09 Jul 2012
By Glenn Chisholm

DNS Changer – We’ll be redirecting customers


In one of my previous posts, I wrote about the DNSChanger malware and shared some tips on how to fix your infected computer. Today, 9 July, is D-Day: the temporary servers that were set up by the FBI will be shut down, and an estimated 250,000 people worldwide will be unable to browse the Internet.

By analysing our network and working with the Australian Government and other industry partners we know that there are at least 2500 Telstra endpoints currently affected. Since many of our customers have more than one device behind their Internet connection, the infection rate could be higher.

We’ve put in a lot of effort to contact customers over the past couple of months and help them to remove the malware and correct their DNS settings. The reality is we know that there are still customers out there that are affected and we don’t want them to lose access to the Internet. A reliable Internet service is not only something our customers pay for, but is something that can be their source of income or contact with the outside world.

So we’ve established a temporary network solution that will redirect infected customers away from the servers that will be turned off, so the Internet can be browsed as normal. In simple terms, this redirection overcomes the hijacking of their domain name requests by the malware and allows Telstra to respond to these queries. Once infected customers change their DNS settings to any legitimate server, whether provided by Telstra or a third party, the redirection will cease. We want to make sure that customers understand how this redirection works, especially if they are infected.

Telstra will redirect to our Bigpond DNS servers only those addresses identified by the FBI as part of their investigation. Although the redirect will catch all traffic destined for those addresses, we are only listening for DNS requests over UDP and TCP; all other requests will be silently dropped.

The IP address ranges which are being redirected are:

85.255.112.0/20
213.109.64.0/20
64.28.176.0/20
67.210.0.0/20
93.188.160.0/21
77.67.83.0/24
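To make the policy above concrete, here is a small added example (not Telstra’s code, and not the actual network configuration used) that models it: traffic to the six listed prefixes is answered only if it is DNS over UDP or TCP port 53, everything else to those prefixes is dropped, and traffic anywhere else passes untouched. It also includes the check a customer or support engineer wants: whether a host’s configured resolvers still point into the rogue ranges. The Bigpond resolver address, the sample flow records and the sample resolv.conf text are all constructed placeholders.

```python
import ipaddress

# The six prefixes the post lists as being redirected.
ROGUE_RANGES = [ipaddress.ip_network(p) for p in (
    "85.255.112.0/20", "213.109.64.0/20", "64.28.176.0/20",
    "67.210.0.0/20", "93.188.160.0/21", "77.67.83.0/24",
)]

# Placeholder (RFC 5737 documentation address): the post does not give the
# real Bigpond resolver address, so this stands in for it.
BIGPOND_DNS = "192.0.2.53"

DNS_PORT = 53


def is_rogue(ip: str) -> bool:
    """True if the address falls inside one of the redirected prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ROGUE_RANGES)


def classify(dst_ip: str, proto: str, dport: int) -> str:
    """Apply the policy from the post to one flow.

    Returns 'redirect' (DNS to a rogue prefix is answered by Bigpond DNS),
    'drop' (anything else aimed at a rogue prefix is silently discarded)
    or 'pass' (destination is not in the redirected ranges).
    """
    if not is_rogue(dst_ip):
        return "pass"
    if proto.lower() in ("udp", "tcp") and dport == DNS_PORT:
        return "redirect"
    return "drop"


def resolvers_from_resolv_conf(text: str) -> list:
    """Pull 'nameserver <ip>' entries out of resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def audit_resolvers(resolvers: list) -> list:
    """Return the configured resolvers that sit in the rogue ranges.

    A non-empty result means the host still carries DNSChanger settings and
    is only working because of the temporary redirect.
    """
    return [r for r in resolvers if is_rogue(r)]


def summarise_flows(flows: list) -> dict:
    """Count how the policy treats each (dst_ip, proto, dport) record."""
    counts = {"redirect": 0, "drop": 0, "pass": 0}
    for dst_ip, proto, dport in flows:
        counts[classify(dst_ip, proto, dport)] += 1
    return counts


# Constructed sample flow records: (destination IP, protocol, destination port).
SAMPLE_FLOWS = [
    ("85.255.113.5", "udp", 53),    # DNS query to a rogue resolver -> redirect
    ("85.255.113.5", "tcp", 53),    # DNS over TCP to the same host -> redirect
    ("85.255.113.5", "tcp", 80),    # HTTP to a rogue prefix -> drop
    ("93.188.161.9", "udp", 53),    # DNS query to another rogue prefix -> redirect
    ("93.188.168.1", "udp", 53),    # just outside 93.188.160.0/21 -> pass
    ("77.67.83.200", "udp", 123),   # NTP to a rogue prefix -> drop
    ("203.0.113.10", "udp", 53),    # DNS to a legitimate resolver -> pass
]

# Constructed resolv.conf of a still-infected host.
SAMPLE_RESOLV_CONF = """\
# generated by DNSChanger (constructed sample)
nameserver 85.255.112.36
nameserver 213.109.70.1
search example.invalid
"""

if __name__ == "__main__":
    print("flow summary:", summarise_flows(SAMPLE_FLOWS))
    bad = audit_resolvers(resolvers_from_resolv_conf(SAMPLE_RESOLV_CONF))
    if bad:
        print("still infected; rogue resolvers:", ", ".join(bad))
        print("these answers are currently served by", BIGPOND_DNS)
```

Note that `classify` treats any DNS request to the listed prefixes as redirected regardless of source, which matches the post’s description but not the scope limit in the next paragraph (Bigpond ADSL, Cable, Wireless and FTTP only); the policy is applied inside Telstra’s network, so the source constraint is implicit there.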

The redirection is managed within Telstra’s Bigpond network and only applies to Bigpond ADSL, Cable, Wireless and FTTP customers.

This redirection will also allow us to keep identifying infected customers, so we can continue to work closely with them and help them remove the malware and fix their DNS settings.

As well as allowing customers infected with the DNSChanger malware to continue to browse the Internet, the redirection means customers can continue to get an accurate picture of their infection status at ACMA’s DNSChanger diagnostic website at www.dns-ok.gov.au. This website also has instructions on how to remove the malware; however, fixing DNS settings is not so simple for the uninitiated. Further information is available at www.telstra.com.au/protection or by calling BigPond Technical Support on 13 3933.

This malware is an example of why it is really important to keep your PC protected with antivirus software. Telstra’s BigPond Security protects against malware such as DNSChanger and is available to new customers on a 30 day free trial. Even if customers choose not to subscribe to full protection after the trial period, they will retain Anti-Virus protection for free.


2 Comments

  1. Sam Spade says:

    I hope you are doing something to proactively notify users when they are redirected. Perhaps by injecting an iframe alert banner across the top of every web page?

  2. Glenn Chisholm says:

    Hi Sam

    We certainly have been contacting customers well before the shutdown to let them know they were infected. We established the redirection as we knew there would be people who would not have had the opportunity to correct their settings.

    Anyone redirected in this process will be contacted to assist them to remove the malware and correct their settings.

    As for injecting the iFrame, we are catching and returning a valid DNS request for our customers. Injecting ourselves into their HTTP traffic would be a last resort.

    Glenn
