FBI Prepares to Shut Down DNSChanger Temporary Servers, Infections Remain

Thousands of computers still infected with the DNSChanger Trojan will not be able to access the Internet after the FBI shuts down its temporary servers March 8.

Some of the major organizations still have not removed the DNSChanger Trojan from infected computers, despite the fact that the botnet's command-and-control infrastructure has been under the Federal Bureau of Investigation's control for the past few months.

The primary function of the DNSChanger malware family is to replace the Domain Name System servers defined on the victim's computer with rogue ones operated by the criminals. DNS translates domain names into the numeric IP addresses and lets users access Websites and work online without having to know each specific computer's address. Windows and Mac OS X users are both vulnerable to this Trojan.

All user activity from infected machines was directed to rogue DNS servers, which sent users to malicious sites instead of to sites they were really trying to reach. The FBI said the criminals in charge of the operation were making money from referral fees from affiliate programs and fake antivirus software sales. DNS Changer also prevents machines from getting security updates for all software programs running.

The FBI took over the botnet's command-and-control (C&C) servers in November as part of Operation Ghost Click. The FBI replaced the rogue DNS servers with legitimate servers and published instructions on how system administrators could detect and disinfect the malware-ridden computers. The FBI believes as many as 4 million machines had been hijacked by the malware at the height of the criminal campaign. The FBI has arrested six Estonian nationals.

Half of Fortune 500 companies and 27 out of 55 government entities still have at least one computer or router still infected with DNSChanger malware in their network, according to a study by Internet Identity released Feb. 2. The report data was collected from IID's ActiveKnowledge Signals systems as well as from other data-collection systems.

That translates to about 450,000 computers still actively infected, according to the DNS Changer Working Group.

This is bad news for those infected organizations as the FBI will have to take down the servers they put up to replace the rogue ones on March 8. The court order that allowed Operation Ghost Click allowed the FBI to run the legitimate servers only for 120 days. If the IT teams don't clean up those computers immediately, come March 8, those computers and routers will be unable to get on the Web, send emails or do anything online.

Despite the shutdown of the botnet infrastructure, the malware on infected machines had still been redirecting user queries to the IP addresses that used to belong to the rogue servers. The FBI's temporary servers had just been routing them back to proper sites. After the servers are shut down, the malware will be trying to reach servers that are no longer available.

The DNSChanger Working Group is considering requesting a court order to extend the deadline beyond March 8. There's no guarantee, however, that organizations would take advantage of that extension to finally clean up their machines. The Conficker worm is still infecting millions of machines, even though the Conficker Working Group has been actively cleaning up after the worm since 2009.

While the shutdown may be a "bit of a shock" to the victims, it would ultimately be a good thing, Chester Wisniewski, senior security advisor at Sophos Canada, wrote on the Naked Security blog. "You can't survive cancer by not getting tested. Keeping your machines infected so you can surf is not likely the best strategy," Wisniewski said.

There are several services available to help organization check and remove the malware. Qualys has added the capability to detect the malware to its free BrowserCheck tool. The DNSChanger Working Group offers detailed instructions for detecting and disinfecting computers on its Website. Avira offers the Avira DNS Repair Tool to fix DNS settings after removing the malware with an antivirus program.

"It isn't the job of the FBI or anyone else to coddle those who haven't taken the steps to ensure their own safety," Wisniewski said.