Judge extends DNS Changer deadline as malware cleanup progresses
Percentage of infected Fortune 500 firms and major government agencies down dramatically since early 2012
Computerworld - A federal judge yesterday extended an operation that will keep hundreds of thousands of users infected with the "DNS Changer" malware connected to the Internet until they can scrub their machines.
Meanwhile, Tacoma, Wash.-based Internet Identity (IID), which has been monitoring the cleanup efforts, said today that it had seen a "dramatic" decrease in the number of computers infected with DNS Changer.
DNS Changer, which at its peak infected more than four million Windows PCs and Macs worldwide, was the target of a major takedown led by the U.S. Department of Justice last November.
The malware hijacked users' clicks by modifying their computers' domain name system (DNS) settings to send URL requests to the criminals' own servers, a tactic that shunted victims to hacker-created sites that resembled the real domains.
As part of the "Operation Ghost Click" takedown and accompanying arrests of six Estonian men, the FBI seized more than 100 command-and-control (C&C) servers hosted at U.S. data centers. To replace those servers, a federal judge approved a plan where substitute DNS servers were deployed by the Internet Systems Consortium (ISC), the non-profit group that maintains the popular BIND DNS open-source software.
Without the server substitutions, DNS Changer-infected systems would have been immediately severed from the Internet.
Yesterday, U.S. District Court Judge Denis Cote extended the deadline for shutting down the replacement servers by four months, from March 8 -- this Thursday -- to July 9, 2012.
Two weeks ago, authorities argued that victims needed more time to wipe DNS Changer from computers before their connections were cut off.
Although cleanup efforts have made headway, the extension was the right move, said Rod Rasmussen, president and CTO at IID.
"There has been significant progress within the gov[ernment] and enterprise, where it's easier to clean things up, but ISPs have been slower, in part because some of them are still trying to figure out how best to handle the situation," said Rasmussen.
"[DNS Changer] has morphed several times, so there's not one signature that we can use," Rasmussen noted. "And it's very complex and hard to eliminate. You really need a pro to get in there to root it out. That's not what ISPs typically do."
IID's data backs up Rasmussen's assertion that DNS Changer cleanup has made progress: A check by the company on Feb. 23 found 94 of Fortune 500 companies still infected, and three out of 55 major government agencies.
Those numbers -- representing 19% of Fortune 500 companies and 5% of the agencies -- were significantly down from the 50% of each IID said harbored at least one infected computer or network router around the beginning of the year.
- Step Out of the Bull's-Eye Learn about the evolution of targeted attacks, the latest in security intelligence, and strategic steps to keep your business safe.
- Using Cyber Insurance and Cybercrime Data to Limit Your Business Risk This paper examines the challenges of understanding cyber risks, the importance of having the right cyber risk intelligence, and how to use this...
- 5 Tips to Secure Small Business Backdoors in the Enterprise Supply Chain This paper examines the insecurity of the small businesses in the supply chain and offers tips to close those backdoors into the enterprise.
- Comprehensive Advanced Threat Defense The hot topic in the information security industry these days is "Advanced Threat Defense" (ATD). This paper describes a comprehensive, network-based approach to...
- Live Webcast Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Keep Servers Up and Running and Attackers in the Dark An SSL/TLS handshake requires at least 10 times more processing power on a server than on the client. SSL renegotiation attacks can readily... All Cybercrime and Hacking White Papers | Webcasts