US Judge Postpones Death Sentence For Ghost Click Machines

A Federal Judge acceded to a request from the U.S. Attorney’s Office to extend the operation of Domain Name System servers that are the last lifeline to the Internet for hundreds of thousands of machines infected by the DNSChanger malware, following a bust of the group controlling the infected machines in November.

In a protective order issued on March 5 by Judge William Pauley III, the government agreed to delay forfeiture of servers used by a criminal group dubbed “Ghost Click.” Those servers were being used by the group to direct millions of infected machines around the world to Web sites of the attackers’ choosing. The redirected traffic was then used to generate advertising revenue for companies linked to the Ghost Click crew.

When the Ghost Click crew was initially busted, the government contracted with the Internet Systems Consortium (ISC) to operate clean DNS servers that would handle traffic from the infected machines until they could be disinfected. However, the job of cleaning more than 4 million infected computers has gone more slowly than anticipated. The government initially slated the clean DNS servers for decommissioning on March 8. However, in February the U.S. Attorney for the Southern District of New York submitted an application seeking an extension of the original order authorizing the operation of the servers for 120 days.

Writing on Tuesday, U.S. District Court Judge Denise Cote said she found “good cause” to support the extension of the original order until July 9, 2012. Data from the DNS Changer Working Group, an ad hoc group that monitors the DNS servers run by ISC, suggests that infections are on the decline, with around 400,000 systems still infected as of February.

The protective order issued on Monday leaves ISC in charge of the DNS servers and the effort to disinfect the remaining Ghost Click systems. ISC is required to report back to the court in May on its progress in cleaning up after DNSChanger. In the meantime, the FBI has issued a public call for those who were victims of DNSChanger to step forward and help with the government’s case against those behind the Ghost Click network.
