A federal judge approved the U.S. Government’s request to continue to run clean DNS servers for DNS Changer -infected victims by 120 days. The U.S. Government was initially granted a request to permit a private company to replace the rogue DNS servers with normal DNS servers. This previous decision also stated that the replacement servers must halt its operation by March 8, 2012. But with this decision, these servers have 4 more months to operate. This extension is supposed to give affected entities more time to clean their computers. This development came days after an Estonian County Court approved the extradition of four more individuals involved in Esthost operations, a subsidiary of the company Rove Digital. All six suspects who were arrested in November last year can now be extradited to the U.S. upon approval of the Estonian government.
The Esthost takedown last year was considered a triumph for the online security industry. Dubbed “Operation Ghost Click”, this collaboration among the FBI, NASA, Estonian Police, Trend Micro, and other industry partners resulted to the halting of almost 4,000,000 bots. The DNS Changer botnet was estimated to have affected millions of users and businesses. For more information on the Esthost takedown, the “largest cybercriminal takedown in history”, please refer to our previous blog posts:
Extension Means More Recovery Period for Affected Users
This extension was granted in light of new information that March 8 deadline proved to be insufficient for affected parties. A report released last month indicates that 3 million systems worldwide are still infected. The roster of victims also include 50 percent of Fortune 500 companies and almost half of all US government agencies. The US government argued that terminating the replacement servers on the previously set date will only disrupt the operations of affected businesses, corporations, and individuals.
Before the takeover, DNS Changer Trojans were found to modify settings to use DNS servers setup by malicious third parties. This modification resulted to the hijacking victims’ search results eventually leading them to malware-hosting sites and adware among other threats. The malware also prevented users from visiting security sites that might help combat this infection. This means that DNS Changer victims were exposed to malware threats for a long time.
By terminating the replacement servers now, while concerned parties are still struggling with the infection, will only result to users being cut off of their access to the Internet. Trend Micro senior threat researcher Feike Hacquebord believes that it may take some time to completely recover from the effects of the DNSChanger, “Rove Digital has been spreading DNS Changer Trojans and other malware for many years. It is not an easy task to clean up the big mess caused by malware infection campaigns spanning more than 5 years.” But Hacquebord is hopeful that this reprieve can bring more positive results, the “DNSChanger Working Group (DCWG) is working hard to help Internet service providers with informing victims and assisting them with computer clean-ups. We are hopeful that in the coming months, the number of infections will go down significantly.”
The decision to extend the deadline underscores the scope and the damages created by the Esthost operation/ Rove Digital. For the meantime, users can check if their systems are infected or not by validating their IP addresses using “eye check” sites. DCWG also provides helpful tips on how users can verify if they are affected by this botnet.