nanog mailing list archives

Re: US DOJ victim letter

From: "Andrew D. Dibble" <adibble () quantcast com>
Date: Thu, 19 Jan 2012 13:15:28 -0800

Operation Ghost Click - someone in your AS has malware which changes their DNS server to an evil IP.  ICANN (IIRC) 
replaced these servers with clean ones around November 2011 and now it seems like the FBI is trying to contact everyone 
who is still talking to that server.

FBI seems to have a list of netblocks hosting rogue DNS servers here:
https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS

So if one of the computers inside your network is talking to one of those IPs for DNS, you probably have malware.

Drew


On Jan 19, 2012, at 1:03 PM, Tim Jackson wrote:

The 3rd email they sent:

This email is intended to provide clarification on a previous email
sent to you. You will be receiving a letter by U.S. Postal Service in
the coming days.  In the meantime, please visit the link below which
provides more details on the investigation and identifying you as a
possible victim:

www.fbi.gov/news/stories/2011/november/malware_110911

--
Tim

Current thread:

US DOJ victim letter Jay Hennigan (Jan 19)
- Re: US DOJ victim letter Michael Hare (Jan 19)
  - Re: US DOJ victim letter Dave Ellis (Jan 19)
  - Re: US DOJ victim letter ML (Jan 19)
  - Re: US DOJ victim letter Randy Carpenter (Jan 19)
- Re: US DOJ victim letter Tim Jackson (Jan 19)
  - Re: US DOJ victim letter Andrew D. Dibble (Jan 19)
    - Re: US DOJ victim letter Chris Adams (Jan 19)
    - Re: US DOJ victim letter Lane Powers (Jan 19)
    - Re: US DOJ victim letter PC (Jan 19)
    - Re: US DOJ victim letter Simon Lockhart (Jan 19)
- Message not available
  - Re: US DOJ victim letter Jay Hennigan (Jan 19)
    - Re: US DOJ victim letter Alan Clegg (Jan 19)
    - Re: US DOJ victim letter Chris Adams (Jan 19)
    - Re: US DOJ victim letter Carlos Alcantar (Jan 19)
    - Re: US DOJ victim letter Todd Lyons (Jan 19)
    - Re: US DOJ victim letter Ryan Gelobter (Jan 19)

(Thread continues...)