Thousands of computers still infected with the DNSChanger Trojan will not be able to access the Internet after the FBI shuts down its temporary servers March 8.
Some of the
major organizations still have not removed the DNSChanger Trojan from infected
computers, despite the fact that the botnet's command-and-control
infrastructure has been under the Federal Bureau of Investigation's control for
the past few months.
function of the DNSChanger malware family is to replace the Domain Name System
servers configured on the victim's computer with rogue ones operated by the
criminals. DNS translates domain names into numeric IP addresses and lets
users reach Websites and work online without having to know each specific
computer's address. Windows and Mac OS X users are both vulnerable to this
All DNS lookups
from infected machines were directed to the rogue DNS servers, which sent users
to malicious sites instead of the sites they were actually trying to reach. The
FBI said the criminals in charge of the operation were making money from
referral fees from affiliate programs and fake antivirus software sales. DNS
Changer also prevents machines from getting security updates for all software programs
The FBI took
over the botnet's command-and-control (C&C) servers in November as part of
Operation Ghost Click. The FBI replaced the rogue DNS servers with legitimate
servers and published instructions on how system administrators could detect
and disinfect the malware-ridden computers. The FBI believes as many as 4
million machines had been hijacked by the malware at the height of the criminal
campaign. The FBI has arrested six Estonian nationals.
Fortune 500 companies and 27 out of 55 government entities still have at least
one computer or router infected with DNSChanger malware in their network,
according to a study by Internet Identity released Feb. 2. The report data was
collected from IID's ActiveKnowledge Signals systems as well as from other
translates to about 450,000 computers still actively infected, according to the
DNS Changer Working Group.
This is bad
news for those infected organizations, as the FBI will have to take down the
servers it put up to replace the rogue ones on March 8. The court order that
authorized Operation Ghost Click allowed the FBI to run the replacement servers
for only 120 days. If IT teams don't clean up those computers immediately,
come March 8 those computers and routers will be unable to get on the Web,
send email or do anything else online.
shutdown of the botnet infrastructure, the malware on infected machines had
still been sending DNS queries to the IP addresses that used to belong to
the rogue servers. The FBI's temporary servers had simply been answering those
queries with the correct addresses. After the servers are shut down, the
malware will be trying to reach servers that no longer exist, so name
resolution on those machines will fail.
Working Group is considering requesting a court order to extend the deadline beyond
March 8. There's no guarantee, however, that organizations would take advantage
of that extension to finally clean up their machines. The Conficker worm is
still infecting millions of machines, even though the Conficker Working Group
has been actively cleaning up after the worm since 2009.
shutdown may be a "bit of a shock" to the victims, it would
ultimately be a good thing, Chester Wisniewski, senior security advisor at
Sophos Canada, wrote on the Naked Security
blog. "You can't survive
cancer by not getting tested. Keeping your machines infected so you can surf is
not likely the best strategy," Wisniewski said.
several services available to help organizations check for and remove the
malware. Qualys has added the capability to detect the malware to its free
BrowserCheck tool. The DNSChanger
offers detailed instructions for detecting and
disinfecting computers on its Website. Avira offers the Avira DNS Repair Tool
to fix DNS settings after removing the malware with an antivirus program.
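The detection the article describes boils down to one check: does a machine's configured DNS resolver fall inside an address range the criminals controlled? The script below is an added example, not code from the article, the FBI or any of the tools named above. It parses resolv.conf-style resolver lists collected from a fleet and flags hosts still pointing at rogue ranges. The ranges in ROGUE_DNS_RANGES are placeholders from RFC 5737 documentation space, not the real DNSChanger ranges, which must be taken from the FBI or DNS Changer Working Group lists; the host inventory is constructed sample data.

```python
"""Flag hosts whose configured DNS resolvers sit inside rogue address ranges.

Added example for the DNSChanger clean-up described in the article. The rogue
ranges below are PLACEHOLDERS (RFC 5737 documentation space), not the real
DNSChanger ranges; substitute the ranges published by the FBI / DCWG.
"""
import ipaddress
import os
import re
from typing import Dict, Iterable, List

# PLACEHOLDER ranges: replace with the published rogue DNS ranges.
ROGUE_DNS_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Matches "nameserver <addr>" lines as found in /etc/resolv.conf.
_NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def parse_resolv_conf(text: str) -> List[str]:
    """Return the resolver addresses listed in resolv.conf-style text, in order."""
    return _NAMESERVER_RE.findall(text)


def is_rogue(address: str, ranges: Iterable) -> bool:
    """True if the address parses and lies inside any of the rogue ranges.

    An unparsable string is reported as not rogue here; assess_host records it
    separately so it is not silently ignored.
    """
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    # ipaddress returns False for a v4/v6 family mismatch, so mixing is safe.
    return any(ip in net for net in ranges)


def assess_host(resolv_text: str, ranges: Iterable) -> Dict[str, object]:
    """Classify one host from the text of its resolver configuration."""
    resolvers = parse_resolv_conf(resolv_text)
    rogue: List[str] = []
    unparsable: List[str] = []
    for addr in resolvers:
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            unparsable.append(addr)  # a resolver entry that is not an IP at all
            continue
        if is_rogue(addr, ranges):
            rogue.append(addr)
    return {
        "resolvers": resolvers,
        "rogue_resolvers": rogue,
        "unparsable": unparsable,
        # Even one rogue resolver means lookups can be hijacked (and will fail
        # once the replacement servers are gone), so one is enough to flag.
        "infected": bool(rogue),
    }


def triage(inventory: Dict[str, str], ranges: Iterable) -> Dict[str, Dict[str, object]]:
    """Assess every host in an inventory of {hostname: resolv.conf text}."""
    return {host: assess_host(text, ranges) for host, text in inventory.items()}


# Constructed sample inventory (hostnames and addresses are made up).
SAMPLE_INVENTORY = {
    "ws-finance-01": "search corp.example\nnameserver 203.0.113.7\nnameserver 203.0.113.8\n",
    "ws-legal-02": "nameserver 10.0.0.53\n",
    "branch-router": "nameserver 10.0.0.53\nnameserver 198.51.100.20\n",
    "lab-box": "nameserver not-an-ip\n",
}


if __name__ == "__main__":
    for host, result in triage(SAMPLE_INVENTORY, ROGUE_DNS_RANGES).items():
        state = "INFECTED" if result["infected"] else "clean"
        print(f"{host:15s} {state:9s} rogue={result['rogue_resolvers']} "
              f"unparsable={result['unparsable']}")
    # Also check the machine this runs on, if it keeps a resolv.conf.
    if os.path.exists("/etc/resolv.conf"):
        with open("/etc/resolv.conf", encoding="utf-8", errors="replace") as fh:
            local = assess_host(fh.read(), ROGUE_DNS_RANGES)
        print("local host:", "INFECTED" if local["infected"] else "clean", local["resolvers"])
```

A host with a single rogue entry is flagged even if its other resolvers are legitimate, because most resolver libraries fail over between entries and one hijacked answer is enough to redirect a user. Routers that hand out rogue resolvers over DHCP need the same check against their WAN-side DNS settings, which this script does not collect.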
the job of the FBI or anyone else to coddle those who haven't taken the steps
to ensure their own safety," Wisniewski said.