Machines Still Infected With DNSChanger Pose Dangers

Published: 22/11/2024   Category: security


No surprise: the DNSChanger server shutdown today didn't cause significant disruption on the Net, but the threat is not over yet, security experts say.



When the FBI today shut down the temporary DNS servers that had been keeping users infected with the DNSChanger Trojan online, only a tiny fraction of users still harbored the malware, and some ISPs had established their own backup DNS servers for those stragglers.
All in all, the damage was minimal: just over 210,000 unique victim IP addresses around the globe, a far cry from the initial headcount of millions hit by the malware, still remain infected, even after aggressive campaigns by many ISPs to alert users and offer them help cleaning up their machines.
But the threat is far from over, security experts say.
Paul Vixie, chairman and founder of the Internet Systems Consortium (ISC), which actually ran and managed the servers on behalf of the FBI operation, says that by pulling the Band-Aid off slowly and keeping infected users from losing their DNS, ISPs are only masking the danger to victims. "The idea is to rip it [the Band-Aid] off instead," he says.
Vixie says the temporary DNS provided by ISC via the FBI made sense and was successful, along with the awareness campaigns by ISPs. "We could measure that infections went down 50 percent with the setup," Vixie says. "But at a certain point, you reach diminishing returns. Every one of those still-infected machines is a danger to its owner and to the rest of us. Given how easily targetable they are, I'm worried about the 210,000 still out there."
Other security experts worry as well. "The ISPs are essentially expanding the deadline on their own," says Dan Brown, director of security research at Bit9. But that's also extending the period of infection, he says.
So is this weaning of infected users basically enabling victims and obscuring the real security lessons here? "Some of the more important security lessons were pushed under the rug. One thing that happens is when you find malware, it's often not the only malware on that system, so many of these machines contain other malware as well," Brown says.
And that's the case with DNSChanger, which security experts say was in many cases actually a secondary infection following the TDSS malware. "The primary malware was a botnet piece of TDSS that instructed the machine to download DNSChanger," Brown says.
July 9 was the final deadline for the temporary servers keeping infected users afloat on the Internet, and some major ISPs waged proactive campaigns to alert their customers whose machines harbored the malware and offer them cleanup options. The results were impressive: Internet Identity (IID) saw a 10 to 20 percent decrease in the number of infected IP addresses in the past week.
The DNSChanger Working Group today provided its final count of the remaining infected IP addresses, and plans to offer a postmortem on the initiative.
[DNSChanger botnet takedown poses unique challenges and risks that other botnet overthrows do not. See Orphaned Bots Facing Internet Blackout.]
The FBI's Operation Ghost Click last year dismantled the scheme and indicted six Estonians and one Russian allegedly involved in infecting users and redirecting their computers to phony websites in a click-fraud scam. There were initially millions of infected machines, and the malware has been around for several years, initially targeting home routers.
Comcast says it received a minuscule number of calls from infected users today, and that it had initially estimated that less than one-tenth of one percent of its customers would be affected anyway. "For months, we have been emailing, mailing letters, sending in-browser notifications and even calling customers who we thought might be impacted and urged them to take action by visiting a dedicated website www.xfinity.com/dnsbot where they had two choices," a Comcast spokesman says. "They could either download a free security patch we provided via our Constant Guard Security Suite on their own or, if they're not comfortable doing that, then they can call Xfinity Signature Support and for a fee have a professional help them."
Unlike some other ISPs, Comcast did not opt to provide a backup DNS service for infected machines, he says.
Meanwhile, another factor that may have lit a fire under some complacent victims was a brownout a couple of months ago of the temporary DNS servers established by the FBI, says Rod Rasmussen, president and CEO of IID, which worked with the DNSChanger Working Group. "That's when [some] people actually paid attention," Rasmussen says.
But like any other potent malware, DNSChanger is likely to be recycled and retooled, so this won't be the last of it.
Rasmussen says one complication is that older versions of Windows actually keep fallback DNS settings, so if they don't get a response from the most recent one, they tap into older ones. "So they could remain online and not realize they're infected," he says.
Johannes Ullrich of the SANS Technology Institute said in a post today that overall, only 0.1 percent of Internet users are infected with the Trojan, so most users have nothing to worry about: "In other words: Very few. People who have disregarded warning banners, phone calls from ISPs, AV warnings, and other notification attempts. They probably should be disconnected from the Internet," he wrote.
The good news is that it was not the Armageddon that some had predicted. "It's probably a good thing the ISPs helped Ma and Pa stay on the Net a little longer," Bit9's Brown says. "The message about endpoint security is the real issue is the underlying malware on your system and how did it get there. But if this malware ended up in your corporate environment even though it was intended for consumers, it says something about your security posture. Those messages got lost in the fray."
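The fallback behaviour Rasmussen describes is why a resolver check has to look at every configured DNS server, not just the first one. The following is an added example (not code from the article, and not a tool from ISC, IID or the DNSChanger Working Group): it reads the server list out of `ipconfig /all`-style output, including the indented continuation lines Windows uses for second and later servers, and flags a rogue address whether it is the primary or merely a fallback. The rogue ranges are placeholders (RFC 5737 documentation prefixes) standing in for the published DNSChanger ranges, and the `ipconfig` text is constructed, not a real capture.

```python
import ipaddress

# PLACEHOLDER rogue-resolver ranges. These are RFC 5737 documentation
# prefixes, not the real DNSChanger ranges; substitute the list published by
# the FBI / DNSChanger Working Group before running this against a real host.
ROGUE_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]


def _as_ip(text):
    """Parse one token as an IP address, tolerating Windows zone IDs (fe80::1%12)."""
    try:
        return ipaddress.ip_address(text.split("%", 1)[0])
    except ValueError:
        return None


def parse_dns_servers(ipconfig_text):
    """Return every DNS server listed in `ipconfig /all` output, in lookup order.

    Windows prints the first server on the 'DNS Servers' line and any further
    servers on indented continuation lines. Every entry matters: the stub
    resolver quietly moves down the list when an earlier server stops answering.
    """
    servers = []
    in_dns_block = False
    for line in ipconfig_text.splitlines():
        stripped = line.strip()
        if "DNS Servers" in line and ":" in line:
            # first ':' ends the dotted label; IPv6 colons in the value survive
            value = line.split(":", 1)[1].strip()
            in_dns_block = True
            if _as_ip(value) is not None:
                servers.append(value)
            continue
        if in_dns_block and line[:1].isspace() and _as_ip(stripped) is not None:
            servers.append(stripped)  # continuation line carrying another server
            continue
        in_dns_block = False  # any other line ends the DNS Servers block
    # several adapters may list the same server; keep first occurrence only
    return list(dict.fromkeys(servers))


def classify_resolvers(servers, rogue_ranges=ROGUE_RANGES):
    """Label each resolver 'rogue', 'clean' or 'invalid'."""
    verdicts = {}
    for server in servers:
        addr = _as_ip(server)
        if addr is None:
            verdicts[server] = "invalid"
        elif any(addr in net for net in rogue_ranges):
            verdicts[server] = "rogue"
        else:
            verdicts[server] = "clean"
    return verdicts


def infection_verdict(servers, rogue_ranges=ROGUE_RANGES):
    """Summarise the resolver list:
    'clean'          - no rogue entry anywhere;
    'primary_rogue'  - lookups already go to a rogue server;
    'fallback_rogue' - the first server is fine but a rogue entry sits further
                       down, so the host looks healthy until the primary stops
                       answering and it silently switches to the rogue one.
    """
    verdicts = classify_resolvers(servers, rogue_ranges)
    labels = [verdicts[s] for s in servers]
    if "rogue" not in labels:
        return "clean"
    return "primary_rogue" if labels[0] == "rogue" else "fallback_rogue"


# Constructed sample (not a real capture): the ISP resolver is primary, a stale
# entry in the placeholder rogue range lingers as fallback, and a second
# adapter repeats the primary so de-duplication is exercised.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.internal
   IPv4 Address. . . . . . . . . . . : 10.0.0.20
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 10.0.0.1
                                       192.0.2.53
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection:

   DNS Servers . . . . . . . . . . . : 10.0.0.1
"""

if __name__ == "__main__":
    found = parse_dns_servers(SAMPLE_IPCONFIG)
    print(found)                      # ['10.0.0.1', '192.0.2.53']
    print(classify_resolvers(found))  # primary clean, fallback rogue
    print(infection_verdict(found))   # fallback_rogue
```

A host whose primary resolver is clean but whose fallback is rogue will pass a naive "what does `nslookup` use right now" check; the point of returning a separate `fallback_rogue` verdict is that such a machine still needs cleaning, because the day the primary goes unreachable it will start resolving through the rogue server without any visible change.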