Feds request DNS Changer extension to keep 400K users online

Ask judge to keep substitute servers working until July 9 to give victims more time to disinfect computers

Officials with the U.S. government have asked a New York judge to extend an impending deadline that could sever ties to the Internet for hundreds of thousands of users infected with the "DNS Changer" malware.

DNS Changer, which at its peak was installed on more than four million Windows PCs and Macs worldwide -- a quarter of them in the U.S. alone -- was the target of a major takedown last November organized by the U.S. Department of Justice.

The malware hijacked users' clicks by modifying their computers' domain name system (DNS) settings to send URL requests to the criminals' own servers, a tactic that shunted victims to hacker-created sites that resembled the real domains.

As part of "Operation Ghost Click," the FBI seized more than 100 servers hosted at U.S. data centers. To replace those servers -- and allow infected computers to use the Internet -- a federal judge approved a plan where substitute DNS servers were deployed by the Internet Systems Consortium (ISC), the non-profit group that maintains the popular BIND DNS open-source software.

Without that move, DNS Changer-infected systems would have been immediately cut off from the Internet.

Last week, authorities filed a request with a New York federal court asking that the replacement servers operate until July 9.

Previously, U.S. District Court Judge William Pauley had said the ISC must pull the plug on the stand-in servers on March 8.

That was thought sufficient time for consumers, enterprises and Internet service providers (ISPs) to scrub systems of the malware and restore valid DNS settings.

Apparently not.

"Extending the operation of the Replacement DNS Servers will provide additional time for victims to remove the malware from their computers, thereby enabling them to reach websites without relying on the Replacement DNS Servers," the government's request read.

According to the extension request, the substitute DNS servers were keeping an average of 430,000 unique IP addresses connected to the Web last month. Each IP address represented at least one computer, and in some cases, numerous machines.

Both the office of the U.S. Attorney for the Southern District of New York -- the jurisdiction prosecuting the case -- and the FBI have fielded calls from victims saying that they need more time to clean up their computers before the replacement DNS servers are shut down.

"In a communication dated January 27, 2012, a representative of one ISP estimated that approximately 50,000 of its customers are infected with the malware," the government said. "According to [that] ISP, absent continued operation of the Replacement DNS Servers, its customers are at risk of being unable to access the Internet."

The FBI also needs additional time to finish notifying victims in foreign countries, the filing said.

Earlier this month, Tacoma, Wash.-based Internet Identity (IID) reported that DNS Changer remained a potent threat months after the takedown. IID claimed that half of the firms in the Fortune 500, and a similar percentage of major U.S. government agencies, harbored one or more computers infected with DNS Changer, and so would be unable to access the Internet when the substitute servers were switched off.

Users who suspect that their computer is infected with DNS Changer can follow the detection and disinfection steps posted on the DNS Changer Working Group's website.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is gkeizer@computerworld.com.

See more by Gregg Keizer on Computerworld.com.

Join the discussion
Be the first to comment on this article. Our Commenting Policies