pointing victims to malicious DNS in data centers in Estonia, New York, and Chicago. The malicious DNS servers would give fake, malicious answers, altering user searches, and promoting fake and dangerous products. Because every web search starts with DNS, the malware showed users an altered version of the Internet.
Under a court order, which expired July 9, the Internet Systems Consortium operated replacement DNS servers for the Rove Digital network. These servers meant that infected computers could continue to access the Internet until they could be cleaned up. This has now stopped and the IP address space has been recycled. Some of it is now in the hands of suspicious characters, meaning any computers still infected may get reinfected with new malware. More information is available from the DNS Changer Working Group at http://www.dcwg.org/
What is Conficker?
Conficker has been around in various forms since 2008. There are at least 5 variants (usually called A, B, C, D and E respectively) and it affects all Microsoft OSes prior to Windows 7, including Windows Server 2008. It has spread widely using a variety of vulnerabilities and there are still millions of computers infected with it today. Thanks to the efforts of a number of technology companies who formed the Conficker Working Group, the domains it tries to call home to are all sinkholed, but it remains a threat because it foils many security updates. Moreover, Conficker E installed a spamming bot (Waledac) and other malware, so it is quite possible that a Conficker-infected PC is also infected with other actively malicious software.
In cases such as Conficker the malware is currently inactive because the places the infected computers try to call home to are still in the hands of the good guys. But even so, those computers are probably not as up to date with their security software as you might think, because most of these trojans disable antivirus and block updates of antivirus, Flash and so on. This means they are at far greater risk of infection by new malware that exploits security holes which have already been fixed on most computers.
Frequently ISPs will detect that their customers are accessing known malware sinkholes and send them an email to warn them. Unfortunately, in most cases the IP address they report is the IP address of the firewall, which has dozens, perhaps hundreds, of computers NATed behind it, so figuring out which computer is actually infected is a nightmare. We’re offering a free log parser that scans your firewall logs to detect the internal NATed addresses of infected computers.
Use this tool to see if you have sinkholes – http://threatstop.com/sinkhole
This tool will parse logfiles from firewalls, IDSes and so on to see whether any computers on your network are using the DNS Changer IP addresses for their DNS or are attempting to contact the sinkholes for other malware such as Conficker. This is done by parsing the logfiles you upload to us and extracting the lines that contain the DNS Changer or sinkholed addresses. You will be given a report that tells you which IP addresses on your network are communicating with these servers.
We limit the size of log files that may be parsed to 1 Mbyte. If you have larger log files, break them up or contact ThreatSTOP and we will provide you with an alternate access method. This can also be done if you have a lot of small log files. We reserve the right to block uploads from IP addresses that appear to be abusing our service. This may include uploading logfiles that we are unable to parse, so please ensure that you upload a logfile in uncompressed plain text format. We are using a fairly general-purpose parser and all we need are source and destination IP addresses in standard IPv4 notation (126.96.36.199), so pretty much any kind of text log file should work.
Sample Sinkhole Report
ThreatSTOP has analyzed your log data and found 13 attempts to connect to Sinkholed Malware servers by 5 different IP addresses
| Log Lines Checked | Infected | Clean |

| IP Address      | Count | Raw Log Line(s)                              |
| 192.168.124.129 | 6     | <158>1 2012-07-05T16:03:48.141Z TEST-SR[...] |
|                 |       | <158>1 2012-07-05T16:10:28.141Z TEST-SR[...] |
|                 |       | <158>1 2012-07-05T16:13:14.141Z TEST-SR[...] |
|                 |       | <158>1 2012-07-05T16:31:08.141Z TEST-SR[...] |
|                 |       | <158>1 2012-07-05T16:32:04.141Z TEST-SR[...] |
|                 |       | <158>1 2012-07-05T16:39:44.141Z TEST-SR[...] |
| 192.168.124.123 | 3     | <158>1 2012-07-05T16:03:48.141Z TEST-SR[...] |
|                 |       | <158>1 2012-07-05T16:03:49.141Z TEST-SR[...] |
|                 |       | <158>1 2012-07-05T16:03:48.141Z TEST-SR[...] |
| 192.168.124.14  | 2     | <158>1 2012-07-05T16:03:48.141Z TEST-SR[...] |
|                 |       | <158>1 2012-07-05T16:05:58.141Z TEST-SR[...] |
| 192.168.124.25  | 1     | <158>1 2012-07-05T16:03:48.141Z TEST-SR[...] |
| 192.168.124.126 | 1     | <158>1 2012-07-05T16:03:48.141Z TEST-SR[...] |

Note: to see the full log line, click on the [...]
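To show the kind of matching the parser described above performs, here is an added example (not ThreatSTOP's tool) that scans syslog-style firewall lines like those in the sample report and groups sinkhole contacts by the internal NATed address. The sinkhole prefixes are RFC 5737 documentation ranges standing in for the published DNS Changer and Conficker sinkhole lists, and the log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Placeholder sinkhole prefixes (RFC 5737 documentation ranges). In real use,
# substitute the published DNS Changer / Conficker sinkhole address lists.
SINKHOLE_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Format-agnostic: pull every dotted quad out of a line, as the text describes.
IPV4_RE = re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")

def parse_ip(text):
    """Return an IPv4Address, or None if the dotted quad is out of range."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def is_sinkhole(ip):
    return any(ip in net for net in SINKHOLE_NETS)

def scan(log_text):
    """Map each internal (NATed) address to the raw log lines in which it
    contacted a sinkhole. Lines with a sinkhole hit but no private address
    are grouped under 'unknown' so a firewall logging only post-NAT
    addresses still shows the contact, even if not the culprit host."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        addrs = [ip for ip in map(parse_ip, IPV4_RE.findall(line)) if ip]
        if not any(is_sinkhole(ip) for ip in addrs):
            continue                      # clean line: no sinkhole contact
        internal = [ip for ip in addrs if ip.is_private and not is_sinkhole(ip)]
        key = str(internal[0]) if internal else "unknown"
        hits[key].append(line.rstrip())
    return dict(hits)

def report(log_text):
    """Rows of (ip, count), busiest first, like the sample report."""
    hits = scan(log_text)
    return sorted(((ip, len(ls)) for ip, ls in hits.items()), key=lambda r: (-r[1], r[0]))

# Constructed firewall lines in the shape of the sample report's syslog entries.
SAMPLE_LOG = """\
<158>1 2012-07-05T16:03:48.141Z TEST-SR fw - - - ACCEPT src=192.168.124.129 dst=203.0.113.7 dport=53
<158>1 2012-07-05T16:10:28.141Z TEST-SR fw - - - ACCEPT src=192.168.124.129 dst=203.0.113.7 dport=53
<158>1 2012-07-05T16:03:49.141Z TEST-SR fw - - - ACCEPT src=192.168.124.123 dst=198.51.100.12 dport=80
<158>1 2012-07-05T16:04:02.141Z TEST-SR fw - - - ACCEPT src=192.168.124.14 dst=192.0.2.53 dport=53
<158>1 2012-07-05T16:05:11.141Z TEST-SR fw - - - DROP src=10.0.0.5 dst=192.168.124.1 proto=icmp
"""

if __name__ == "__main__":
    for ip, count in report(SAMPLE_LOG):
        print(f"{ip:<17}{count}")
```

The raw lines kept per address carry the timestamps, which is what lets you tie a hit to a DHCP lease when leases are short.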
What do the results mean?
Any IP address listed on the results page has attempted to contact an IP address used by DNS Changer. These IP addresses are not used by anything except the DNS Changer replacement servers hosted by ISC, so it is highly likely that the computer at that IP address is infected with DNS Changer. Using your internal address management tools you can identify the computer and then clean it up. We put the raw log line on the report so that you can see the time(s) of the event(s), which will help if you have relatively short DHCP leases on your network.
How do I clean up suspect computers?
One reason why there are so many computers still infected is that they are hard to clean up. This page (http://www.dcwg.org/fix/) gives a lot of good information and recommends that users follow one of the guides listed there.
Francis Turner has worked for over 20 years in the IT and data communication industries, starting with a stint at IBM in the mid 1980s before reading Computer Science at Cambridge University. Subsequently he worked for Madge Networks and Bay Networks. After the latter merged with Nortel, he became the European Product Manager for their enterprise switching division. In 2001 he left Nortel Networks to be CIO at a small biotech company that was seminal in the use of computation in the analysis and creation of new enzymatic processes. Most recently he worked at a consultancy firm assisting ICT companies with their multinational product marketing and business development.