A report finds that around half of the Fortune 500 corporations and government agencies infected with the DNS Changer malware are still infected, two months after authorities moved to shut down the massive botnet.
The report, by Krebsonsecurity.com, raises troubling questions about the security of both public- and private sector networks. The DNS Changer malware is linked to a wide range of other malicious programs, including the TDSS rootkit, rogue antivirus programs, the Zeus banking trojan and more.
Federal authorities in the U.S. descended on those believed responsible for the four year-old DNS Changer scheme in November. An indictment filed in the U.S. District Court for the Southern District of New York charged seven individuals with Internet advertising fraud in which malware was installed on four million machines in over 100 countries. That malware was used to redirect victims’ Web searches to Web sites that were being promoted by online advertising firms the scammers operated. In all, the scam is believed to have netted those involved more than $14 million in commissions from online advertisers.
As part of the take down of the criminal network, dubbed “Ghost Click”, the FBI worked with The Internet Systems Consortium (ISC) to set up clean DNS servers to handle requests from Ghost Click infected systems. It also asked Regional Internet Registries (RIRs) around the globe to lock the IP address ranges containing the IP addresses of the rogue DNS servers used by the Ghost click scammers. That gave ISPs a way to identify infected hosts, while keeping the owners of infected systems from being cut off from the Internet. The clean DNS servers were set up in New York and operated by ISC.
More than half a million of the infected systems were located in the U.S. when authorities took control of the the network. But cleaning infected systems has proven slow and difficult work. Threatpost reported in December that more than two million infected machines were still connecting into the DNS servers run by ISC in the week following the raid. Two months later, security experts that work with government agencies and private companies say they are still wrestling with systems infected by DNS Changer.
Talking to Brian Krebs of Krebsonsecurity, Rod Rasmussen of Internet Identity says that his firm has found DNS Changer in computers at half of all Fortune 500 firms, and 27 out of 55 major government entities it works with. The malware disables anti malware software on the systems it infects, blocks operating sytsem updates, and comes bundled with a host of other malware. “You’d think people would want to get this cleaned up,” Rasumussen said.
Companies aren’t the only ones struggling with the legacy of Ghost Click. The FBI, in November, posted a notice soliciting victims of the scam to step forward. Despite initial claims from law enforcement that half a million U.S. computers were infected with the DNSChanger malware used in the scam, the FBI admitted said the agency was looking for victims to help with the prosecution of the Estonian-Russian hacking crew, and that she wasn’t sure that prosecutors had the names of any actual victims yet.”