IID Reports Downturn In Fortune 500 And Major U.S. Government Agencies Infected With DNSChanger Malware

Deadline for temporary FBI fix propping up Internet extended, but thousands of computers and routers with DNSChanger still being exposed to dangerous computer viruses

March 7, 2012

TACOMA, Wash. – March 5, 2012 – IID (Internet Identity), a provider of technology and services that help organizations secure their Internet presence, today announced that it has seen a dramatic decrease in the number of Fortune 500 companies and what it considers “major” U.S. federal agencies that are infected with DNSChanger malicious software (malware). Using its ActiveKnowledge Signals system and data from other leading security and Internet infrastructure organizations, IID found that at least 94 of the Fortune 500 companies and three of the 55 major government entities had at least one computer or router infected with DNSChanger as of February 23, 2012. IID had reported earlier this year that half of all Fortune 500 companies and U.S. federal agencies were infected with DNSChanger.

The findings come the same day that a federal judge extended the March 8 deadline by which the FBI had been required to take down the temporary servers that enable millions of computers and routers infected with DNSChanger to reach their intended Internet destinations. The extension keeps the temporary servers running until July 9, 2012. Because infected computers and routers will have no servers answering their DNS requests after July 9, the Internet may literally go dark for people using those machines.

“People have had months to get DNSChanger off their machines and despite the dramatic downturn in infected machines at the Fortune 500 and government agencies, all indications are that thousands of computers and routers are still infected,” said IID president and CTO Rod Rasmussen. “Even though people will still be able to reach their intended Internet destination for the time being with this extension, the infected computers and routers are at high risk of getting hit by another virus due to the insidious nature of DNSChanger.”

Another effect of DNSChanger is that if an employee’s computer carries the malware, the enterprise is susceptible to having its proprietary information stolen. That’s because DNSChanger disables anti-virus (A/V) software and regular software updates, exposing victims to attacks from other malware families. This lets criminals view data, exchanged messages and more on a victim’s computer, depending on what the victim’s machine is subsequently infected with.

The malware that DNSChanger is based on is particularly insidious, requiring extensive and careful work to remove completely from an infected computer. This has proven quite challenging for the ISP community, as the typical A/V packages that ISPs provide to their user bases usually cannot remove DNSChanger. Enterprises and government agencies usually have direct control of and access to their users’ machines, which makes cleanup relatively easier (though still challenging). Most of the machines that will lose their ability to resolve DNS on July 9th are likely to be found on consumer ISP networks. So if this extension doesn’t help ISPs get ahead of the issue, July 9th will be a very busy day at many ISP help desks around the country and the world.

DNSChanger malware actively changes the infected system's domain name system (DNS) resolution settings to use rogue servers that redirect legitimate searches and URLs to malicious websites that attempt to steal personal information and generate illegitimate ad revenue for a network of cybercriminals. In November 2011, the FBI—working in concert with NASA, the Estonian police, and several private sector firms and security researchers—put a major dent in the DNSChanger operation with Operation Ghost Click. The operation culminated in the arrest of six Estonian nationals accused of manipulating millions of infected computers via DNSChanger. Along with the arrests, a number of computer systems that the FBI says were being used as rogue DNS servers were seized. But instead of simply shutting them down, the FBI, in conjunction with industry partners, temporarily replaced them with legitimate servers.

IID Joins Industry Allies to Lend a Helping Hand

Along with several other organizations and companies that have teamed up to combat DNSChanger by forming the DNS Changer Working Group, IID is offering to help identify the IP addresses of machines infected by DNSChanger on any enterprise’s network for free. All an enterprise needs to do is send IID its Classless Inter-Domain Routing (CIDR) blocks, and IID will let it know whether it has an infection. IID can identify malware infestations like DNSChanger with its ActiveKnowledge Signals service, which externally detects and diagnoses malicious or potentially dangerous activities occurring on an enterprise’s network via the indicators those activities give off when communicating on the Internet. It does this by correlating intelligence gathered directly and via a wide network of security industry partners. ActiveKnowledge Signals provides enterprises with timely, actionable alerts about threatening or potentially dangerous activities occurring on internal, external and partner networks.

To see if DNSChanger is on your network, you can take advantage of free information from one of several organizations contributing to the effort to clean up infected machines before time runs out. An up-to-date list of organizations you can contact to get this information can be found at the DNS Changer Working Group website: http://dcwg.org/cleanup.html. If you run an enterprise network, you can also contact IID directly by going to http://www.internetidentity.com/contact-us.
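The two checks described above (a host's resolver settings pointing at rogue DNS ranges, and matching reported infected addresses against an enterprise's own CIDR blocks) both reduce to testing whether IP addresses fall inside a set of CIDR networks. The script below is an added example, not IID's or the DCWG's code; the rogue ranges and the resolv.conf contents are constructed placeholders, and the real rogue-server ranges should be taken from the DCWG website linked above.

```python
import ipaddress

# Constructed placeholder ranges (RFC 5737 documentation networks). They are NOT
# the real DNSChanger rogue resolver ranges; substitute the list published by the
# DNS Changer Working Group before using this on real data.
ROGUE_DNS_BLOCKS = ["198.51.100.0/24", "203.0.113.0/24"]

# Constructed sample of a resolv.conf after the malware rewrote it.
SAMPLE_RESOLV_CONF = """\
# generated by DHCP client
nameserver 198.51.100.7
nameserver 203.0.113.9
nameserver 192.0.2.53   # the organisation's own resolver, unaffected here
nameserver not-an-address
"""


def parse_resolvers(resolv_conf):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for raw in resolv_conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def addresses_in_blocks(addresses, cidr_blocks):
    """Return the subset of addresses that fall inside any of the CIDR blocks.

    Used the same way for both checks: resolver IPs against rogue ranges, or
    reported infected IPs against an enterprise's own CIDR allocation.
    Malformed entries are skipped rather than raising."""
    networks = [ipaddress.ip_network(b, strict=False) for b in cidr_blocks]
    hits = []
    for a in addresses:
        try:
            addr = ipaddress.ip_address(a)
        except ValueError:
            continue
        if any(addr in net for net in networks):
            hits.append(a)
    return hits


def rogue_resolvers(resolv_conf, cidr_blocks=ROGUE_DNS_BLOCKS):
    """Flag configured resolvers that sit inside the rogue DNS ranges."""
    return addresses_in_blocks(parse_resolvers(resolv_conf), cidr_blocks)


if __name__ == "__main__":
    print("rogue resolvers:", rogue_resolvers(SAMPLE_RESOLV_CONF))
```

On Windows the same check applies to the DNS server entries shown by `ipconfig /all`; only the parsing step differs.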

About IID

IID (Internet Identity) has been providing technology and services that secure the Internet presence for an organization and its extended enterprise since the company was founded in 1996. It recently introduced a number of unique approaches to secure organizations’ use of Internet infrastructure with ActiveTrust® BGP, ActiveTrust DNS, and ActiveTrust Resolver with TrapTrace. IID also provides anti-phishing, malicious software (malware) and brand security solutions for five of the top six banks in the U.S., many of today’s leading financial services firms, e-commerce, social networking and ISP companies, and more. Through its extensive data, and deep relationships with law enforcement, service providers and security experts around the world, IID delivers unrivaled ways to keep the Internet safe and trusted for businesses. IID is headquartered in Tacoma, Washington. More information can be found at www.internetidentity.com.
