Malware Monday: Is Big Business Next?
About 12 percent of all Fortune 500 companies and four percent of major U.S. federal agencies are still infected with DNSChanger malware, facing the risk of going offline today.
Security group Internet Identity released an infographic last month detailing how DNSChanger has infiltrated Fortune 500 companies and major government organizations. Today, the FBI will follow a court order to take down the temporary servers that enable millions of computers and routers infected with DNSChanger to still reach their intended Internet destinations.
“DNSChanger is an insidious form of malware affecting everyone from the everyday consumer to a large chunk of the Fortune 500,” said IID CEO Lars Harvey. “By working together to pool collective intelligence on the latest security threats, enterprises can ensure DNS resolvers do not enable employees to visit Internet locations hosting malware like DNSChanger—protecting their customer confidence, revenue, intellectual property and much more. We look forward to working with enterprises to accomplish this.”
To illustrate just how pervasive and problematic DNSChanger has been since being discovered in late 2005, IID has designed the first infographic detailing this malware infection. In addition to a timeline of how DNSChanger has progressed and an illustration of the collective intelligence that has helped combat the malware, the infographic shows exactly how employees at Fortune 500 companies became infected and how the malware’s spread could have easily been stopped.
“By changing a computer’s DNS settings, malware authors can control what websites a computer connects to on the Internet, and can force a compromised computer to connect to a fraudulent website or redirect the computer away from an intended website,” security vendor Symantec said. “To do that, a malware author needs to compromise a computer with malicious code, which in this case is DNSChanger. Once the computer is compromised, the malware modifies the DNS settings from the ISP’s legitimate DNS server’s address to the rogue DNS server’s address.”
Commenting on reports that computer users across the globe face Internet ‘downtime’ on Monday 9th July because of malware infections, Stephen Bonner, a partner within KPMG’s Information Protection and Business Resilience team, says: “The risk of downtime due to malware infections is nothing new and is potentially being over-inflated, but old news should not be an excuse for inertia or complacency because the impact of security breaches cannot be underestimated.
“The diligence of the FBI means that for organisations with affected PCs it is relatively easy to find out which of their machines are at risk. Yet, with analysis suggesting that 1 in 10 Forbes 500 companies are still exposed to malware attacks, the onus must be on these organisations to take preventative measures.
“Rather than wait for disruption and the inevitable impact on business, organisations urgently need to focus their efforts on establishing an inventory of their PCs, testing and protecting them. Those must be the short-term goals, but long-term they should establish pragmatic approaches towards ensuring systems are constantly updated. Anything less and Malware Monday could become a daily concern.”
IID’s ActiveTrust Resolver solution is being used by some of the world’s largest companies to stop their employees and systems from ever being able to connect with Internet locations loaded with malware like DNSChanger—fundamentally acting as a DNS firewall. ActiveTrust Resolver leverages collective intelligence on Internet security events to prevent these connections. IID amasses this real-time intelligence on the latest Internet security threats through a network of customers that includes five of the six largest banks in the U.S., the largest government agencies worldwide, and many of today’s leading financial services firms, e-commerce, social networking and ISP companies along with partnerships with hundreds of global law enforcement, security vendors, security researchers, and customers.
Because infected computers and routers will have no servers answering their DNS requests after July 9, the Internet will effectively go dark for people using those computers or routers. DNSChanger has a second effect: if an enterprise employee has the malware on their computer even before the temporary servers go down, that enterprise is susceptible to having its proprietary information stolen. That’s because DNSChanger disables Anti-Virus (A/V) and regular software updates, exposing victims to attacks from other virus families. This enables criminals to view data, exchanged messages and more on a victim’s computer, depending on what else the victim’s machine is infected with.
By utilizing its ActiveKnowledge Signals system and data from other leading security and Internet infrastructure organizations, IID found that at least 58 Fortune 500 companies and two out of 55 major government entities had at least one computer or router infected with DNSChanger. In January 2012, IID had found that half of all Fortune 500 companies and U.S. federal agencies were infected with DNSChanger.
Along with several other organizations and companies who have teamed up to combat DNSChanger by forming the DNS Changer Working Group, IID is offering to help identify the IP addresses of machines infected by DNSChanger on any enterprise’s network for free. All an enterprise needs to do is send IID their Classless Inter-Domain Routing (CIDR) blocks and IID will let them know if they’ve got an infection.
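The mechanism Symantec describes above (resolver settings rewritten to point at a rogue DNS server) and the IID offer to identify infected hosts from an enterprise’s CIDR blocks both reduce to the same network check: which internal hosts are sending DNS queries to resolvers that are not the sanctioned ones, and which of those destinations fall in known rogue ranges. The script below is an added example, not IID’s or Symantec’s code; the log lines, the approved-resolver addresses, the enterprise CIDR block and the rogue range are all constructed placeholders (the real rogue ranges come from the DNS Changer Working Group).

```python
import ipaddress
import re

# Constructed firewall log sample: one line per outbound flow (not real traffic).
SAMPLE_LOG = """\
2012-07-09T08:01:12Z src=10.20.5.17 dst=10.20.0.53 proto=udp dport=53
2012-07-09T08:01:13Z src=10.20.5.42 dst=203.0.113.77 proto=udp dport=53
2012-07-09T08:01:15Z src=10.20.7.9 dst=198.51.100.5 proto=udp dport=53
2012-07-09T08:01:16Z src=10.20.5.17 dst=10.20.0.54 proto=udp dport=53
2012-07-09T08:01:18Z src=172.16.3.3 dst=203.0.113.78 proto=udp dport=53
2012-07-09T08:01:20Z src=10.20.9.3 dst=192.0.2.10 proto=tcp dport=443
"""

# Placeholder values: the enterprise's own address space (the CIDR blocks it would
# send to IID), the resolvers it sanctions, and the rogue resolver ranges.
ENTERPRISE_CIDRS = [ipaddress.ip_network("10.20.0.0/16")]
APPROVED_RESOLVERS = {ipaddress.ip_address("10.20.0.53"),
                      ipaddress.ip_address("10.20.0.54")}
ROGUE_RESOLVER_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]  # placeholder

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")


def in_any(ip, networks):
    return any(ip in net for net in networks)


def classify_dns_flows(log_text):
    """Return two dicts keyed by source host: hosts using a resolver outside the
    approved set, and the subset whose resolver is in a known rogue range."""
    unapproved, rogue = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group(4) != "53":
            continue  # not a DNS flow
        src, dst = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
        if not in_any(src, ENTERPRISE_CIDRS):
            continue  # outside the blocks we are responsible for
        if dst in APPROVED_RESOLVERS:
            continue  # expected behaviour
        unapproved.setdefault(str(src), set()).add(str(dst))
        if in_any(dst, ROGUE_RESOLVER_CIDRS):
            rogue.setdefault(str(src), set()).add(str(dst))
    return unapproved, rogue


if __name__ == "__main__":
    for label, hits in zip(("unapproved", "rogue"), classify_dns_flows(SAMPLE_LOG)):
        print(label, hits)
```

Hosts in the first dict but not the second still deserve a look, since a rewritten resolver setting that points at a range not yet on the rogue list is the same symptom.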