Connect with us

Hi, what are you looking for?


Malware & Threats

Large Organizations Make Progress Towards Eradicating DNSChanger Malware

Tacoma, Washington-based IID (Internet Identity), a provider of Internet security technology and services, today said that it has seen a dramatic decrease in Fortune 500 companies and what it considers “major” U.S. federal agencies that are infected with DNSChanger malicious malware.

Tacoma, Washington-based IID (Internet Identity), a provider of Internet security technology and services, today said that it has seen a dramatic decrease in Fortune 500 companies and what it considers “major” U.S. federal agencies that are infected with DNSChanger malicious malware.

In early February, SecurityWeek reported that approximately half of all Fortune 500 companies and major U.S. federal agencies were infected with DNSChanger malware.

By using its own internal data and sources from other security and Internet infrastructure organizations, IID now says at least 94 of all Fortune 500 companies and just three out of 55 major government entities had at least one computer or router that was infected with DNSChanger as of February 23, 2012.

In November 2011, the FBI and international authorities announced the disruption a massive cybercrime scheme that infected more than four million computers with DNSChanger Malware, malicious software that actively changes an infected system’s DNS resolution settings to use rogue servers that can redirect traffic to malicious servers and attempt to steal personal information and generate illegitimate ad revenue.

The sting, dubbed “Operation Ghost Click”, took down the cybercriminal operation which reportedly generated approximately $14 million for the cybercriminals over several years, and culminated with the arrest of six Estonian nationals.

In addition to the arrests, the rogue DNS servers operated by the cybercriminals were seized and replaced with legitimate servers for 120 days, at which time if the temporary servers were shut down, users infected with the DNSMalware would for the most part, be unable to use the Internet.

That looming deadline, originally set for March 8, has been extended by a Federal judge to July 9, 2012. But come July 9, computers and routers still infected with the malware will have no servers directing their DNS requests, and the Internet may literally go dark for people using those systems. (For a detailed background and analysis see the column, “The Day The Internet Will Break for Millions”.)

Advertisement. Scroll to continue reading.

Enterprises and government agencies typically are able to control and access to their users’ machines, making it easier to clean them up, IID says. “So if this extension doesn’t help ISPs get ahead of this issue, it will make July 9th a very busy day at many ISP help desks around the country and the world.”

“If places of business and government organizations can’t clean up their systems, what is being done to remediate residential systems?,” Kaspserky Lab’s Kurt Baumgartner asks.

Some ISPs including Comcast, have worked to notify customers about their infection through Splash pages on their Web browser and email notifications, but many more are still at risk.

In a blog post, Baumgartner highlights some ways that users can clean systems infected with the DNSChanger, including TDSSKiller, a free utility from Kaspersky that helps remove nasty malware and rootkits.

DNSChanger Malware

Organizations looking to see if DNSChanger is on their network can take advantage of free information from one of several organizations contributing to the effort to clean up infected machines. An list of organizations you can contact to get this information can be found at the DNS Changer Working Group website here.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...