I heard that on July 9, 2012, A U.S. federal court will take offline all the remaining computers in the U.S. infected with DNS Changer botnet malware. As of late February, according to Internet Identity, 94 Fortune 500 companies and at least three government organizations had systems infected by DNS Changer. Does this mean if I have machines that are infected and don't know it, will some or all of my systems be taken down? What can I do to check for this malware?
The DNS Changer botnet malware is present across many different parts of the Internet, but the fact that large networks haven't taken action to remediate all of the systems is not a potential problem. There are other significant botnets for which we lack the visibility to measure the number of systems they infect. Many of the infected systems could be personal systems that are connected to isolated parts of enterprise networks, but the infected systems may not be isolated or even personal systems.
An enterprise could decide the risk involved with making changes to its DNS, network infrastructure or systems outweigh the risk from not remediating these systems. If there is minimal separation between network(s) with infected systems and the more secure networks, then it might be more important to mitigate the risk from this malware.
Ask the expert!
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
While your organization, large networks and government agencies still may have infected systems, the expected July 9 government action is not going to take down your network. The DNS Changer botnet takedown might break DNS resolution for the infected systems, thus having the same effect as a NIC card going bad, but most systems on a network shouldn't be affected. So while some hands-on remediation may be required, frankly that is a better alternative than turning a blind eye to enterprise endpoints that may actually be zombies powering a botnet controlled by known criminals.
To identify these potentially infected systems before the takedown happens, monitor for outgoing DNS traffic to the DNS Changer servers. The DNS Changer Working Group provides comprehensive guidance on this malware, including information on how to identify, fix and protect an organization from it.
This was first published in June 2012