Former DNSChanger addresses out in the wild again
European IP address authority RIPE NCC has reallocated two IP address blocks that were previously used by the DNSChanger malware. Under a US court order, the FBI and the Internet Systems Consortium (ISC) controlled the addresses from last November until mid-July of this year and ran clean replacement resolvers on them, because switching the rogue servers off outright would have left the manipulated computers of private users unable to resolve names at all. Some members of the DNSChanger Working Group (DCWG), which has been working with the FBI, say it is much too soon to reallocate the blocks; former ISC CEO Barry Greene is at the forefront of the protest. RIPE NCC, on the other hand, regards the reallocation as a completely normal procedure.
Administrators in the North American Network Operators' Group (NANOG) worry that many of the computers still infected with DNSChanger may still have their resolver settings pointing into the reallocated blocks, so their DNS queries will now land on whoever holds the addresses next, which is a problem for the new holders as well as for the victims. Neither network provider Inevo in Romania (former DNSChanger block 126.96.36.199 to 188.8.131.52) nor Aurimas Rapalis in Lithuania (former DNSChanger block 184.108.40.206 to 220.127.116.11) is currently using the addresses for servers reachable from outside. Neither company has yet said whether it will keep the addresses in a "quarantine" of its own or how it would handle a potential flood of redirected DNS queries; requests for a statement from The H's associates at heise Security have so far gone unanswered.
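The practical check behind that worry is whether a machine's configured resolvers fall inside the former rogue ranges. The following is an added example, not code from the article, from RIPE NCC or from the DCWG: it parses resolv.conf-style text and flags any nameserver that lies inside a list of networks. The ranges in the constant are the publicly documented DNSChanger rogue-resolver ranges from the FBI/DCWG list, taken as an assumption here rather than from the garbled addresses printed above, and the sample configuration is constructed for the demonstration.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Rogue resolver ranges DNSChanger pointed victims at. Assumed here from the
# public FBI/DCWG list (not taken from the article above); substitute whatever
# ranges you actually care about, e.g. a reallocated block you now hold.
DNSCHANGER_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20",
    "67.210.0.0/20",
    "93.188.160.0/21",
    "77.67.83.0/24",
    "213.109.64.0/20",
    "64.28.176.0/20",
)]


def parse_resolv_conf(text: str) -> List[str]:
    """Return the nameserver addresses from resolv.conf-style text.

    Comments (after '#') and unrelated directives such as 'search' are ignored.
    """
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def flag_rogue_resolvers(servers: Iterable[str],
                         ranges=DNSCHANGER_RANGES) -> List[Tuple[str, str]]:
    """Return (server, matching_network) pairs for every server inside a range.

    Strings that are not valid IP addresses are skipped rather than raising,
    so a malformed config line cannot abort the whole check.
    """
    hits = []
    for server in servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            continue
        for net in ranges:
            if addr in net:
                hits.append((server, str(net)))
                break
    return hits


# Constructed sample: one clean resolver, two inside former rogue ranges,
# one malformed line that must be tolerated.
SAMPLE_RESOLV_CONF = """\
# Generated by the malware, then never cleaned up
search example.net
nameserver 8.8.8.8
nameserver 85.255.113.5     # inside 85.255.112.0/20
nameserver 93.188.161.10    # inside 93.188.160.0/21
nameserver not-an-address
"""


def check_sample() -> List[Tuple[str, str]]:
    """Run the check over the constructed sample and return the hits."""
    return flag_rogue_resolvers(parse_resolv_conf(SAMPLE_RESOLV_CONF))


if __name__ == "__main__":
    for server, net in check_sample():
        print(f"resolver {server} is inside former DNSChanger range {net}")
```

On a real host you would feed the contents of /etc/resolv.conf (or the equivalent output of the platform's resolver settings) to `parse_resolv_conf`; a non-empty result from `flag_rogue_resolvers` means the machine's DNS traffic is still being sent to whoever now holds that block.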
RIPE NCC managing director Axel Pawlik says that nobody was warned of the reallocation because notifying third parties is not part of the standard address allocation process. After RIPE NCC's compulsory de-registration of the DNSChanger blocks and a six-week waiting period, the blocks left quarantine and were automatically returned to the free pool and allocated as usual, Pawlik added. RIPE members have not yet raised any complaints or comments about the issue.
There's also a political component: in early November RIPE NCC is due to appear in court against the Netherlands to settle the legality of last year's surprise move by the Amsterdam police, who forced the DNSChanger IP address blocks to be frozen. At the FBI's request, the Dutch prosecutors ordered RIPE NCC to block all changes to the registration of those addresses.
RIPE NCC's lawyers complied at first but later reversed course, declaring the police order null and void without a ruling from a Dutch court. Only then did de-registration and reallocation become possible. Observers in Europe see the upcoming case as an indicator of how European registries will handle orders from the other side of the Atlantic in future, especially since a simple revocation of routing certificates can have a long-term negative impact on the routing of a company that is on trial.
(Monika Ermert / crve)