We have received three emails from the US Department of Justice Victim Notification System to our ARIN POC address advising us that we may be the victim of a crime. Headers look legit.

We have been frustrated in trying to follow the rabbit hole to get any useful information. We've jumped through hoops to get passwords that don't work and attempted to navigate a voice-mail system that resembles the "twisty maze of passages all different" from an old text adventure game.

This *seems* to be legit, and I would think that the end result is likely to be a list of IP addresses associated with infected hosts.

Has anyone else received the email? Is it legit? If so has anyone successfully navigated the maze, and if so how? Is it worth it?

(And why don't they just send the list of infected IPs to the ARIN contact in the first place?)

-- Jay Hennigan - CCIE #7880 - Network Engineering - jay@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV
AS2381 has also received them, we are no further along in this than you are. On 1/19/2012 2:59 PM, Jay Hennigan wrote:
We've also received the emails and ignored them. If the US DOJ needs to contact us they use the postal service. On 01/19/2012 03:01 PM, Michael Hare wrote:
If it's related to the same emails I've received from the DOJ over the past 3 days: It's related to a case against a few Estonians involved with DNSChanger malware. www.fbi.gov/news/stories/2011/november/malware_110911
Same here. No idea who the intended recipient organization is, as it was sent to our generic tech contact email address that is used for a bunch of ASes, ARIN accounts, domains, etc. There are pretty much no details in the message. -Randy ----- Original Message -----
The 3rd email they sent: This email is intended to provide clarification on a previous email sent to you. You will be receiving a letter by U.S. Postal Service in the coming days. In the meantime, please visit the link below which provides more details on the investigation and identifying you as a possible victim: www.fbi.gov/news/stories/2011/november/malware_110911 -- Tim
Operation Ghost Click - someone in your AS has malware which changes their DNS server to an evil IP. ICANN (IIRC) replaced these servers with clean ones around November 2011 and now it seems like the FBI is trying to contact everyone who is still talking to that server. FBI seems to have a list of netblocks hosting rogue DNS servers here: https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS So if one of the computers inside your network is talking to one of those IPs for DNS, you probably have malware. Drew On Jan 19, 2012, at 1:03 PM, Tim Jackson wrote:
Once upon a time, Andrew D. Dibble <adibble@quantcast.com> said:
FBI seems to have a list of netblocks hosting rogue DNS servers here: https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS
So should I try to type in all the IPs on my network, one at a time? Oh wait, that page requires Javascript to check an IP; like I'm going to allow the FBI to run JS on my computer. -- Chris Adams <cmadams@hiwaay.net> Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.
We took the CIDR blocks listed here: http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf and ran them against net flow data from our external links and were able to generate a list of subscriber IP addresses that were using the rogue DNS servers. Lane -- Lane Powers Southwest Arkansas Tel On 1/19/12 3:19 PM, "Chris Adams" <cmadams@hiwaay.net> wrote:
Knowing it's JS, I looked at the source, and here's the "rogue" ranges:

    var IP_RANGES = [
        [[85, 255, 112, 0], [85, 255, 127, 255]],
        [[67, 210, 0, 0], [67, 210, 15, 255]],
        [[93, 188, 160, 0], [93, 188, 167, 255]],
        [[77, 67, 83, 0], [77, 67, 83, 255]],
        [[213, 109, 64, 0], [213, 109, 79, 255]],
        [[64, 28, 176, 0], [64, 28, 191, 255]]
    ];

On Thu, Jan 19, 2012 at 2:19 PM, Chris Adams <cmadams@hiwaay.net> wrote:
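A worked version of the flow-data match Lane describes, using the six start/end ranges quoted from the FBI checker page in the thread. This is an added example, not code from the thread, from the FBI page, or from any flow collector: it assumes flow records have been exported as simple comma-separated text (src_ip,dst_ip,proto,dst_port; a constructed format, not nfdump's or any other tool's real output), and the sample flows embedded below are made up. It only flags clients that actually send DNS (port 53) to one of the ranges, so a subscriber who merely fetched a web page from one of those blocks is not reported.

```python
"""Find subscriber IPs that are sending DNS queries to the DNSChanger ranges.

Added example for this thread. The six ranges are the start/end pairs
posted from the FBI page's IP_RANGES array; the flow format and the sample
flows are constructed for the example and are not any collector's output.
"""
import ipaddress
from typing import Iterable, List, Set, Tuple

# Start/end pairs exactly as quoted from the FBI checker page in the thread.
ROGUE_DNS_RANGES: List[Tuple[str, str]] = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]

# Integer bounds computed once so each flow record is a cheap comparison.
_RANGE_BOUNDS = [
    (int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi)))
    for lo, hi in ROGUE_DNS_RANGES
]


def rogue_cidrs() -> List[str]:
    """Collapse each start/end pair into CIDR notation (handy for ACLs or
    flow-collector filters that want prefixes rather than ranges)."""
    cidrs: List[str] = []
    for lo, hi in ROGUE_DNS_RANGES:
        for net in ipaddress.summarize_address_range(
            ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
        ):
            cidrs.append(str(net))
    return cidrs


def is_rogue_dns_server(ip: str) -> bool:
    """True if ip (dotted quad) falls inside any of the posted ranges.
    IPv6 or malformed input is simply 'not in range' rather than an error."""
    try:
        n = int(ipaddress.IPv4Address(ip))
    except (ipaddress.AddressValueError, ValueError):
        return False
    return any(lo <= n <= hi for lo, hi in _RANGE_BOUNDS)


def find_infected_clients(flow_lines: Iterable[str]) -> List[str]:
    """Return the sorted set of source IPs that sent TCP/UDP port-53 traffic
    to a rogue range. Comment lines, blank lines and records that do not
    have exactly four fields are skipped."""
    infected: Set[str] = set()
    for raw in flow_lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            continue
        src, dst, proto, dport = parts
        # Only DNS traffic counts; the same blocks may host other services.
        if proto.lower() not in ("udp", "tcp") or dport != "53":
            continue
        if not is_rogue_dns_server(dst):
            continue
        try:
            ipaddress.IPv4Address(src)  # keep only well-formed v4 sources
        except (ipaddress.AddressValueError, ValueError):
            continue
        infected.add(src)
    return sorted(infected, key=lambda s: int(ipaddress.IPv4Address(s)))


# Constructed sample flows (src_ip,dst_ip,proto,dst_port); not real data.
SAMPLE_FLOWS = """\
# src_ip,dst_ip,proto,dst_port
192.0.2.10,85.255.112.5,udp,53
192.0.2.10,8.8.8.8,udp,53
192.0.2.25,64.28.180.1,tcp,53
192.0.2.40,64.28.180.1,tcp,80
192.0.2.41,85.255.111.255,udp,53
192.0.2.50,213.109.79.255,udp,53
this line is garbage and is skipped
"""

if __name__ == "__main__":
    print("rogue prefixes:", ", ".join(rogue_cidrs()))
    for client in find_infected_clients(SAMPLE_FLOWS.splitlines()):
        print("client using rogue DNS:", client)
```

Swap `SAMPLE_FLOWS.splitlines()` for an open file of exported flows and the script produces the same kind of per-subscriber list Lane's netflow query did; `rogue_cidrs()` gives the prefix form if your collector filters on prefixes rather than ranges.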
We've been getting them too. I haven't even thought to follow up. DOJ won't email you with a do not reply. On Thu, 2012-01-19 at 12:59 -0800, Jay Hennigan wrote:
-- ************************************************************ Michael J. McCafferty CEO M5 Hosting http://www.m5hosting.com Like us on Facebook for updates and photos: https://www.facebook.com/m5hosting ************************************************************
participants (12)
- Andrew D. Dibble
- Chris Adams
- Dave Ellis
- Jay Hennigan
- Lane Powers
- Michael Hare
- Michael J McCafferty
- ML
- PC
- Randy Carpenter
- Simon Lockhart
- Tim Jackson