I heard that on July 9, 2012, A U.S. federal court will take offline all the remaining computers in the U.S. infected...
with DNS Changer botnet malware. As of late February, according to Internet Identity, 94 Fortune 500 companies and at least three government organizations had systems infected by DNS Changer. Does this mean if I have machines that are infected and don't know it, will some or all of my systems be taken down? What can I do to check for this malware?
The DNS Changer botnet malware is present across many different parts of the Internet, but the fact that large networks haven't taken action to remediate all of the systems is not a potential problem. There are other significant botnets for which we lack the visibility to measure the number of systems they infect. Many of the infected systems could be personal systems that are connected to isolated parts of enterprise networks, but the infected systems may not be isolated or even personal systems.
An enterprise could decide the risk involved with making changes to its DNS, network infrastructure or systems outweigh the risk from not remediating these systems. If there is minimal separation between network(s) with infected systems and the more secure networks, then it might be more important to mitigate the risk from this malware.
Ask the expert!
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
While your organization, large networks and government agencies still may have infected systems, the expected July 9 government action is not going to take down your network. The DNS Changer botnet takedown might break DNS resolution for the infected systems, thus having the same effect as a NIC card going bad, but most systems on a network shouldn't be affected. So while some hands-on remediation may be required, frankly that is a better alternative than turning a blind eye to enterprise endpoints that may actually be zombies powering a botnet controlled by known criminals.
To identify these potentially infected systems before the takedown happens, monitor for outgoing DNS traffic to the DNS Changer servers. The DNS Changer Working Group provides comprehensive guidance on this malware, including information on how to identify, fix and protect an organization from it.
Related Q&A from Nick Lewis
As the Angler exploit kit evolves and adopts new functionality, it's becoming harder to detect and defend against. Enterprise threats expert Nick ...continue reading
A proof-of-concept attack on Apple's Siri allowed researchers to steal data from iOS. Learn more about the iStegSiri attack and how to defend against...continue reading
A new global email scam has cost enterprises millions. Expert Nick Lewis explains how to defend against man-in-the-email attacks with proper training...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.