As deadline nears, federal agencies mostly free of DNSChanger

SAN FRANCISCO — Although millions of computers around the world could still contain the DNSChanger malware used by an Internet fraud ring, government agencies and large enterprises appear to have done a good job of cleaning up the infections, said Rod Rasmussen, a member of the DNSChanger Working Group.

Rasmussen, who also is president and CTO of the security firm Internet Identity, said early in February that, based on information gleaned from traffic to rogue DNS servers, it appeared that half of all Fortune 500 companies and 27 of 55 major federal agencies were infected. He reported at the RSA Conference that, as of Feb. 23, those numbers had dropped to just three agencies and 94 companies. “The story there is pretty good,” he said.


Related coverage:

Feds try to buy more time for DNSChanger cleanup

Why computers infected with DNSChanger could lose Internet access



The progress is important, because the non-profit Internet Systems Consortium has been operating the name servers under a court order on behalf of the Justice Department since November to ensure that infected computers whose DNS requests are being directed to the rogue servers are not cut off from the Internet. The original court order expires March 8.

But there still is a large number of computers that need to be cleaned up, and it is not known how many computers are infected within each agency or company. “It’s hard to know exactly how many machines,” Rasmussen said. “It’s probably millions.”

But from traffic volumes, the number appears small at government agencies. “We’re pretty sure it’s only a few computers at the most in each agency,” he said.

Although the potential for infected computers to be cut off from the Internet if DNS requests are not resolved has gotten most of the attention in the DNSChanger saga, Rasmussen said the larger concern is that the infected computers remain vulnerable to other exploits because the malicious code also can block antivirus and other security updates.

Another concern, although less immediate and less likely, is that the IP addresses of the malicious DNS servers could be reused by criminals. Some versions of Windows operating systems cache addresses of name servers that have been used. If the IP addresses seized by the FBI are released for reuse it is possible that other rogue servers could be set up at those addresses in an attempt to take advantage of traffic directed from these caches even after the malware has been removed.

Removing DNSChanger from infected home computers could be a more complex job than cleaning up those inside an enterprise. The first challenge is identifying infected computers. Internet service providers can help with this by watching for traffic to the rouge IP addresses.

“A lot of them are stepping up,” Rasmussen said, because they do not want to be swamped with help desk calls when connectivity is lost. But liability concerns about traffic monitoring keep some ISPs from taking an active part.

The DNSChanger Working Group offers a step-by-step process for determining what IP address your DNS queries are being sent to, which can help determine if you are infected by the malware. There also are automated checks such as the “eye chart” at dns-ok.us.

Removing the malware could be more difficult than finding it, Rasmussen said. “It is so hard to clean up. It should be done by professionals.”

The challenge could drive some owners to an upgrade of their home PC, he acknowledged. “It’s a Best Buy moment.”

Reader Comments

Thu, Mar 1, 2012 kenedy123

Fortune 500 companies and 27 of 55 major federal agencies were infected.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above