Security Experts:

Large Organizations Make Progress Towards Eradicating DNSChanger Malware

Tacoma, Washington-based IID (Internet Identity), a provider of Internet security technology and services, today said that it has seen a dramatic decrease in Fortune 500 companies and what it considers “major” U.S. federal agencies that are infected with DNSChanger malicious malware.

In early February, SecurityWeek reported that approximately half of all Fortune 500 companies and major U.S. federal agencies were infected with DNSChanger malware.

By using its own internal data and sources from other security and Internet infrastructure organizations, IID now says at least 94 of all Fortune 500 companies and just three out of 55 major government entities had at least one computer or router that was infected with DNSChanger as of February 23, 2012.

In November 2011, the FBI and international authorities announced the disruption a massive cybercrime scheme that infected more than four million computers with DNSChanger Malware, malicious software that actively changes an infected system's DNS resolution settings to use rogue servers that can redirect traffic to malicious servers and attempt to steal personal information and generate illegitimate ad revenue.

The sting, dubbed “Operation Ghost Click”, took down the cybercriminal operation which reportedly generated approximately $14 million for the cybercriminals over several years, and culminated with the arrest of six Estonian nationals.

In addition to the arrests, the rogue DNS servers operated by the cybercriminals were seized and replaced with legitimate servers for 120 days, at which time if the temporary servers were shut down, users infected with the DNSMalware would for the most part, be unable to use the Internet.

That looming deadline, originally set for March 8, has been extended by a Federal judge to July 9, 2012. But come July 9, computers and routers still infected with the malware will have no servers directing their DNS requests, and the Internet may literally go dark for people using those systems. (For a detailed background and analysis see the column, “The Day The Internet Will Break for Millions”.)

Enterprises and government agencies typically are able to control and access to their users’ machines, making it easier to clean them up, IID says. “So if this extension doesn’t help ISPs get ahead of this issue, it will make July 9th a very busy day at many ISP help desks around the country and the world.”

“If places of business and government organizations can’t clean up their systems, what is being done to remediate residential systems?,” Kaspserky Lab’s Kurt Baumgartner asks.

Some ISPs including Comcast, have worked to notify customers about their infection through Splash pages on their Web browser and email notifications, but many more are still at risk.

In a blog post, Baumgartner highlights some ways that users can clean systems infected with the DNSChanger, including TDSSKiller, a free utility from Kaspersky that helps remove nasty malware and rootkits.

DNSChanger Malware

Organizations looking to see if DNSChanger is on their network can take advantage of free information from one of several organizations contributing to the effort to clean up infected machines. An list of organizations you can contact to get this information can be found at the DNS Changer Working Group website here.

view counter
For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.