Answer

Prepare your enterprise network for the DSN Changer botnet takedown

I heard that on July 9, 2012, A U.S. federal court will take offline all the remaining computers in the U.S. infected with DNS Changer botnet malware. As of late February, according to Internet Identity, 94 Fortune 500 companies and at least three government organizations had systems infected by DNS Changer. Does this mean if I have machines that are infected and don't know it, will some or all of my systems be taken down? What can I do to check for this malware?

    Requires Free Membership to View

The DNS Changer botnet malware is present across many different parts of the Internet, but the fact that large networks haven't taken action to remediate all of the systems is not a potential problem. There are other significant botnets for which we lack the visibility to measure the number of systems they infect. Many of the infected systems could be personal systems that are connected to isolated parts of enterprise networks, but the infected systems may not be isolated or even personal systems.

An enterprise could decide the risk involved with making changes to its DNS, network infrastructure or systems outweigh the risk from not remediating these systems. If there is minimal separation between network(s) with infected systems and the more secure networks, then it might be more important to mitigate the risk from this malware.

Ask the expert!

Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)

While your organization, large networks and government agencies still may have infected systems, the expected July 9 government action is not going to take down your network. The DNS Changer botnet takedown might break DNS resolution for the infected systems, thus having the same effect as a NIC card going bad, but most systems on a network shouldn't be affected. So while some hands-on remediation may be required, frankly that is a better alternative than turning a blind eye to enterprise endpoints that may actually be zombies powering a botnet controlled by known criminals.

To identify these potentially infected systems before the takedown happens, monitor for outgoing DNS traffic to the DNS Changer servers. The DNS Changer Working Group provides comprehensive guidance on this malware, including information on how to identify, fix and protect an organization from it.

This was first published in June 2012

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: