US DOJ victim letter

We have received three emails from the US Department of Justice Victim
Notification System to our ARIN POC address advising us that we may be
the victim of a crime. Headers look legit.

We have been frustrated in trying to follow the rabbit hole to get any
useful information. We've jumped through hoops to get passwords that
don't work and attempted to navigate a voice-mail system that resembles
the "twisty maze of passages all different" from an old text adventure
game.

This *seems* to be legit, and I would think that the end result is
likely to be a list of IP addresses associated with infected hosts.

Has anyone else received the email? Is it legit? If so, has anyone
successfully navigated the maze, and if so, how? Is it worth it?

(And why don't they just send the list of infected IPs to the ARIN
contact in the first place?)

AS2381 has also received them, we are no further along in this than you are.

The 3rd email they sent:

This email is intended to provide clarification on a previous email
sent to you. You will be receiving a letter by U.S. Postal Service in
the coming days. In the meantime, please visit the link below which
provides more details on the investigation and identifying you as a
possible victim:

www.fbi.gov/news/stories/2011/november/malware_110911

We've also received the emails and ignored them. If the US DOJ needs to contact us they use the postal service.

The body of the email indeed reads like a poorly-executed phish
including elements such as "null" and "<personalized code here>" but
headers seem legit.

We've been getting them too. I haven't even thought to follow up. DOJ
won't email you with a do not reply.

If it's related to the same emails I've received from the DOJ over the past 3 days:

It's related to a case against a few Estonians involved with DNSChanger malware.

www.fbi.gov/news/stories/2011/november/malware_110911

Same here. No idea who the intended recipient organization is, as it was sent to our generic tech contact email address that is used for a bunch of ASes, ARIN accounts, domains, etc. There are pretty much no details in the message.

-Randy

I asked a local contact if it was legit and he confirmed that it is.

Wait for the paper mail.

I was amused to discover that to proceed on the web, I had to enter my
last name as "Representative" -- as in "Dear Business Representative".
Yep, really.

AlanC

Operation Ghost Click - someone in your AS has malware which changes their DNS server to an evil IP. ICANN (IIRC) replaced these servers with clean ones around November 2011 and now it seems like the FBI is trying to contact everyone who is still talking to that server.

FBI seems to have a list of netblocks hosting rogue DNS servers here:
https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS

So if one of the computers inside your network is talking to one of those IPs for DNS, you probably have malware.

Drew

Once upon a time, Alan Clegg <alan@clegg.com> said:

I was amused to discover that to proceed on the web, I had to enter my
last name as "Representative" -- as in "Dear Business Representative".
Yep, really.

<aol>me too</aol>

After I got yet more such generic and useless info, I lost interest. I
tried to go back and log in again, only to get this error from clicking
"Login" on the main page:

   The page you have requested does not exist, or can not be accessed.
   Please log in to the application from the main login page.

The link is back to the same login page. Hope it isn't anything
actually important, as the emails and website have been a complete
useless joke (that some contractor probably got millions for).

Once upon a time, Andrew D. Dibble <adibble@quantcast.com> said:

FBI seems to have a list of netblocks hosting rogue DNS servers here:
https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS

So should I try to type in all the IPs on my network, one at a time? Oh
wait, that page requires Javascript to check an IP; like I'm going to
allow the FBI to run JS on my computer.

We took the CIDR blocks listed here:
http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf

And ran them against net flow data from our external links and were able
to generate a list of subscriber IP addresses that were using the rogue
DNS servers.

Lane

Knowing it's JS, I looked at the source, and here's the "rogue" ranges:

var IP_RANGES = [
    [[85, 255, 112, 0], [85, 255, 127, 255]],
    [[67, 210, 0, 0], [67, 210, 15, 255]],
    [[93, 188, 160, 0], [93, 188, 167, 255]],
    [[77, 67, 83, 0], [77, 67, 83, 255]],
    [[213, 109, 64, 0], [213, 109, 79, 255]],
    [[64, 28, 176, 0], [64, 28, 191, 255]]
];

Show me an ISP which doesn't have end-user PCs infected with malware :-)

Simon
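Lane's netflow approach and Simon's extracted ranges together suggest a simple offline check; the following is an added example (not from any poster or from the FBI page) that matches constructed flow records against the IP_RANGES above and lists the internal hosts still sending DNS queries to those ranges. The flow format (srcIP,dstIP,proto,dstPort) and all sample addresses are constructed for illustration.

```javascript
// Rogue DNS ranges as quoted from the FBI page source earlier in the thread.
const IP_RANGES = [
  [[85, 255, 112, 0], [85, 255, 127, 255]],
  [[67, 210, 0, 0], [67, 210, 15, 255]],
  [[93, 188, 160, 0], [93, 188, 167, 255]],
  [[77, 67, 83, 0], [77, 67, 83, 255]],
  [[213, 109, 64, 0], [213, 109, 79, 255]],
  [[64, 28, 176, 0], [64, 28, 191, 255]],
];

// Convert a dotted-quad string to an unsigned 32-bit integer for range checks.
function ipToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`invalid IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) >>> 0) + (parts[1] << 16) + (parts[2] << 8) + parts[3];
}

// Pre-compute numeric [low, high] bounds once.
const ROGUE = IP_RANGES.map(([lo, hi]) => [ipToInt(lo.join('.')), ipToInt(hi.join('.'))]);

function isRogueDns(ip) {
  const n = ipToInt(ip);
  return ROGUE.some(([lo, hi]) => n >= lo && n <= hi);
}

// Flow records are "srcIP,dstIP,proto,dstPort" (constructed export format).
// Returns the sorted, de-duplicated list of source hosts talking DNS to a rogue range.
function findInfectedHosts(flowLines) {
  const hosts = new Set();
  for (const line of flowLines) {
    const [src, dst, , dport] = line.trim().split(',');
    if (!src || !dst) continue;   // skip blank or malformed lines
    if (dport !== '53') continue; // only DNS traffic is relevant
    if (isRogueDns(dst)) hosts.add(src);
  }
  return [...hosts].sort();
}

// Constructed sample flows (RFC 5737 test addresses on the inside).
const SAMPLE_FLOWS = [
  '192.0.2.10,85.255.116.7,udp,53',   // inside a rogue range: infected
  '192.0.2.11,8.8.8.8,udp,53',        // clean resolver
  '192.0.2.12,64.28.180.1,tcp,53',    // inside a rogue range: infected
  '192.0.2.10,85.255.116.7,udp,53',   // repeat flow from the same host
  '192.0.2.13,93.188.170.2,udp,53',   // just outside 93.188.160-167
  '192.0.2.14,213.109.70.5,tcp,443',  // rogue IP, but not DNS
];
```

Against a real netflow export you would feed `findInfectedHosts` the exported lines in the same field order; the result is the subscriber list Lane describes.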

+1 on these emails we have received 3 of them.

Carlos Alcantar
Race Communications / Race Team Member
101 Haskins Way, So. San Francisco, CA. 94080
Phone: +1 415 376 3314 / carlos@race.com / http://www.race.com

Three here as well.

They are related to the DNSChanger and Ghostclick malware as ML said. The
e-mails to us did come from the DOJ e-mail servers and were legitimate. The
phone number is legit as well.

On a less serious note, did anyone notice the numbers on the fbi.gov link? I'm pretty sure they are implying those are IP addresses. 123.456.789 and 987.654.321. Must be the same folks that do the Nexus documentation for Cisco.

-Hammer-

"I was a normal American nerd"
-Jack Herer

And write the scripts for various TV shows.

"Able to reconstruct an HD image from a single pixel. It's _CSI_!"