Many major organizations still have not removed the DNSChanger Trojan from infected computers, even though the botnet's command-and-control infrastructure has been under the Federal Bureau of Investigation's control for the past few months.
The primary
function of the DNSChanger malware family is to replace the Domain Name System
servers defined on the victim's computer with rogue ones operated by the
criminals. DNS translates domain names into the numeric IP addresses and lets
users access Websites and work online without having to know each specific
computer's address. Windows and Mac OS X users are both vulnerable to this
Trojan.
Every DNS query from an infected machine was sent to the rogue DNS servers, which answered with the addresses of malicious sites instead of the sites users were really trying to reach. The FBI said the criminals running the operation made money from affiliate-program referral fees and fake antivirus software sales. Because the rogue resolvers also controlled where update servers resolved to, DNSChanger could stop infected machines from obtaining security updates for the software running on them.
The FBI took
over the botnet's command-and-control (C&C) servers in November as part of
Operation Ghost Click. The FBI replaced the rogue DNS servers with legitimate
servers and published instructions on how system administrators could detect
and disinfect the malware-ridden computers. The FBI believes as many as 4
million machines had been hijacked by the malware at the height of the criminal
campaign. The FBI has arrested six Estonian nationals.
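The detection the FBI's instructions boil down to is a configuration check: read the DNS servers a host (or its router) is configured to use and compare them against the address ranges the rogue resolvers lived in. The following is an added example written for this article, not the FBI's or the DCWG's own tool. It parses the two common places the setting shows up, a Linux/macOS resolv.conf and Windows `ipconfig /all` output, and flags any resolver inside the six ranges the FBI published for Operation Ghost Click; the sample configurations are constructed for the demonstration, and the range list should be confirmed against the DCWG's current list before acting on a hit.

```python
import ipaddress
import re

# The six address ranges the FBI published for Operation Ghost Click.
# Confirm against the DCWG's current list before relying on them.
ROGUE_DNS_RANGES = [
    ipaddress.ip_network(n) for n in (
        "85.255.112.0/20",    # 85.255.112.0 - 85.255.127.255
        "67.210.0.0/20",      # 67.210.0.0   - 67.210.15.255
        "93.188.160.0/21",    # 93.188.160.0 - 93.188.167.255
        "77.67.83.0/24",      # 77.67.83.0   - 77.67.83.255
        "213.109.64.0/20",    # 213.109.64.0 - 213.109.79.255
        "64.28.176.0/20",     # 64.28.176.0  - 64.28.191.255
    )
]

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def is_rogue(address: str) -> bool:
    """True if the IPv4 address falls inside one of the rogue ranges."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return any(ip in net for net in ROGUE_DNS_RANGES)


def extract_resolvers(text: str) -> list[str]:
    """Pull configured DNS server addresses out of either a resolv.conf
    ("nameserver 1.2.3.4") or Windows `ipconfig /all` output, where the
    "DNS Servers" line may be followed by indented continuation lines that
    hold additional server addresses."""
    resolvers: list[str] = []
    in_dns_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("nameserver"):            # resolv.conf entry
            resolvers += IPV4_RE.findall(line)
            in_dns_block = False
        elif line.startswith("DNS Servers"):         # ipconfig /all entry
            resolvers += IPV4_RE.findall(line)
            in_dns_block = True
        elif in_dns_block and IPV4_RE.fullmatch(line):
            resolvers.append(line)                   # continuation line
        else:
            in_dns_block = False
    return resolvers


def check_config(text: str) -> dict[str, bool]:
    """Map each configured resolver to whether it is a rogue DNSChanger address."""
    return {r: is_rogue(r) for r in extract_resolvers(text)}


# Constructed sample inputs (not taken from any real host).
SAMPLE_RESOLV_CONF = """\
# constructed sample resolv.conf
nameserver 85.255.112.36
nameserver 8.8.8.8
"""

SAMPLE_IPCONFIG = """\
Windows IP Configuration (constructed sample)

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.20
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 93.188.161.5
                                       213.109.70.9
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for name, cfg in (("resolv.conf", SAMPLE_RESOLV_CONF),
                      ("ipconfig /all", SAMPLE_IPCONFIG)):
        for resolver, rogue in check_config(cfg).items():
            print(f"{name}: {resolver} -> {'ROGUE' if rogue else 'ok'}")
```

One caveat a practitioner will hit: on a network where the malware rewrote the DNS settings on a SOHO router rather than on the hosts, each host reports the router's private address (for example 192.168.1.1) as its resolver and looks clean. In that case the check has to be run against the router's WAN-side DNS configuration, which is why the article counts infected routers alongside infected computers.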
Half of the Fortune 500 companies and 27 of 55 government entities still have at least one computer or router in their network infected with DNSChanger, according to a study by Internet Identity released Feb. 2. The report data was collected from IID's ActiveKnowledge Signals systems as well as from other data-collection systems.
That translates to about 450,000 computers still actively infected, according to the DNSChanger Working Group.
This is bad news for the infected organizations, because the FBI will have to take down the servers it put up to replace the rogue ones on March 8. The court order behind Operation Ghost Click allowed the FBI to run the replacement servers for only 120 days. If IT teams don't clean up those computers immediately, then come March 8, the affected computers and routers will be unable to resolve hostnames, which means they will be unable to get on the Web, send email or do anything else online that depends on a domain name.
Despite the takeover of the botnet infrastructure, infected machines are still configured to send their DNS queries to the IP addresses that belonged to the rogue servers; the FBI's temporary servers, sitting at those same addresses, have simply been answering the queries correctly. Once those servers are shut down, the malware-set resolvers will point at addresses that no longer answer, and name resolution on those machines will fail.
The DNSChanger
Working Group is considering requesting a court order to extend the deadline beyond
March 8. There's no guarantee, however, that organizations would take advantage
of that extension to finally clean up their machines. The Conficker worm is
still infecting millions of machines, even though the Conficker Working Group
has been actively cleaning up after the worm since 2009.
While the
shutdown may be a "bit of a shock" to the victims, it would
ultimately be a good thing, Chester Wisniewski, senior security advisor at
Sophos Canada, wrote on the Naked Security blog. "You can't survive
cancer by not getting tested. Keeping your machines infected so you can surf is
not likely the best strategy," Wisniewski said.
There are several services available to help organizations check for and remove the malware. Qualys has added detection of the malware to its free BrowserCheck tool. The DNSChanger Working Group offers detailed instructions for detecting and disinfecting computers on its Website. Avira offers the Avira DNS Repair Tool to restore DNS settings after the malware has been removed with an antivirus program.
"It isn't
the job of the FBI or anyone else to coddle those who haven't taken the steps
to ensure their own safety," Wisniewski said.