Pierluigi Paganini
March 06, 2012
Many people are asking me for updates on the case DNSChanger which held its breath many network users. During the last months the news circulating on internet on the planned blackout of Internet for million of users on 8 March decided by FBI to deal with cyber threats. The action must be done to stop the diffusion of DNSChanger Trojan, a malware that has infected million of computers all over the world in more than 100 countries. The story begins last year when in Estonia was arrested a group of person accused of having developed the dreaded trojan that seems to be able to spread with surprising ease.
Under a court order, expiring March 8, the Internet Systems Corporation is operating replacement DNS servers for the Rove Digital network. This will allow affected networks time to identify infected hosts, and avoid sudden disruption of services to victim machines.
What does the DNS Changer Malware do?
The botnet operated by Rove Digital altered user DNS settings, pointing victims to malicious DNS in data centers in Estonia, New York, and Chicago. The malicious DNS servers would give fake, malicious answers, altering user searches, and promoting fake and dangerous products. Because every web search starts with DNS, the malware showed users an altered version of the Internet. Once discovered the cyber crime the FBI to give businesses and private individuals affected by DNSChanger time to cleanse infected systems has replaced the Trojan’s DNS infrastructure with surrogate, legitimate DNS servers. Replacing the command server the feds have prevented the worm propagation. The FBI took over the botnet’s command-and-control (C&C) servers in November as part of Operation Ghost Click.
To counter the threat the Federal Bureau of Investigation has initially planned to shutdown several DNS (domain name servers) on March 8, with the undesirable side effect of blocking millions from using the Internet. DNSChanger is able to change inside the infected system the DNS settings hijacking web traffic to unwanted and infected sites. Despite the calls provided by the press and the major law enforcement, the situation is far from reassuring, because too many PCs are being infected and potentially damaged by the planned blackout. More than 3 million PCs worldwide were still infected with DNSChanger that is the main reason that have prompted authorities to extend the period before the planned shutdown of the surrogate servers.
Last week a federal judge has postponed, with an order, the blackout of the surrogate servers of 120 days to give companies, businesses and governments more time to arrange the response to the threat.
To meet the threat was also set up a special task force to provide support for private companies and were given the necessary instructions to the removal of malware on the site DCWG.org
A copy of the court order extending the deadline until July 9, 2012 is available on the following link.
Pierluigi Paganini
References
http://krebsonsecurity.com/2012/03/court-4-more-months-for-dnschanger-infected-pcs/
