DNSChanger: FBI’s Internet Blackout Postponed

Tuesday, March 06, 2012

Pierluigi Paganini


(Translated from the original Italian)

DNSChanger: FBI’s Internet Blackout Postponed from 8 March to 9 July

Many people are asking me for updates on the DNSChanger case, which has caused many network users to hold their breath.

For the last several months, news has been circulating about the Internet blackout that the FBI had scheduled for March 8, potentially affecting millions of users.

To counter the threat, the FBI had initially planned to shut down several DNS servers on March 8, with the undesirable side effect of cutting millions of still-infected users off from the Internet.

The action must be taken to stop the spread of the DNSChanger Trojan, malware that has infected millions of computers in more than 100 countries worldwide. The story began last year in Estonia, where a group of people accused of developing the dreaded Trojan, which seems able to spread with surprising ease, were arrested.

Under a court order, which expires March 8, the Internet Systems Corporation has been operating replacement DNS (domain name servers) for the DNSChanger botnet. This was done to give affected networks time to identify infected hosts and to avoid a sudden disruption of service to victims.

Last week a federal judge postponed that order, delaying the blackout of the surrogate servers by 120 days to give companies, businesses and governments more time to mitigate the threat.

A copy of the court order extending the deadline until July 9, 2012 is available here.

What does the DNSChanger Malware do?

The botnet operated by Rove Digital altered user DNS settings, pointing victims to malicious DNS servers from data centers in Estonia, New York, and Chicago. The malicious DNS servers would return malicious responses, altering user searches, and promoting fake and dangerous products.

Because every web search starts with a DNS lookup, the malware showed users an altered version of the Internet. Once the FBI discovered it, they replaced the Trojan’s infrastructure with surrogate DNS servers to give the businesses and private individuals affected by DNSChanger time to clean their infected systems.

By replacing the command-and-control (C&C) servers, the feds have prevented the worm from further propagation. The FBI took over the botnet’s C&C servers in November as part of Operation Ghost Click.


DNSChanger changes the DNS settings inside the infected system, thus hijacking web traffic to unwanted and infected sites.
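Because the infection leaves a visible trace in the host's resolver configuration, the practical check is to list the configured DNS servers and compare them against the address blocks the rogue resolvers used. The script below is an added example, not code from the original post or from the FBI/DCWG; it parses both a resolv.conf-style file and the output of `ipconfig /all`, then flags any resolver inside a set of CIDR ranges. The ranges in ROGUE_RANGES_PLACEHOLDER are RFC 5737 documentation addresses standing in for the published DNSChanger blocks, which the post does not list; substitute the list published by the FBI/DCWG. The sample inputs are constructed for the demonstration.

```python
import ipaddress
import os
import re

# Placeholder ranges (assumption): RFC 5737 documentation blocks used only so the
# example runs offline. Replace with the rogue resolver ranges published by DCWG/FBI.
ROGUE_RANGES_PLACEHOLDER = [
    "198.51.100.0/24",
    "203.0.113.0/24",
]

# Constructed sample inputs: one resolver in a "rogue" block, one legitimate-looking.
SAMPLE_RESOLV_CONF = """# constructed sample resolv.conf
nameserver 198.51.100.7
nameserver 192.0.2.53
"""

SAMPLE_IPCONFIG = """   DNS Servers . . . . . . . . . . . : 203.0.113.9
                                       192.0.2.53
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def parse_resolv_conf(text):
    """Return nameserver addresses from resolv.conf-style text, ignoring comments."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def parse_ipconfig(text):
    """Return DNS server addresses from `ipconfig /all` style output.

    Windows prints the first server on the 'DNS Servers' line and any further
    servers on indented continuation lines containing only an address.
    """
    servers = []
    in_dns = False
    address_only = re.compile(r"[0-9A-Fa-f.:]+(%\w+)?")
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("DNS Servers"):
            in_dns = True
            value = stripped.split(":", 1)[1].strip() if ":" in stripped else ""
            if value:
                servers.append(value)
            continue
        if in_dns and address_only.fullmatch(stripped):
            servers.append(stripped)
            continue
        in_dns = False  # any other line ends the DNS Servers block
    return servers


def check_resolvers(servers, rogue_ranges):
    """Return the subset of server addresses that fall inside any rogue range."""
    nets = [ipaddress.ip_network(r, strict=False) for r in rogue_ranges]
    flagged = []
    for server in servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            continue  # skip tokens that are not parseable addresses
        # Membership across IP versions is False, so IPv6 resolvers are not misflagged.
        if any(addr in net for net in nets):
            flagged.append(server)
    return flagged


def audit_text(text, rogue_ranges=ROGUE_RANGES_PLACEHOLDER):
    """Run both parsers over arbitrary text and return flagged resolvers (de-duplicated)."""
    found = parse_resolv_conf(text) + parse_ipconfig(text)
    return sorted(set(check_resolvers(found, rogue_ranges)))


if __name__ == "__main__":
    print("sample resolv.conf flagged:", audit_text(SAMPLE_RESOLV_CONF))
    print("sample ipconfig flagged:  ", audit_text(SAMPLE_IPCONFIG))
    if os.path.exists("/etc/resolv.conf"):
        with open("/etc/resolv.conf") as fh:
            print("this host flagged:        ", audit_text(fh.read()))
```

Run as-is it reports the two constructed rogue resolvers; on a Unix host it also reads the live /etc/resolv.conf. On Windows, pipe `ipconfig /all` into a file and pass its contents to audit_text. A resolver that is not flagged is not proof of a clean machine, since the placeholder list is not the published one.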

Despite the efforts of the press and major law enforcement agencies, the situation is far from reassuring, because too many PCs are still infected and would be affected by the planned blackout.

More than 3 million PCs worldwide are still infected with DNSChanger, and that is the main reason the authorities decided to extend the period before the planned shutdown of the surrogate servers.

A special task force was established to support private companies by providing the necessary instructions for removing the malware; it can be reached at the site DCWG.org.


Cross-posted from Security Affairs

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
