With DNSChanger Shutdown on July 9, Concerns Remain

Security firms are preparing for the shutdown of a server that has provided DNS connectivity to PCs infected with the DNSChanger malware, including computers in about 12 percent of the Fortune 500.

By: Robert Lemos

In March, a judge agreed to extend the U.S. Department of Justice's control over the domain-name infrastructure that allowed a widespread piece of malware, DNSChanger, to serve up ads that profited the criminal group behind the program.

On July 9, the company that runs the DNS service on behalf of the U.S. government will shut it down, and hundreds of thousands of users may lose the ability to connect to common Internet sites. The shutdown of the DNSChanger infrastructure ends a controversial period where a critical piece of botnet infrastructure was under the control of a legitimate group.

"The FBI has been in control of these servers for a while, and they are just going to go dark," said Dave Marcus, director of advanced research and threat intelligence for McAfee, a subsidiary of Intel. "You have a lot of people out there that are still infected with DNSChanger, who will need to go out and get their systems cleaned up."

When it infects a computer, DNSChanger redirects domain-lookup requests to a criminal-owned server that can send victims to fraudulent Websites or legitimate sites from which the criminals collect advertising fees. The malware infected an estimated four million computers and netted its criminals operators more than $14 million. Following a click on a search link, the malware could hijack a victim's Web browser, known as clickjacking, or replace the advertisements on legitimate Websites with fraudulent ads.

About 12 percent of the Fortune 500 and a single major government organization continue to be affected by DNSChanger, network and brand protection firm Internet Identity stated last week. Computers at some 277,000 Internet addresses are currently infected by the software, according to security firm Damballa. The actual number of infected systems is likely higher, Gunter Ollmann, vice president of research at Damballa, said in a statement.

"Law enforcement has been working with the ISPs, and they've been able to make the translation from IP addresses seen at the server to specific ISP subscribers," said Ollmann. "There are, however, complexities in households that have multiple computers compromised and sit behind the same subscriber modem or connection."

The FBI announced the takedown of the DNSChanger botnet in November 2011, along with the arrest of six Estonian nationals and a Russian citizen for operating the large botnet. At the time, they estimated that four million systems had been infected in 100 countries, including half of a million computers in the United States.

While the actual damage done by DNSChanger is small compared to some more aggressive malware, the techniques used by law enforcement set a precedent, said Ollmann.

"In the grand scale of Internet crime and the monetization of victims, DNSChanger is not a serious threat, but it is an interesting footnote in the success of law enforcement actively taking down a large botnet," said Ollmann.

A number of companies and organizations have released tools and sites for helping potential victims test their system for signs of DNSChanger. McAfee offers a free tool as does the DNSChanger Working Group.