Vulnerability Management

Deadline looms to remove click-fraud malware

Half of the Fortune 500 companies and more than two dozen federal agencies are at risk of losing internet connectivity next month when legitimate DNS servers that temporarily were replacing rogue servers go offline.

That warning was sounded by Tacoma, Wash.-based Internet Identity (IID), a data security company that provides a free service to help companies find and eradicate the DNSChanger malware. Although the purpose of DNSChanger was primarily to hijack searches to display advertisements of the attacker's choosing, many corporate, government and other entities were infected, Lars Harvey, CEO of IID, told SCMagazine.com.

Temporary DNS servers that replaced infected DNS servers brought down by the FBI and Estonian police, after a November raid dubbed Operation Ghost Click, are due to be taken offline March 8. The servers are currently being managed by the Internet Systems Consortium (ISC) under a court order.

Unless the court determines that the servers should be kept online past deadline, they could be turned off, potentially severing internet access to thousands of users.

Harvey said he is trying to raise awareness to this possibility because the amount of traffic going through clean servers administered by the ISC has not changed significantly since the November 2011 raid, indicating that many users have yet to fix the DNS server settings on their computers.

Harvey said that while the most likely consequence is losing web connectivity, compromised machines also could open themselves up to malware, such as rootkits. He said there are some 4.5 million systems infected with the malware that are still accessing the temporary servers.

Based on the IP addresses of systems connecting to the temporary servers at ISC, Harvey said half of Fortune 500 companies and some 27 “major” federal agencies are among those still infected with the malware.

“It might be just one system or it might be one hundred," he said. "It's impossible to say."

Kevin Beaver, an Atlanta-based security consultant, said organizations need to take action now.

“Cleaning up malware at this level can be like trying to remove cancer that has metastasized," he said. "It's been my experience that businesses need to bite the bullet and spend the money on technical experts and advanced malware technologies … that can help you find the infection and eliminate it. If you don't do it properly, you'll be fighting this issue indefinitely.”

The FBI has identified the IP addresses of the rouge DNS Servers shortly after shutting down the systems. The bureau recommends that users check the DNS Server settings on their systems to see if the IP addresses match. If so, the settings need to be changed.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds