FBI Prepares to Shut Down DNSChanger Temporary Servers, Infections Remain

By CIOinsight  |  Posted 02-06-2012

Some major organizations still have not removed the DNSChanger Trojan from infected computers, despite the fact that the botnet's command-and-control infrastructure has been under the Federal Bureau of Investigation's control for the past few months.

Half of Fortune 500 companies and 27 out of 55 government entities still have at least one computer or router still infected with DNSChanger malware in their network, according to a study by Internet Identity released Feb. 2. The report data was collected from IID's ActiveKnowledge Signals systems as well as from other data-collection systems. That translates to about 450,000 computers still actively infected, according to the DNS Changer Working Group.

The primary function of the DNSChanger malware family is to replace the Domain Name System servers defined on the victim's computer with rogue ones operated by the criminals. DNS translates domain names into the numeric IP addresses and lets users access Websites and work online without having to know each specific computer's address. Windows and Mac OS X users are both vulnerable to this Trojan.

All user activity from infected machines was directed to rogue DNS servers, which sent users to malicious sites instead of to sites they were really trying to reach. The FBI said the criminals in charge of the operation were making money from referral fees from affiliate programs and fake antivirus software sales. DNS Changer also prevents machines from getting security updates for all software programs running.

The FBI took over the botnet's command-and-control (C&C) servers in November as part of Operation Ghost Click. The FBI replaced the rogue DNS servers with legitimate servers and published instructions on how system administrators could detect and disinfect the malware-ridden computers. The FBI believes as many as 4 million machines had been hijacked by the malware at the height of the criminal campaign. The FBI has arrested six Estonian nationals.

The FBI will have to take down the servers they put up to replace the rogue ones on March 8. The court order that allowed Operation Ghost Click permitted the FBI to run the legitimate servers only for 120 days. If the IT teams don't clean up those computers immediately, come March 8, those computers and routers will be unable to get on the Web, send emails or do anything online.

The DNSChanger Working Group is considering requesting a court order to extend the deadline beyond March 8. There's no guarantee, however, that organizations would take advantage of that extension to finally clean up their machines. The Conficker worm is still infecting millions of machines, even though the Conficker Working Group has been actively cleaning up after the worm since 2009.


To read the original eWeek article, click here: FBI Prepares to Shut Down DNSChanger Temporary Servers, Infections Remain