Judge extends DNS Changer deadline as malware cleanup progresses

Percentage of infected Fortune 500 firms and major government agencies down dramatically since early 2012

A federal judge yesterday extended an operation that will keep hundreds of thousands of users infected with the "DNS Changer" malware connected to the Internet until they can scrub their machines.

Meanwhile, Tacoma, Wash.-based Internet Identity (IID), which has been monitoring the cleanup efforts, said today that it had seen a "dramatic" decrease in the number of computers infected with DNS Changer.

DNS Changer, which at its peak infected more than four million Windows PCs and Macs worldwide, was the target of a major takedown led by the U.S. Department of Justice last November.

The malware hijacked users' clicks by modifying their computers' domain name system (DNS) settings to send URL requests to the criminals' own servers, a tactic that shunted victims to hacker-created sites that resembled the real domains.

As part of the "Operation Ghost Click" takedown and accompanying arrests of six Estonian men, the FBI seized more than 100 command-and-control (C&C) servers hosted at U.S. data centers. To replace those servers, a federal judge approved a plan where substitute DNS servers were deployed by the Internet Systems Consortium (ISC), the non-profit group that maintains the popular BIND DNS open-source software.

Without the server substitutions, DNS Changer-infected systems would have been immediately severed from the Internet.

Yesterday, U.S. District Court Judge Denis Cote extended the deadline for shutting down the replacement servers by four months, from March 8 -- this Thursday -- to July 9, 2012.

Two weeks ago, authorities argued that victims needed more time to wipe DNS Changer from computers before their connections were cut off.

Although cleanup efforts have made headway, the extension was the right move, said Rod Rasmussen, president and CTO at IID.

"There has been significant progress within the gov[ernment] and enterprise, where it's easier to clean things up, but ISPs have been slower, in part because some of them are still trying to figure out how best to handle the situation," said Rasmussen.

"[DNS Changer] has morphed several times, so there's not one signature that we can use," Rasmussen noted. "And it's very complex and hard to eliminate. You really need a pro to get in there to root it out. That's not what ISPs typically do."

IID's data backs up Rasmussen's assertion that DNS Changer cleanup has made progress: A check by the company on Feb. 23 found 94 of Fortune 500 companies still infected, and three out of 55 major government agencies.

Those numbers -- representing 19% of Fortune 500 companies and 5% of the agencies -- were significantly down from the 50% of each IID said harbored at least one infected computer or network router around the beginning of the year.

In her Monday order extending the alternate DNS servers' operation, Cote also instructed the ISC to file status reports by May 22 and July 23 that "include an estimate of the number of victims identified ... and other such information as ordered by the Court."

Rasmussen thought it unlikely that Cote would again extend the deadline.

"I have a feeling that this will be it," he said, citing discussions with others in the DNS Changer Working Group. IID is a member of the committee advising ISPs, companies and government agencies on how to rid themselves of the malware.

But pushing out the deadline won't help everyone, said Rasmussen. "There will always be some laggards," he said. "It's really a question of how many."

Some ISPs have been reaching out to infected users individually by phone, and walking them through the eradication of DNS Changer, said Rasmussen, while others have created what he called a "walled garden" that restricts users' ability to connect to the Internet as long as the PCs and Macs remain infected.

As things now stand, most users whose computers contain DNS Changer on July 9 will lose their Internet connection.

Anyone who suspects that their machine is infected can follow the detection and disinfection steps published on the DNS Changer Working Group's website to eliminate the malware.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is gkeizer@computerworld.com.

See more by Gregg Keizer on Computerworld.com.

Copyright © 2012 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon