Companies and home users whose computers or routers are infected by the DNSChanger Trojan risk being unable to access the Web come March 8, 2012, when the FBI unplugs the legitimate DNS servers it set up to replace the rogue DNS servers that were forwarding victims to malicious sites. The removal of the feds' Band-Aid could impact a substantial number of users, too, as half of Fortune 500 companies and government agencies are infected with the malware, according to a new report.
Back in November, the feds famously took down the DNSChanger botnet network, which a cybercriminal gang was using to redirect Internet traffic to phony websites that existed simply to serve up ads. To prevent the disruption of Internet traffic - and likely to monitor where DNSChanger traffic was coming from - the feds replaced the criminals' servers with clean ones that would push along traffic to its intended destination. Without the surrogate servers in place, infected PCs would have continued trying to send requests to the now-unplugged rogue servers, resulting in DNS errors.
That surrogate network was supposed to be temporary -- in operation just long enough for companies and home users to remove DNSChanger malware from their machines. Said network is slated to be unplugged on March 8. Once the surrogate server network is unplugged, computers infected with DNSChanger will not be able to access the Internet: The malware will send requests to servers that will no longer be online.
Unfortunately, the cleanup process has been slow, according to security company IID (Internet Identity): The company reports that at least 250 of the Fortune 500 companies and 27 out of 55 major government entities had at least one computer or router that was infected with DNSChanger in early 2012.
Companies and users may get a reprieve. According to Krebs on Security, the FBI's DNSChanger Working Group is weighing its options, including requesting a court order to extend the March 8 deadline.
Would providing an extension be the most prudent move, though?
It potentially reduces the disruption and chaos that would ensue if so many organizations and users abruptly found themselves cut off from the Web. But companies and users need to take advantage of the extension to clean their systems, and history suggests that won't be the case. The Conficker worm is still infecting millions of machines, despite the fact that the FBI has been actively trying to clean up that malware mess since 2009, Krebs on Security notes.
Another drawback to an extension is the longer the delay, the longer machines remain infected. The DNSChanger malware still poses a risk, even if it's not rerouting traffic, because the Trojan disables a machine's ability to get software updates. That means some systems infected with DNSChanger haven't gotten any critical patches in months, making them prime targets for malicious hackers.
This fact does raise the question of why so many Fortune 500 companies and government agencies have failed to notice they have a problem, as they presumably have IT security professionals on staff who should be monitoring such incidents.
Another drawback: Keeping the surrogate network humming requires tax dollars and government resources that could be better spent elsewhere.
Given the uncertainty of what the feds will decide, organizations and home users alike would be well served to tackle the problem now, rather than playing the ever-risky waiting game. Organizations can determine if their systems are infected with DNSChanger by contacting the DNS Changer Working Group. Home users can check out the DCWG website for step-by-step instructions to determine if their systems are infected.
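The check the DCWG instructions boil down to is reading which resolvers a host is actually using and comparing them against the rogue DNSChanger netblocks. The script below is an added example, not code from the article or from the DCWG; the netblocks in it are labelled placeholders (RFC 5737 TEST-NET ranges) standing in for the list the DCWG publishes, and the resolv.conf and ipconfig inputs are constructed samples.

```python
import ipaddress
import re
from typing import Iterable, List

# Placeholder netblocks (RFC 5737 TEST-NET ranges); the actual rogue DNSChanger
# resolver ranges are published by the DCWG and belong here instead.
ROGUE_RESOLVER_RANGES = [ipaddress.ip_network("192.0.2.0/24"),
                         ipaddress.ip_network("198.51.100.0/24")]
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_IPV4_ONLY = re.compile(r"\s*(?:\d{1,3}\.){3}\d{1,3}\s*")

def resolvers_from_resolv_conf(text: str) -> List[str]:
    """Extract nameserver addresses from /etc/resolv.conf-style text."""
    found = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.append(parts[1])
    return found

def resolvers_from_ipconfig(text: str) -> List[str]:
    """Extract DNS servers from 'ipconfig /all'-style output, including the
    indented continuation lines Windows prints for additional servers."""
    found, in_dns_block = [], False
    for line in text.splitlines():
        if "DNS Servers" in line:
            found += _IPV4.findall(line)
            in_dns_block = True
        elif in_dns_block and _IPV4_ONLY.fullmatch(line):
            found.append(line.strip())
        else:
            in_dns_block = False
    return found

def flag_rogue(resolvers: Iterable[str]) -> List[str]:
    """Return the configured resolvers that fall inside a known-rogue netblock."""
    flagged = []
    for r in resolvers:
        try:
            addr = ipaddress.ip_address(r)
        except ValueError:
            continue  # malformed entry: skip it rather than abort the audit
        if any(addr in net for net in ROGUE_RESOLVER_RANGES):
            flagged.append(r)
    return flagged

# Constructed samples: a Linux host pointed at a placeholder rogue resolver,
# and a Windows host whose second DNS server sits in a placeholder rogue range.
SAMPLE_RESOLV_CONF = "# constructed\nnameserver 192.0.2.10\nnameserver 8.8.8.8\n"
SAMPLE_IPCONFIG = ("   DNS Servers . . . . . . . . . . . : 9.9.9.9\n"
                   "                                       198.51.100.7\n")
```

On a real host, feed the contents of /etc/resolv.conf or the output of `ipconfig /all` to the matching parser and pass the result to `flag_rogue`; a non-empty result means the host (or the router handing out its DNS settings) still points at a rogue resolver.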
This story, "Security slackers risk Internet blackout on March 8," was originally published at InfoWorld.com.