
Half of Fortune 500s, US Agencies Still Infected With DNSChanger Trojan

tsu doh nimh writes "Two months after authorities shut down a massive Internet traffic hijacking scheme, the malicious software that powered the criminal network is still running on computers at half of the Fortune 500 companies, and on PCs at nearly 50 percent of all federal government agencies. Internet Identity, a Tacoma, Wash. company that sells security services, found evidence of at least one DNSChanger infection in computers at half of all Fortune 500 firms, and 27 out of 55 major government entities. Computers still infected with DNSChanger are up against a countdown clock. As part of the DNSChanger botnet takedown, the feds secured a court order to replace the Trojan's DNS infrastructure with surrogate, legitimate DNS servers. But those servers are only allowed to operate until March 8, 2012. Unless the court extends that order, any computers still infected with DNSChanger may no longer be able to browse the Web. The FBI is currently debating whether to extend the deadline or let it expire."
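The check a defender would run against the countdown described above, written here as an added example (not part of the Slashdot submission or of any FBI tooling): parse a host's configured resolvers and flag any that sit in a known-rogue DNSChanger netblock. The page does not give those netblocks, so the ranges below are labelled placeholders (RFC 5737 documentation networks), and the resolv.conf text is a constructed sample.

```python
import ipaddress
import re

# Netblocks to match against. The page does not list the rogue DNSChanger
# resolver ranges, so these are PLACEHOLDERS (RFC 5737 documentation networks);
# a real check substitutes the ranges published by the FBI / DCWG.
ROGUE_RESOLVER_NETS = [
    ipaddress.ip_network("198.51.100.0/24"),  # placeholder
    ipaddress.ip_network("203.0.113.0/24"),   # placeholder
]

def parse_resolvers(resolv_conf: str) -> list:
    """Return nameserver addresses from resolv.conf-style text, ignoring comments."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        match = re.match(r"nameserver\s+(\S+)$", line)
        if match:
            servers.append(match.group(1))
    return servers

def rogue_resolvers(servers) -> list:
    """Return the resolvers that fall inside a known-rogue netblock."""
    hits = []
    for server in servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            continue  # malformed or non-IP entry: nothing to match against
        if any(addr in net for net in ROGUE_RESOLVER_NETS):
            hits.append(server)
    return hits

# Constructed sample (not from a real host): one ordinary resolver and one
# that DNSChanger-style tampering has pointed into a rogue block.
SAMPLE_RESOLV_CONF = """\
# constructed sample
nameserver 192.0.2.53
nameserver 203.0.113.7
search corp.example
"""

def check(resolv_conf: str = SAMPLE_RESOLV_CONF) -> dict:
    """Summarise the resolver configuration and whether it indicates an infection."""
    servers = parse_resolvers(resolv_conf)
    hits = rogue_resolvers(servers)
    return {"resolvers": servers, "rogue": hits, "infected_indicator": bool(hits)}

if __name__ == "__main__":
    print(check())
```

The same `rogue_resolvers` check applies to addresses taken from `ipconfig /all` on a Windows host or from a router's WAN DNS settings, which is where DNSChanger actually made its changes.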
  • by koan ( 80826 ) on Sunday February 05, 2012 @12:00PM (#38934955)

    The only people in IT that know what they are doing are the "hackers".

  • Oh boo hoo (Score:2, Insightful)

    by Anonymous Coward on Sunday February 05, 2012 @12:00PM (#38934957)

    Maybe loss of service will finally motivate owners/managers to clean up the problem.

  • Fuck'em (Score:5, Insightful)

    by hannson ( 1369413 ) <hannson@gmail.com> on Sunday February 05, 2012 @12:01PM (#38934963)

    Just shut it down; it forces them to deal with it.

  • by betterunixthanunix ( 980855 ) on Sunday February 05, 2012 @12:07PM (#38935005)

    Unfortunately, proving that you are better than a company's security staff often involves committing a crime, which looks bad when you are applying for a job later in life. Not everyone can be an independent consultant like Kevin Mitnick.
  • pathetic (Score:3, Insightful)

    by Anonymous Coward on Sunday February 05, 2012 @12:11PM (#38935041)

    You just know there are tons of unemployed admins who could easily sort this shit out but instead these companies hired some douchebag fratboy who flunked out of law school to run their networks...

  • Re:Oh boo hoo (Score:5, Insightful)

    by WrongSizeGlass ( 838941 ) on Sunday February 05, 2012 @12:14PM (#38935069)

    As part of the DNSChanger botnet takedown, the feds secured a court order to replace the Trojan's DNS infrastructure with surrogate, legitimate DNS servers. But those servers are only allowed to operate until March 8, 2012. Unless the court extends that order, any computers still infected with DNSChanger may no longer be able to browse the Web.

    Maybe loss of service will finally motivate owners/managers to clean up the problem.

    You're right. The only way that most of these companies or government agencies will even realize that they are infected/affected will be when some of their PCs stop working properly.

  • by Zocalo ( 252965 ) on Sunday February 05, 2012 @12:16PM (#38935079)

    Just re-configure the surrogate DNS servers to return the same reply to every query and point all traffic towards an FBI server hosting a web page that explains what's happened and why they are seeing the web page they are. May as well make mention of the fact that the DoJ has apparently been sending out email notifications of these infections, followed up with a snail-mail version, to the designated WHOIS abuse/tech contacts for IP ranges showing infected hosts, just in case they hadn't already figured it out for themselves. I don't think it'll take too long before someone in senior management figures out what that implies and goes for a walk over to the IT department with a clue-by-four.
  • Seriously? (Score:5, Insightful)

    by sgt scrub ( 869860 ) <saintium@NOSpAM.yahoo.com> on Sunday February 05, 2012 @12:25PM (#38935145)

    any computers still infected with DNSChanger may no longer be able to browse the Web

    There are over 250 IT departments that not only allow infected machines to remain on the network but allow users to continue to use them?!? The IT world has officially gone to shit. I'm going back to bed.

  • by betterunixthanunix ( 980855 ) on Sunday February 05, 2012 @12:41PM (#38935255)

    Wow, how wrong you are. You simply say to the corporation "I'm a security consultant, want to watch me get through your security?" They say "yes", you say "pay me", and then show them how insecure their network truly is.

    Right, because the company is not going to ask to see your credentials before they pay you to attack their system. How do you get your credentials as a security consultant in the first place? How does anyone know that your time is worth paying for?

  • by Sir_Sri ( 199544 ) on Sunday February 05, 2012 @02:46PM (#38936109)

    That's sort of the point. If they had any brains we wouldn't need to be telling the CEO not to have his password on a Post-it note on his monitor.

  • Re:Fuck'em (Score:5, Insightful)

    by Antibozo ( 410516 ) on Sunday February 05, 2012 @03:11PM (#38936307)

    They should have shut it down in the first place. It's wildly irresponsible and stupid for the FBI to have set up a replacement infrastructure.

    Presumably the hosts that are compromised had a vulnerability. Leaving a working infrastructure in place has masked the signal not only that DNSChanger was installed, but that there might be an unpatched vulnerability. If they'd shut it down, staff would have looked at the boxes and identified that there was malware installed, then cleaned up the boxes in the process and fixed their patching process. Who knows what additional malware may have been installed in the interim using the same or other unpatched vulnerabilities, because the FBI meddled?

    In addition, by taking the responsibility for maintaining a DNS infrastructure, they run the risk of contributing to another mass compromise if the replacement infrastructure is itself compromised or becomes the victim of a cache poisoning attack.

    Stupid, stupid, stupid.
