Feds try to buy more time for DNSChanger cleanup
- By Kevin McCaney
- Feb 23, 2012
U.S. officials looking to prevent computers infected with DNSChanger from effectively being cut off from the Internet March 8 have asked a federal court for permission to keep operating the servers involved until July.
In a petition filed in federal court for the Southern District of New York, the Justice Department, the U.S. Attorney for New York’s Southern District and NASA asked the court to extend the March 8 deadline for shutting down the servers in order to give organizations and individuals more time to remove the malware.
DNSChanger was used by a click-fraud ring (the "click-jacking" of the headlines) that the FBI took down in November 2011 with the arrest of six Estonians. At its peak the malware had infected as many as 4 million Windows and Mac computers in 100 countries.
Related coverage:
- Why computers infected with DNSChanger could lose Internet access
- Feds bust clickjacking ring, but could the crime have been prevented?
The malware rewrote an infected machine's DNS settings so that its Domain Name System queries went to resolvers the ring ran; those rogue resolvers answered with whatever addresses the ring chose, sending users to malicious sites instead of the ones they had asked for. After the arrests, the FBI seized more than 100 of the ring's servers in the United States and obtained a court order allowing clean replacement resolvers to be operated at the rogue servers' addresses until March 8, so that infected computers, whose queries still go to those addresses, would keep resolving names while administrators and users had time to clean up.
When the court order expires, the replacement servers will be switched off. Any computer still infected with DNSChanger will then be sending its DNS queries to addresses that no longer answer: its network link will be up, but every name lookup will time out, which for practical purposes cuts it off from the Internet. The court petition, posted by security writer Brian Krebs, asks that the nonprofit Internet Systems Consortium, which runs the replacement servers under the order, be allowed to continue operating them until July 9.
The FBI has estimated that there were 500,000 infections in the United States, but how many remain infected isn't clear. Security company Internet Identity has said it found evidence of at least one DNSChanger infection at half of all Fortune 500 companies and in 27 major government agencies, and other security researchers have reported finding infections, but how many computers that adds up to is unclear.
According to the extension request, in January the replacement servers were still serving an average of 430,000 IP addresses worldwide, ComputerWorld reported. An IP address is not the same as a computer: one address can front many machines behind a NAT gateway, and one machine can show up at several addresses over a month, so the figure is only a rough proxy for the number of infected hosts.
But Brian Jacobs, senior product manager for Ipswitch's Network Management Division, said, “I would suspect probably the majority have been remediated.”
Regardless of how many computers are infected, the FBI and the U.S. Attorney's office have received pleas from organizations saying they needed more time to find and remove DNSChanger infections, the ComputerWorld article reported. One Internet service provider said that about 50,000 of its customers were infected.
As of this writing, the federal court hadn’t ruled on the request, which was filed Feb. 17.
Meanwhile, if you're wondering whether you're infected, the DNSChanger Working Group is offering instructions on how to find and remove the malware, starting with checking which DNS servers your computer is configured to use.
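The check the working group describes comes down to one question: do the resolver addresses configured on the machine fall inside the address ranges the ring's rogue DNS servers used? The script below is an added example for this article, not code from GCN or from the DNSChanger Working Group. It reads resolver settings from a Unix /etc/resolv.conf or pasted Windows "ipconfig /all" output and compares each address against the six rogue ranges the FBI and the working group published; the sample configuration texts embedded in it are constructed for an offline run (the first shows what an infected host looks like, the second a clean one).

```python
"""Check configured DNS resolvers against the DNSChanger rogue address ranges.

Added example for this article; not the working group's own tooling.
"""
import ipaddress
import re
import sys
from pathlib import Path

# The six address ranges used by the ring's rogue resolvers, as published by
# the FBI and the DNSChanger Working Group. Clean replacement servers ran at
# these same addresses under the court order, which is why an infected host
# keeps working until the order expires.
ROGUE_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
    "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
    "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
    "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
    "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
    "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
)]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_rogue_resolver(ip: str) -> bool:
    """True if the address falls inside one of the rogue ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ROGUE_RANGES)


def parse_resolv_conf(text: str) -> list[str]:
    """Resolver addresses from a Unix /etc/resolv.conf ('nameserver' lines)."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def parse_ipconfig(text: str) -> list[str]:
    """Resolver addresses from Windows 'ipconfig /all' output.

    The 'DNS Servers' field spills extra addresses onto following lines that
    carry no label; those continuation lines are collected too.
    """
    servers, in_dns = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("DNS Servers"):
            in_dns = True
            servers.extend(IPV4.findall(stripped.split(":", 1)[1]))
        elif in_dns and IPV4.fullmatch(stripped):
            servers.append(stripped)
        else:
            in_dns = False
    return servers


def rogue_resolvers(servers: list[str]) -> list[str]:
    """Subset of the configured resolvers that point at the ring's ranges."""
    return [s for s in servers if is_rogue_resolver(s)]


# Constructed samples for an offline run: an infected Unix host, then a
# clean Windows host whose resolver is the home router.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
nameserver 85.255.112.36
nameserver 85.255.113.12
search example.org
"""

SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 192.168.1.20
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       8.8.8.8
"""


def main(argv: list[str]) -> int:
    """Usage: dnschanger_check.py [resolv.conf or saved 'ipconfig /all' output]"""
    if len(argv) > 1:
        text = Path(argv[1]).read_text()
    elif Path("/etc/resolv.conf").exists():
        text = Path("/etc/resolv.conf").read_text()
    else:
        text = SAMPLE_RESOLV_CONF
    servers = parse_resolv_conf(text) or parse_ipconfig(text)
    bad = rogue_resolvers(servers)
    print("configured resolvers:", servers)
    print("in DNSChanger ranges:", bad or "none")
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A resolver address on the local network, such as the 192.168.1.1 in the clean sample, does not settle the question on its own: DNSChanger also rewrote the DNS settings of home routers protected by default passwords, so the router's upstream resolver addresses should be checked against the same ranges.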
Kevin McCaney is a former editor of Defense Systems and GCN.