Machines Still Infected With DNSChanger Pose Dangers

When the FBI today shut down the temporary DNS servers keeping users infected with the DNSChanger Trojan online, only a tiny fraction of users still harbored the malware and some ISPs had established their own DNS backup servers for those stragglers.

All in all, the damage was minimal: just over 210,000 unique IP victims around the globe -- a far cry from the initial headcount of millions of victims hit by the nasty malware -- still remain infected with the malware, even after aggressive campaigns by many ISPs to alert users and offer them help to clean up their machines.

But the threat is far from over, security experts say.

Paul Vixie, chairman and founder of the Internet Security Consortium (ISC), which actually ran and managed the servers on behalf of the FBI operation, says by pulling the BandAid off slowly and keeping infected users from losing their DNS, ISPs are only masking the danger to victims. "The idea is to rip it [the BandAid] off" instead, he says.

Vixie says the temporary DNS provided by ISC via the FBI made sense and was successful, along with the awareness campaigns by ISPs. "We could measure that infections went down 50 percent" with the setup, Vixie says. "But at a certain point, you reach diminishing returns. Every one of those still-infected machines is a danger to its owner and to the rest of us. Given how easily targetable they are, I'm worried about the 210,000 still out there."

Other security experts worry as well. "The ISPs are essentially expanding the deadline on their own," says Dan Brown, director of security research at Bit9. But that's "also extending the period of infection," he says.

So is this weaning of infected users basically enabling victims and obscuring the real security lessons here? "Some of the more important security lessons were pushed under the rug. One thing that happens is when you find malware, it's often not the only malware on that system," so many of these machines contain other malware as well, Brown says.

And that's the case with DNSChanger, which security experts say was actually a secondary infection in many cases to the TDSS malware. "The primary malware was a botnet piece of TDSS that instructed the machine to download DNSChanger," Brown says.

July 9 was the final deadline for the temporary servers keeping infected users afloat on the Internet, and some major ISPs waged proactive campaigns to alert and offer cleanup options for their customers whose machines harbored the malware. The results were impressive: Internet Identity (IID) saw a 10- 20 percent decrease in the number of infected IP addresses in the past week.

The DNSChanger Working Group today provided its final count of the remaining infected IP addresses, and plans to offer a postmortem on the initiative.

[DNSChanger botnet takedown poses unique challenges and risks that other botnet overthrows do not. See Orphaned Bots Facing Internet Blackout.]

The FBI's "Operation Ghost Click" last year dismantled the scheme and indicted six Estonians and one Russian allegedly involved in infecting users and redirecting their computers to phony websites in a click-fraud scam. There were initially millions of infected machines, and the malware has been around for several years -- initially targeting home routers.

Comcast says it received a "miniscule" number of calls from infected users today, and that it initially had estimated that less than one-tenth of one percent of its customers would be affected, anyway. "For months, we have been emailing, mailing letters, sending in-browser notifications and even calling customers who we thought might be impacted and urged them to take action by visiting a dedicated website www.xfinity.com/dnsbot where they had two choices," a Comcast spokesman says. "They could either download a free security patch we provided via our Constant Guard Security Suite on their own or, if they’re not comfortable doing that, then they can call Xfinity Signature Support and for a fee have a professional help them."

Unlike some other ISPs, Comcast did not opt to provide a backup DNS service for infected machines, he says.

Meanwhile, another factor that may have lit a fire under some complacent victims was a "brownout" that occurred a couple of months ago of the temporary DNS servers established by the FBI, says Rod Rasmussen, president and CEO of IID, which worked with the DNSChanger Working Group. "That's when [some] people actually paid attention," Rasmussen says.

But like any other potent malware, DNSChanger is likely to be recycled and retooled, so this won't be the last of it.

Rasmussen says one complication is that older versions of Windows actually have fallback DNS settings, so if they don't get a response from the most recent one, they tap into older ones. "So they could remain online and not realize they're infected," he says.

Johannes Ullrich of the SANS Technology Institute, said in a post today that overall, only 0.1 percent of Internet users are infected with the Trojan, so most users have nothing to worry about: "In other words: Very few. People who have disregarded warning banners, phone calls from ISPs, AV warnings, and other notification attempts. They probably should be disconnected from the Internet," he wrote.

"The good news is that it was not the Armageddon that some had predicted. It's probably a good thing the ISPs helped Ma and Pa stay on the Net a little longer," Bit9's Brown says. "The message about endpoint security is the real issue is the underlying malware on your system and how did it get there. But if this malware ended up in your corporate environment even though it was intended for consumers, it says something about your security posture. Those messages got lost in the fray."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.