12% of Fortune 500 Firms Under Threat of DNSChanger

Jay Decenella, IT audit expert
July 09, 2012

DNSChanger, malware developed by Estonian hackers, threatens to cut some 12 percent of Fortune 500 companies off from the internet today, according to a security vendor.

“Hundreds of thousands of computer users are going to learn the hard way that failing to keep a clean machine comes with consequences,” says security journalist Brian Krebs of the systems infected with the DNSChanger Trojan, citing statistics from Internet Identity (IID), which provides security services to organizations.

DNSChanger alters a victim’s DNS settings so that name lookups go to attacker-controlled resolvers, which can send unsuspecting users to fraudulent sites or otherwise interfere with their online activities.

Security firm Symantec further explains: “By changing a computer’s DNS settings, malware authors can control what websites a computer connects to on the Internet, and can force a compromised computer to connect to a fraudulent website or redirect the computer away from an intended website. To do that, a malware author needs to compromise a computer with malicious code, which in this case is DNSChanger. Once the computer is compromised, the malware modifies the DNS settings from the ISP’s legitimate DNS server’s address to the rogue DNS server’s address.”

According to Websense, a security research group, the Trojan points an infected machine’s DNS settings at addresses in the following IP ranges:

85.255.112.0 through 85.255.127.255
67.210.0.0 through 67.210.15.255
93.188.160.0 through 93.188.167.255
77.67.83.0 through 77.67.83.255
213.109.64.0 through 213.109.79.255
64.28.176.0 through 64.28.191.255
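The practical check an administrator wants here is whether any configured resolver falls inside those six ranges. The following is an added example (not code from the original article, Websense or the DCWG) that collapses the ranges above into CIDR networks and scans resolver settings pulled from either a Unix resolv.conf or the DNS Servers lines of Windows "ipconfig /all" output. The two configuration samples embedded in it are constructed for illustration; the resolver addresses in them are picked from the listed ranges and do not refer to real hosts.

```python
"""Check configured DNS resolvers against the DNSChanger rogue ranges.

Added example, not code from the original article or the DCWG. The six
ranges are the ones quoted from Websense above; the resolv.conf and
ipconfig excerpts below are constructed samples.
"""
import ipaddress
import re

# Rogue resolver ranges exactly as listed in the article (inclusive).
ROGUE_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]

# Collapse each start/end pair into CIDR networks for membership tests.
ROGUE_NETWORKS = [
    net
    for start, end in ROGUE_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(start), ipaddress.IPv4Address(end))
]


def is_rogue_resolver(ip):
    """True if ip falls inside one of the DNSChanger resolver ranges."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except ipaddress.AddressValueError:
        return False  # IPv6 or malformed input: not in an IPv4 rogue range
    return any(addr in net for net in ROGUE_NETWORKS)


def extract_resolvers(config_text):
    """Pull resolver IPs out of resolv.conf or 'ipconfig /all' text."""
    resolvers = []
    in_dns_block = False
    for line in config_text.splitlines():
        stripped = line.strip()
        m = re.match(r"nameserver\s+(\S+)", stripped)      # resolv.conf
        if m:
            resolvers.append(m.group(1))
            continue
        m = re.match(r"DNS Servers[ .]*:\s*(\S+)", stripped)  # ipconfig
        if m:
            resolvers.append(m.group(1))
            in_dns_block = True
            continue
        # ipconfig lists additional DNS servers on bare, indented lines
        if in_dns_block and re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", stripped):
            resolvers.append(stripped)
            continue
        in_dns_block = False
    return resolvers


def flag_rogue_resolvers(config_text):
    """Return the configured resolvers that sit in DNSChanger ranges."""
    return [ip for ip in extract_resolvers(config_text) if is_rogue_resolver(ip)]


# Constructed sample: a Linux resolv.conf with one rogue secondary resolver.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 10.0.0.53
nameserver 85.255.112.36
"""

# Constructed sample: an excerpt of Windows "ipconfig /all" output in which
# both resolvers have been replaced by addresses from the rogue ranges.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.20
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 213.109.70.12
                                       77.67.83.5
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for name, text in (("resolv.conf", SAMPLE_RESOLV_CONF),
                       ("ipconfig", SAMPLE_IPCONFIG)):
        rogue = flag_rogue_resolvers(text)
        print(f"{name}: {'INFECTED' if rogue else 'clean'} {rogue}")
```

On a real host, feed `flag_rogue_resolvers` the contents of /etc/resolv.conf or the output of `ipconfig /all`; a non-empty result means the machine (or a DHCP server upstream of it, since DNSChanger also targeted home routers) is handing out rogue resolvers and will stop resolving names once those addresses go dark.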

Machines that are still infected will lose the ability to resolve domain names once the rogue DNS servers they depend on stop answering, which will cause tremendous inconvenience to the hundreds of thousands of users who will effectively lose their internet connections.

“DNSChanger is an insidious form of malware affecting everyone from the everyday consumer to a large chunk of the Fortune 500,” said IID CEO Lars Harvey. “By working together to pool collective intelligence on the latest security threats, enterprises can ensure DNS resolvers do not enable employees to visit Internet locations hosting malware like DNSChanger—protecting their customer confidence, revenue, intellectual property and much more. We look forward to working with enterprises to accomplish this.”

In addition to the Fortune 500 companies, four percent of federal agencies also face the threat of getting disconnected from the internet.

The pain here comes not only from DNSChanger itself but from the effort to clean it up. A court order issued last year allowed experts at the Internet Systems Consortium (ISC) to take control of the infrastructure that powered DNSChanger and keep infected machines resolving names in the meantime. That was only a temporary measure, however: the ISC-operated servers will go offline on July 9, 2012, causing a “blackout” for computers that are still infected.

Krebs cited figures from the DNSChanger Working Group (DCWG), an industry consortium working to remove the malware, showing that more than 300,000 systems are still infected.

He added that the “number is likely conservative.”

Krebs explained: “The DCWG measures infections by Internet protocol (IP) addresses, not unique systems. Because many systems that are on the same local network often share the same IP address, the actual number of DNSChanger-infected machines is probably quite a bit higher than 300,000.”

Worse, the malware disables installed anti-virus software, exposing users to further threats.

Users can check whether their systems are infected by DNSChanger by comparing their configured DNS servers against the ranges listed above.

DNSChanger was the tool behind an online advertising fraud scheme, run by international hackers, that hijacked approximately 570,000 computers worldwide.
