Skip Links

Judge extends DNS Changer deadline as malware cleanup progresses

Percentage of infected Fortune 500 firms and major government agencies down dramatically since early 2012

By Gregg Keizer, Computerworld
March 06, 2012 03:30 PM ET

Computerworld - A federal judge yesterday extended an operation that will keep hundreds of thousands of users infected with the "DNS Changer" malware connected to the Internet until they can scrub their machines.

Authorities take out $14M DNS malware operation

Meanwhile, Tacoma, Wash.-based Internet Identity (IID), which has been monitoring the cleanup efforts, said today that it had seen a "dramatic" decrease in the number of computers infected with DNS Changer.

DNS Changer, which at its peak infected more than four million Windows PCs and Macs worldwide, was the target of a major takedown led by the U.S. Department of Justice last November.

The malware hijacked users' clicks by modifying their computers' domain name system (DNS) settings to send URL requests to the criminals' own servers, a tactic that shunted victims to hacker-created sites that resembled the real domains.

As part of the "Operation Ghost Click" takedown and accompanying arrests of six Estonian men, the FBI seized more than 100 command-and-control (C&C) servers hosted at U.S. data centers. To replace those servers, a federal judge approved a plan where substitute DNS servers were deployed by the Internet Systems Consortium (ISC), the non-profit group that maintains the popular BIND DNS open-source software.

Without the server substitutions, DNS Changer-infected systems would have been immediately severed from the Internet.

Yesterday, U.S. District Court Judge Denis Cote extended the deadline for shutting down the replacement servers by four months, from March 8 -- this Thursday -- to July 9, 2012.

Two weeks ago, authorities argued that victims needed more time to wipe DNS Changer from computers before their connections were cut off.

Although cleanup efforts have made headway, the extension was the right move, said Rod Rasmussen, president and CTO at IID.

"There has been significant progress within the gov[ernment] and enterprise, where it's easier to clean things up, but ISPs have been slower, in part because some of them are still trying to figure out how best to handle the situation," said Rasmussen.

"[DNS Changer] has morphed several times, so there's not one signature that we can use," Rasmussen noted. "And it's very complex and hard to eliminate. You really need a pro to get in there to root it out. That's not what ISPs typically do."

IID's data backs up Rasmussen's assertion that DNS Changer cleanup has made progress: A check by the company on Feb. 23 found 94 of Fortune 500 companies still infected, and three out of 55 major government agencies.

Those numbers -- representing 19% of Fortune 500 companies and 5% of the agencies -- were significantly down from the 50% of each IID said harbored at least one infected computer or network router around the beginning of the year.

In her Monday order extending the alternate DNS servers' operation, Cote also instructed the ISC to file status reports by May 22 and July 23 that "include an estimate of the number of victims identified ... and other such information as ordered by the Court."

Originally published on www.computerworld.com. Click here to read the original story.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News