Beware! DNS Changer’s IP Blocks are re-allocated and advertised!

(Last Updated On: August 10, 2012)

As of Friday morning (August 10, 2012), the IP address blocks used by the Rove Digital criminal operations have been re-allocated by RIPE-NCC and advertised to the Internet:

http://www.ris.ripe.net/cgi-bin/lg/index.cgi?rrc=RRC001&query=1&arg=85.255.112.0%2F20

http://www.ris.ripe.net/dashboard/85.255.112.0/20

As a reminder, the Rove Digital/DNS Changer Crew used the following IP address blocks for their nefarious activities:

85.255.112.0/20

67.210.0.0/20

93.188.160.0/21

77.67.83.0/24

213.109.64.0/20

64.28.176.0/20

From November 9th, 2011  until July 9th, 2012, the DNS Changer Working Group with the FBI hosted clean DNS servers to help victims clean up their systems. On July 9th, 2012, these servers were shut down and the IP blocks were removed from the global routing table.

It was assumed that these blocks would remain in limbo until all the court proceedings were completed. The “assumption” was not correct. Alarms that many service providers and security professionals put in place to watch for miscreant “hijacking” of these IP address block were triggered early on Friday. What was a surprise was that these blocks were not “hijacked,” but re-allocated.

85.255.112.0/20 was previously Promnet Ltd but has now been reallocated to INEVO-NET (see http://bgp.he.net/AS56831)

93.188.160.0/21 was was previously Promnet Ltd but has now been reallocated to LT-HOSTING

Of course this could be a false alarm. When you take the existing INEVO-Net block and look for miscreant activities, we find the following:

While not a detailed analysis of AS 56831’s cleanliness, the quick check calms some fears. Still until all the details are in, operators should treat the network with suspicion.

Why is this a problem?

DNS Changer was not the only malicious activities inside these Netfblocks. Who ever controls these netblocks can hijack computers that are still infected with DNS Changer and other malware. The way these netblocks are reallocated and surprise at the speed of the reallocation exacerbates the concern. This move by RIPE surprised many in the security industry, law enforcement, and participants of the DCWG. Given the surprise, network operators should be very cautious with any traffic to/from these netblocks.

What should you do to protect your network and your customers?

First, monitor traffic to and from these netblocks. If you do not have the resources, then consider filtering all traffic to and from these netblocks until you receive the all clear.

How would you filter

 

Complements and Kudos to my peers in several security groups who had the alarms set up and watching for any chances to the DNS Changer netblocks. It is hard to hide on the Internet. 🙂