Feds request DNS Changer extension to keep 400K users online
Ask judge to keep substitute servers working until July 9 to give victims more time to disinfect computers
Computerworld - Officials with the U.S. government have asked a New York judge to extend an impending deadline that could sever ties to the Internet for hundreds of thousands of users infected with the "DNS Changer" malware.
DNS Changer, which at its peak was installed on more than four million Windows PCs and Macs worldwide -- a quarter of them in the U.S. alone -- was the target of a major takedown last November organized by the U.S. Department of Justice.
The malware hijacked users' clicks by modifying their computers' domain name system (DNS) settings to send URL requests to the criminals' own servers, a tactic that shunted victims to hacker-created sites that resembled the real domains.
As part of "Operation Ghost Click," the FBI seized more than 100 servers hosted at U.S. data centers. To replace those servers -- and allow infected computers to use the Internet -- a federal judge approved a plan where substitute DNS servers were deployed by the Internet Systems Consortium (ISC), the non-profit group that maintains the popular BIND DNS open-source software.
Without that move, DNS Changer-infected systems would have been immediately cut off from the Internet.
Last week, authorities filed a request with a New York federal court asking that the replacement servers operate until July 9.
Previously, U.S. District Court Judge William Pauley had said the ISC must pull the plug on the stand-in servers on March 8.
That was thought sufficient time for consumers, enterprises and Internet service providers (ISPs) to scrub systems of the malware and restore valid DNS settings.
"Extending the operation of the Replacement DNS Servers will provide additional time for victims to remove the malware from their computers, thereby enabling them to reach websites without relying on the Replacement DNS Servers," the government's request read.
According to the extension request, the substitute DNS servers were keeping an average of 430,000 unique IP addresses connected to the Web last month. Each IP address represented at least one computer, and in some cases, numerous machines.
Both the office of the U.S. Attorney for the Southern District of New York -- the jurisdiction prosecuting the case -- and the FBI have fielded calls from victims saying that they need more time to clean up their computers before the replacement DNS servers are shut down.
"In a communication dated January 27, 2012, a representative of one ISP estimated that approximately 50,000 of its customers are infected with the malware," the government said. "According to [that] ISP, absent continued operation of the Replacement DNS Servers, its customers are at risk of being unable to access the Internet."
The FBI also needs additional time to finish notifying victims in foreign countries, the filing said.
Earlier this month, Tacoma, Wash.-based Internet Identity (IID) reported that DNS Changer remained a potent threat months after the takedown. IID claimed that half of the firms in the Fortune 500, and a similar percentage of major U.S. government agencies, harbored one or more computers infected with DNS Changer, and so would be unable to access the Internet when the substitute servers were switched off.
Users who suspect that their computer is infected with DNS Changer can follow the detection and disinfection steps posted on the DNS Changer Working Group's website.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is email@example.com.
Read more about Cybercrime and Hacking in Computerworld's Cybercrime and Hacking Topic Center.
- Using Cyber Insurance and Cybercrime Data to Limit Your Business Risk This paper examines the challenges of understanding cyber risks, the importance of having the right cyber risk intelligence, and how to use this...
- 5 Tips to Secure Small Business Backdoors in the Enterprise Supply Chain This paper examines the insecurity of the small businesses in the supply chain and offers tips to close those backdoors into the enterprise.
- Comprehensive Advanced Threat Defense The hot topic in the information security industry these days is "Advanced Threat Defense" (ATD). This paper describes a comprehensive, network-based approach to...
- Advanced Threat Defense: A Comprehensive Approach In this interview, Peter George, president, General Dynamics Fidelis Cybersecurity Solutions, explains why we need more than anti-malware, and what constitutes a comprehensive...
- Live Webcast Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- NSS Labs & Cisco Present: Evaluating Leading Breach Detection Systems Today's constantly evolving advanced malware and APTs can evade point-in-time defenses to penetrate networks. Security professionals must evolve their strategy in lockstep to... All Cybercrime and Hacking White Papers | Webcasts