Intro
This Fox News article about infected computers was brought to my attention:
Hundreds of thousands may lose Internet in July
Hey, their URLs look like my URLs. Wonder if they’re using WordPress.
But I digress. I was asked if this is a hoax. I really had to puzzle over it for a while. It smells like a hoax. I didn’t find any independent confirmation on the isc.org web site, where I get my BIND source files from. I didn’t see a blog post from Paul Vixie mentioning this incident.
And the comments. Oh my word the comments. Every conspiracy theorist is eating this up, gorging on it. The misinformation is appalling. There is actually no single comment as of this writing (100+ comments so far) that lends any technical insight into the saga.
Let’s do a reset and start from a reasonable person basis, not political ideology.
To recount, apparently hundreds of thousands of computers got hacked in a novel way. They had their DNS servers replaced with DNS servers owned by hackers. In Windows you can see your DNS servers with
> ipconfig /all
in a CMD window.
Look for the line that reads
DNS Servers…
These DNS servers could redirect users to web sites that encouraged users to fill out surveys which generated profit for the hackers.
It’s a lot easier to control a few servers than it is to fix hundreds of thousands of desktops. So the FBI got permission through the courts to get control of the IP addresses of the DNS servers involved and decided to run clean DNS servers. This would keep the infected users working, and they would no longer be prompted to fill out surveys. In fact they would probably feel that everything was great again. But this solution costs money to maintain. Is the FBI running these DNS servers? I highly, highly doubt it. I’ll bet they worked with ISC (isc.org) who are the real subject matter experts and quietly outsourced that delicate task to them.
So in July, apparently, (I can’t find independent confirmation of the date) they are going to pull the plug on their FBI DNS servers.
On that day some 80,000 users in the US alone will not be able to browse Internet sites as a result of this action, and hundreds of thousands outside of the US.
If the FBI works with some DNS experts – and Paul Vixie is the best out there and they are apparently already working with him – they could be helpful and redirect all DNS requests to a web site that explains the problem and suggests methods for fixing it. It’s not clear at this point whether or not they will do this.
That’s it. No conspiracy. The FBI was trying to do the right thing – ease the users off the troubled DNS services to somewhat minimize service disruption. I would do the same if I were working for the FBI.
Unfortunately, feeding fodder to the conspiracists is the fact that the mentioned web site, dcwg.org, is not currently available. The provenance of that web site is also hard to scrutinize as it’s registered to an individual, which looks fishy. But upon digging deeper I have to say that probably the site is just overwhelmed right now. It was first registered in November – around the time this hack came to light. It stands for DNS Changer Working Group.
Comparitech provides more technical details in this very well-written article: DNS changer malware.
Another link on their site that discusses this topic: check-to-see-if-your-computer-is-using-rogue-DNS
Specific DNS Servers
I want to be a good Netizen and not scan all the address ranges mentioned in the FBI document. So I took an educated guess as to where the DNS servers might actually reside. I found three right off the bat:
64.28.176.1
213.109.64.1
77.67.83.1
Knowing actual IPs of actual DNS servers makes this whole thing a lot more real from a technical point-of-view. Because they are indeed unusual in their behaviour. They are fully resolving DNS servers, which is a rarity on the Internet but would be called for by the problem at hand. Traceroute to them all shows the same path, which appears to be somewhere in NYC. A DNS query takes about 17 msec from Amazon’s northeast data center which is in Virginia. So the similarity of the path seems to suggest that they got hold of the routing for these subnets and are directing them to the same set of clean DNS servers.
Let’s see what else we can figure out.
Look up 64.28.176.1 on arin.net Whois. More confirmation that this is real and subject to a court order. In the comments section it says:
In accordance with a Court Order in connection with a criminal investigation, this registration record has been locked and during the period from November 8, 2011 through March 22, 2012, any changes to this registration record are subject to that Court Order.
I thought we could gain even more insight looking up 213.109.64.1, which is normally an address range outside of North America, but I can’t figure out too much about it. You can look it up in the RIPE database (ripe.net). You will in fact see it is registered to Prolite Ltd in Russia. No mention of a court order. So we can speculate that unlike arin.net, RIPE did not bother to update their registration record after the FBI got control. So Prolite Ltd may either have been an active player in the hack, or merely had some of their servers hacked and used for the DNSChanger DNS server service.
Of course we don’t know what the original route looked like, but I bet it didn’t end in New York City, although that can’t be ruled out. But now it does. I wonder how the FBI got control of that subnet and if it involved international cooperation.
7/9 update
The news reports re-piqued my interest in this story. I doubled back and re-checked those three public DNS servers I had identified above. 64.28.176.1, etc. Sure enough, they no longer respond to DNS queries! The query comes back like this:
$ dig ns com @77.67.83.1

; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> ns com @77.67.83.1
;; global options: +cmd
;; connection timed out; no servers could be reached
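The two checks described in this post (reading the configured resolvers out of ipconfig /all and probing a resolver the way dig does) can be scripted. This is an added example, not code from the original post: it parses a constructed ipconfig /all sample, flags any resolver that is in the list of three addresses identified above (extend that list from an authoritative source; the FBI ranges are not reproduced here), and builds the same NS query for com that the dig command sends, with a UDP probe that reports a timeout instead of an answer.

```python
import re
import socket
import struct
import random

# Constructed sample of `ipconfig /all` output; not captured from a real host.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 64.28.176.1
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Only the three resolver addresses the post identified; extend from an authoritative list.
KNOWN_ROGUE_DNS = {"64.28.176.1", "213.109.64.1", "77.67.83.1"}

def parse_dns_servers(ipconfig_text):
    """Return IPv4 DNS servers from `ipconfig /all` output. Windows prints the
    first address on the 'DNS Servers' line and any further addresses on
    continuation lines holding only an address; the next 'Key . . . : value'
    line ends the block."""
    servers, in_block = [], False
    for line in ipconfig_text.splitlines():
        if re.match(r"\s*DNS Servers\b", line):
            in_block, line = True, line.split(":", 1)[1]
        elif in_block and re.search(r"\. : ", line):
            in_block = False
        addr = line.strip()
        if in_block and re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", addr):
            servers.append(addr)
    return servers

def flag_rogue(servers, rogue=KNOWN_ROGUE_DNS):
    """Subset of `servers` that appear in the rogue list."""
    return [s for s in servers if s in rogue]

def build_ns_query(name="com"):
    """Minimal DNS query for NS records of `name`, as `dig ns com` sends it:
    12-byte header (recursion desired), label-encoded QNAME, QTYPE=NS, QCLASS=IN."""
    header = struct.pack(">HHHHHH", random.randint(0, 0xFFFF), 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 2, 1)

def resolver_answers(server, timeout=3.0):
    """True if the resolver sends any UDP reply; False on timeout, which is what
    dig reports as 'connection timed out; no servers could be reached'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_ns_query(), (server, 53))
            s.recvfrom(512)
            return True
        except socket.timeout:
            return False
```

Run parse_dns_servers on the real output of ipconfig /all saved to a file, then resolver_answers on each flagged address; after the shutdown date those addresses return False just as the dig output above shows.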
Conclusion
As a DNS and Internet expert I have some greater insight into this particular news item than the average commentator. Interested in DNS? Here’s another article I wrote about DNS: Google’s DNS Servers Rock!
References and related
Here’s a much more thorough write-up of the DNS Changer situation: http://comparitech.net/dnschangerprotection
3 replies on ““FBI’s” DNS Servers – Trying to Clear Some of the Hysteria”
Is it possible that the FBI uses NPR servers to conduct criminal investigations? I have some reason to suspect that the FBI uses a hacking tool that is installed locally on the target user’s machine, with a virtual machine rolled out on NT Server, with .NET framework, in C++ using IIS and other Windows features that are now found on every Windows machine, but not typically in service on home based machines. The VM would be its own website that acts as a remote desktop, that is set up as a back door and hosted on NPR’s servers. If I’m really going out on a limb, I’d say that it takes about 5 minutes to install on the and looks just like any regular Windows 10 update, only in this case the OS is replaced by a version of Windows NT that takes the OEM files and installs them over the top of the NT system, so it appears seamless to the user. I’m not an expert, by any means (seriously, I barely understand any of this), I just put together some seemingly random pieces of a puzzle and happened to read your article, but I’d like your opinion.
I think you’re just throwing buzzwords together in a kind of word salad and you have no idea what you’re talking about.
Not exactly. I was arrested in my apartment on Sunday, December 11th, I still don’t know what the reason was, but 2 deputies from Riverside SD (Temecula PD, to be exact), had my former roommate break a downstairs window to let them in. I’ve never been a suspect of any crime, much less subject to a no-knock, warrant-less search, incident to an arrest and I’ve held DoD and DoS clearances, until my last LoA expired in 2012. I’ve never been on the wrong side of the law, but my roommate suddenly moved out and got a temporary restraining order and I was served on Friday. Before I had any chance to appeal it, I was arrested for “disturbing the peace”, after just waking up to the sound of breaking glass. I wasn’t even allowed to put on pants, until they dropped me off at the jail and I was given sweats, 4 hours later. I spent 12 hours in custody, because “the sergeant forgot to sign my release”. My EX-roommate’s excuse for being at the apartment was that he needed to change the locks. Coincidentally, that took him 12 hours, I found the key on my own, but when I got inside, there were 2 texts from him telling me where he hid my key, which were sent 5 minutes before they released me from jail. There are more details, which only make it more convoluted, but they clearly thought they were going to find something. I think the job done on my computer was just a fishing expedition, that resulted from failing in their primary objective and suddenly needing a very good reason for being there and seriously violating the civil rights of a 16 year combat veteran. I was in custody for 6 hours, before the program was installed on my computer and they apparently took my laptop somewhere else, because they erased my location history for 2 days before and after. I doubt I would have figured it out, but my computer was refurbished and it installed the original release of Windows 10, which was nothing like the upgraded version on my computer when I bought it.
When it wouldn’t update, I started digging through the event logs and found everything I listed above. There were services installed that don’t come on the home edition and the event logs told me where to find everything. I considered the possibility that it was all installed there before I bought it and someone did a system restore, but that doesn’t explain how they got past my BIOS and hard drive password, why the log said it was installing the new operating system, with certificates that were assigned to and the event log that was unbroken when it migrated my user profiles over to the new OS. I still feel like I must be paranoid, but there are too many things that defy all but one possible explanation. Having some idea what our federal government pays for software licensing, I know the price tag has to be a little more than even a California Sheriff’s department could hide in their budget, and it took little research to find out that the FBI is purported to have a million dollar hacking tool that they’ve not said anything about. They also have an inland county task force in Riverside and the District Attorney has pulled down his fair share of child pornographers lately; no one is too concerned how. The federal law regulating how warrants are applied to remote access of personal computers changed on December 1st, making it possible to obtain a federal warrant from one of 500 federal magistrates, but they installed this locally and it seems like an afterthought, because they cut it down to the last possible minute, before releasing me. I’ve talked A LOT of S*** to the entire chain of command for Temecula Police Department, since then. They’ve done several things in response, one of them being to change the date and the offense I was arrested for, but it still doesn’t hold water and I’ve been increasingly public and offensive with my criticism.
There’s little to no possibility that they’re going to hide it in trial, as long as I keep my criticism public enough, which is why I posted my actual name. I personally think that they were looking for a gun that the “victim” said I had, but there are other possibilities. I know the hacking tool is real and I was told by a trusted friend, not to pursue it in court, which I really don’t need to do. I do need to make sure there are enough people paying attention to keep them from sweeping it under the carpet, though, and evidence of that computer programming making its public debut to credible accusations of civil rights and 4th, 5th and 14th amendment violations does deserve the kind of attention I need to ensure justice in court. I need to go to trial and face my accusers, so I can expose the public corruption and conspiracy that led them to pick this fight in the first place.