On July 9, the FBI will shut down the temporary servers that enable systems infected by the DNSChanger malware to access the Web. For most, the shutdown will mean nothing; however, that isn't the case for 60 companies within the Fortune 500.
According to IID, 12% of the Fortune 500 and 4% of the major U.S. government agencies will have some computers that go dark on July 9, because they still haven't cleaned their systems and removed the DNSChanger infection. It is unlikely that a large number of systems within any one Fortune 500 company are infected, but IID's numbers do mean that the infection is showing up somewhere in the organization.
Since it arrived on the Web in 2006, DNSChanger has hit millions of systems. Fast-forward six years: six Estonians were arrested for running DNSChanger, yet despite the best efforts of the FBI, the security community, and software vendors, more than 500,000 systems are still infected. Granted, this is a huge drop from the 4-6 million of previous years, but it is still a significant number.
The latest data from the DNSChanger Working Group shows that 303,867 IP addresses are infected. Of those, nearly 70,000 are in the U.S. Back in February of this year, IID's numbers showed that approximately half of the Fortune 500 and government organizations were infected, so significant progress has been made.
In May, Google said that it would start warning users who show signs of being infected with DNSChanger. It is unknown how many warnings have been issued, or whether there has been a noticeable drop in infections since then, when Google estimated the number of compromised hosts at 500,000.
Another issue is that while DNSChanger isn't hijacking search results any longer, it can still activate the anti-virus component of its programming. When enabled, DNSChanger disables anti-virus protection on an infected system, so if that system is targeted by secondary malware, there is nothing to stop it from downloading and installing.
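The practical check an administrator wants here is whether a host's configured DNS resolvers point into the rogue resolver address space, which is how the working group's "am I infected" checks work. The script below is an added example written for this page, not code from the article, IID or the DNSChanger Working Group: it parses a resolv.conf-style resolver list and flags any resolver that falls inside a list of CIDR ranges. The two ranges and the sample resolver file are constructed placeholders (documentation-only TEST-NET blocks), not the real rogue ranges; a defender would substitute the list the working group published.

```python
import ipaddress
from typing import Iterable, List

# Placeholder ranges standing in for the rogue-resolver CIDR list published by the
# DNSChanger Working Group. These two TEST-NET blocks are constructed for this
# example and are NOT real indicators; replace them with the published list.
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),   # TEST-NET-3, constructed placeholder
    ipaddress.ip_network("198.51.100.0/24"),  # TEST-NET-2, constructed placeholder
]


def parse_resolv_conf(text: str) -> List[str]:
    """Return the nameserver addresses listed in resolv.conf-style text.

    Comments (#...) and unrelated directives (search, options) are ignored.
    """
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            servers.append(parts[1])
    return servers


def flag_rogue_resolvers(resolvers: Iterable[str],
                         rogue_ranges=ROGUE_RESOLVER_RANGES) -> List[str]:
    """Return the resolvers that fall inside any rogue range.

    Entries that are not valid IP addresses are skipped rather than treated
    as hits, so a malformed line cannot hide or fake an infection.
    """
    hits = []
    for r in resolvers:
        try:
            addr = ipaddress.ip_address(r)
        except ValueError:
            continue
        if any(addr in net for net in rogue_ranges):
            hits.append(r)
    return hits


# Constructed sample resolver file: one resolver inside a placeholder rogue
# range, one clean resolver, plus a directive the parser must ignore.
SAMPLE_RESOLV_CONF = """# constructed sample, not a captured file
nameserver 203.0.113.77
nameserver 192.0.2.53
search example.internal
"""


def audit(text: str = SAMPLE_RESOLV_CONF) -> List[str]:
    """Parse a resolver file and return the resolvers that look hijacked."""
    return flag_rogue_resolvers(parse_resolv_conf(text))


if __name__ == "__main__":
    hits = audit()
    print("rogue resolvers:", ", ".join(hits) if hits else "none")
```

On a live host, feed `audit()` the contents of the system's resolver configuration (or the DNS servers reported by the OS) instead of the constructed sample; any hit means the resolver settings were changed and the host still needs cleanup before the July 9 shutdown.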