Potentially tens of thousands of machines once infected by the DNS Changer may be at risk of hijacking after IP address blocks were reallocated last week.
DNS Changer, a piece of malware that could manipulate search results on a victim’s machine, came into focus early last month as the Internet Systems Consortium (ISC) prepared to shut down servers that maintained over 200,000 victims’ connection to the internet.
ISC had controlled servers that replaced the infrastructure a criminal Estonian group Rove Digital had used to conduct its business, but a court order only gave ISC the authority to maintain those servers until July 9.
The servers connected to a series of IP address blocks that are regulated by Netherlands-based regional internet registry Réseaux IP Européens Network Coordination Centre (RIPE NCC).
Last week RIPE NCC reallocated those address blocks, meaning whoever owns them now could use them to hijack DNS Changer victims’ machines, according to Barry Greene, the former CEO and president of ISC.
“It was assumed that these blocks would remain in limbo until all the court proceedings were completed. The 'assumption' was not correct,” wrote Greene on Tuesday, warning carriers and ISPs to keep a close eye on these address blocks.
“Who ever controls these netblocks can hijack computers that are still infected with DNS Changer and other malware,” Greene added, pointing out that there were other malicious actors that operated within these address blocks.
Greene said RIPE’s move “surprised” many in the security industry, law enforcement, as well as participants of the DNS Changer Working Group (DCWG)—the industry group that had spearheaded efforts to minimise the impact of the ISC’s server switch off.
The DNS Changer malware altered the Domain Name Service (DNS) settings on victims’ computers, in effect changing the details of the internet address book victim machines relied on to connect to a website.
The main focus of the internet and security industries in the months leading up to the July 9 cut-off date was to ensure that users reset their DNS settings in order to ensure they would continue to be able to connect to the internet after ISC switched off the servers it maintained.
While it did achieve large reductions, at the time of the deadline, DCWG estimated at the time that there remained over 200,000 unique IP addresses classified as “victims”.
Follow @CSO_Australia and sign up to the CSO Australia newsletter.