Operation Ghost Click

Excuse the horrible subject :slight_smile:

Anyone have anything insightful to say about it? Is it just lots of fuss about nothing or is it an actual substantial problem?


"Update on March 12, 2012: To assist victims affected by the DNSChanger malicious software, the FBI obtained a court order authorizing the Internet Systems Consortium (ISC) to deploy and maintain temporary clean DNS servers. This solution is temporary, providing additional time for victims to clean affected computers and restore their normal DNS settings. The clean DNS servers will be turned off on July 9, 2012, and computers still impacted by DNSChanger may lose Internet connectivity at that time."

Yes its a major problem for the users unknowingly infected. To them
it will look like their Internet connection is down. Expect ISPs to
field lots of support calls.

Based on conversations on this list a month or so ago, ISPs were contacted with details of which of their IPs had compromised boxes behind them, but it seems the consensus is that ISP were going to just wait for users to phone support when it broke rather than be proactive about it.


Yes its a major problem for the users unknowingly infected. To them
it will look like their Internet connection is down. Expect ISPs to
field lots of support s

Is there a list of these temporary servers so I can see what customers are using them (indicating infection) and head off a support call with some contact?

I suggest you reach out to Shadowserver or Team Cymru if you're a
netblock owner. They can provide daily reports of infected IPs.


Andrew Fried

http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf through through through through through through

Thanks, Andrew. I was out and about, and couldn't remember the prefixes
off-hand. They should have been in that PDF, iirc

The good folks at Shadowserver has been giving us a feed of IPs that are hitting those DNS server since November and last month we got the last of the customers cleaned up. Not all ISPs are non-proactive.


And what about the millions of users unknowingly infected with
"something else" ??

These people need help, at least the "Ghost Click" victims will have a
clue after July 9, unless we opt to extend our head-in-the-sand period.

(We have enough trouble isolating/remediating issues among our
relatively small user base, I'd hate to be facing a major ISP size
support/remediation effort...)

Does anyone have a plan?


Please look at www.dcwg.org


Or for those that don't want to do the math, here they are in CIDR notation

O'Reirdan, Michael wrote:

Please look at www.dcwg.org

Thanks all for the information.

It looks like the practical upshot is that computers that have been infected and not yet fixed may loose the ability to resolve names into IP addresses starting sometime after July 9, which is when the replacement nameservers are supposed to be stopped.

That in and of itself is quite a nuisance for the individual as well as the ISP helldesks but it could have been worse. I would certainly not call it "Internet doomsday".


If the user is stupid enough to be infected for that long I think it's a good thing they get cut off from the net , should be a policy of all ISPs , If your infected then you lose privilege to get online and thus you can't scan and infect other idiots or become a ddos tool for the script kiddies. I for one say turn em off!!!!

Ameen Pishdadi

you're obviously lucky, and don't have "stupid" grandparents.

Nope there dead unfortunately but if they were alive I'd clean up there machines maybe give them chrome books something idiot proof

Ameen Pishdadi

And they'd know they were infected, how, exactly? (Think carefully
before answering that, and keep in mind that although *you* may
be the world's greatest IT specialist, the average Joe Sixpack wants to
surf the web and read his e-mail, and does *not* understand (or
even *want* to) very much about computer security).

At some point in like 10 years when all the computer illiterate people are
gone there will be no more excuses for not being educated on malware and
viruses. While I understand the ISP doesn't want to possibly cut into there
profit margins they could easily put in place monitoring tools that can
detect network traffic that is malware bound and reach out to the customer
by email, phone and if need be by person.

How much of tax payer money is spent to pay these FEDERAL (F.B.I.) agents
to sit here and baby sit these computer ignorant and illiterate people for
6 months? So for the big ISPs like comcast i should pay out of my tax money
because they cannot properly enforce a network policy that would require
them to actually give a crap what is coming out of there network?

There is always going to be viruses and malware, they will find ways to get
them through but for heavens sake why would we if identified leave millions
of compromised machines online with an attempt to do a cleanup? YOU as a
network operator have a responsiblity to the other 40,000 AUTONOMOUS
network to make sure your not polluting our private network infrastructure
with garbage coming from your users and network. Clean up your mess.

Like we will not tolerate spammers being housed on 'hosting' networks why
should tolerate malware and infections coming from ISP's??? How much money
is spent cleaning up hacked word press servers and udp.pl scripts...

This is much bigger issue then at any cost making sure a user can get on to
facebook to upload a picture of there cat sleeping upside down. If we
enforced a proper policy and held network activity to certain standards the
ISP's would fix the issue of ignorant users themselves by #1 educating
there users , #2 implementing network monitoring on there outbound traffic
to identify sources of infected and compromised machines, #3 implementing a
cleanup policy, #4 letting the end user know they have a responsibility to
make sure the machines they access the network from are clean and to do
checks and to do there antivirus updates and os updates.

Oh yah, and if we got all these 'supporting' DNS servers up why not just
direct ALL users of it, who are clearly infected to a temporary page that
will enlighten the customer that they are infected and give them
instructions on clean up and give them a deadline of when there service
will stop......... How hard is that?

multiple users behind that NAT'd router as long as there not infected they
won't be shut off when those DNS servers go dark.

And if daddy is dumb enough to let his 8 year old son use his PC or laptop
w/o proper monitoring and gets infected thats his fault. I know I dont let
my 10 year old use my work computers , and he knows how to code , but he is
still a child and clicks stupid things.

Your basically telling me the ISPs should not take any responsibility, well
then how can we get pissed off when a host lets a spammer spam for a week
straight and is aware and doesn't shut them off, or notices a DDOS attack
is stemming from there network, a customer has 5-6 servers he pays for with
unmetered gigabit ports and is clearly blasting someone to hell and back
with spoofed packets , but because there margins are so thin they shouldn't
turn him off and cancel him so they do not have to cut into there

In the network world your either on the content side or the eyeball side,
and the eyeball networks seem to have double standards when it comes to
network abuse. Until this ends and the double standards stop the amount of
malware and attacks will never go decrease.

I say to your 'it costs the isp money' to do cleanup, that it costs content
providers money to do cleanup of constantly being scanned and probed and
hacked by what is mostly hacked end-user machines who got owned browsing
the internet because they went to a website that had a virus installed by
another end-users machine who was compromised the same way, its a vicious
circle and as an operator of a content provider im tired of the other half
of the internet not taking there share of the responsibility.

/End of rant..

* Jeff Kell:

And what about the millions of users unknowingly infected with
"something else" ??

You have to start somewhere. I received a warning letter, and four or
five very organizations had to cooperate in new ways to make this
happen. This is certainly a welcome development, and hopefully, this
experience can be used for other mitigation efforts.