Feds request DNS Changer extension to keep 400K users online
Ask judge to keep substitute servers working until July 9 to give victims more time to disinfect computers
Computerworld - Officials with the U.S. government have asked a New York judge to extend an impending deadline that could sever ties to the Internet for hundreds of thousands of users infected with the "DNS Changer" malware.
DNS Changer, which at its peak was installed on more than four million Windows PCs and Macs worldwide -- a quarter of them in the U.S. alone -- was the target of a major takedown last November organized by the U.S. Department of Justice.
The malware hijacked users' clicks by modifying their computers' domain name system (DNS) settings to send URL requests to the criminals' own servers, a tactic that shunted victims to hacker-created sites that resembled the real domains.
As part of "Operation Ghost Click," the FBI seized more than 100 servers hosted at U.S. data centers. To replace those servers -- and allow infected computers to use the Internet -- a federal judge approved a plan where substitute DNS servers were deployed by the Internet Systems Consortium (ISC), the non-profit group that maintains the popular BIND DNS open-source software.
Without that move, DNS Changer-infected systems would have been immediately cut off from the Internet.
Last week, authorities filed a request with a New York federal court asking that the replacement servers operate until July 9.
Previously, U.S. District Court Judge William Pauley had said the ISC must pull the plug on the stand-in servers on March 8.
That was thought sufficient time for consumers, enterprises and Internet service providers (ISPs) to scrub systems of the malware and restore valid DNS settings.
"Extending the operation of the Replacement DNS Servers will provide additional time for victims to remove the malware from their computers, thereby enabling them to reach websites without relying on the Replacement DNS Servers," the government's request read.
According to the extension request, the substitute DNS servers were keeping an average of 430,000 unique IP addresses connected to the Web last month. Each IP address represented at least one computer, and in some cases, numerous machines.
Both the office of the U.S. Attorney for the Southern District of New York -- the jurisdiction prosecuting the case -- and the FBI have fielded calls from victims saying that they need more time to clean up their computers before the replacement DNS servers are shut down.
"In a communication dated January 27, 2012, a representative of one ISP estimated that approximately 50,000 of its customers are infected with the malware," the government said. "According to [that] ISP, absent continued operation of the Replacement DNS Servers, its customers are at risk of being unable to access the Internet."
The FBI also needs additional time to finish notifying victims in foreign countries, the filing said.
Earlier this month, Tacoma, Wash.-based Internet Identity (IID) reported that DNS Changer remained a potent threat months after the takedown. IID claimed that half of the firms in the Fortune 500, and a similar percentage of major U.S. government agencies, harbored one or more computers infected with DNS Changer, and so would be unable to access the Internet when the substitute servers were switched off.
Users who suspect that their computer is infected with DNS Changer can follow the detection and disinfection steps posted on the DNS Changer Working Group's website.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is email@example.com.
Read more about Cybercrime and Hacking in Computerworld's Cybercrime and Hacking Topic Center.
- Comprehensive Advanced Threat Defense The hot topic in the information security industry these days is "Advanced Threat Defense" (ATD). This paper describes a comprehensive, network-based approach to...
- Advanced Threat Defense: A Comprehensive Approach In this interview, Peter George, president, General Dynamics Fidelis Cybersecurity Solutions, explains why we need more than anti-malware, and what constitutes a comprehensive...
- 2013 Cyber Risk Report The "Cyber risk report 2013 Executive summary" presents the major findings of HP Security Research's comprehensive dive into today's cyber vulnerability and threat...
- Cybersecurity for Dummies eBook This book provides an in-depth examination of real-world attacks and APTs, the shortcomings of legacy security solutions, the capabilities of next-generation firewalls, and...
- Live Webcast Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different.... All Cybercrime and Hacking White Papers | Webcasts