Problem solve Get help with specific problems with your technologies, process and projects.

Prepare your enterprise network for the DSN Changer botnet takedown

Expert Nick Lewis details the DNS Changer botnet takedown and its impact on enterprise security. Learn how to search for DNS Changer on client machines.

I heard that on July 9, 2012, A U.S. federal court will take offline all the remaining computers in the U.S. infected with DNS Changer botnet malware. As of late February, according to Internet Identity, 94 Fortune 500 companies and at least three government organizations had systems infected by DNS Changer. Does this mean if I have machines that are infected and don't know it, will some or all of my systems be taken down? What can I do to check for this malware?

The DNS Changer botnet malware is present across many different parts of the Internet, but the fact that large networks haven't taken action to remediate all of the systems is not a potential problem. There are other significant botnets for which we lack the visibility to measure the number of systems they infect. Many of the infected systems could be personal systems that are connected to isolated parts of enterprise networks, but the infected systems may not be isolated or even personal systems.

An enterprise could decide the risk involved with making changes to its DNS, network infrastructure or systems outweigh the risk from not remediating these systems. If there is minimal separation between network(s) with infected systems and the more secure networks, then it might be more important to mitigate the risk from this malware.

Ask the expert!

Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)

While your organization, large networks and government agencies still may have infected systems, the expected July 9 government action is not going to take down your network. The DNS Changer botnet takedown might break DNS resolution for the infected systems, thus having the same effect as a NIC card going bad, but most systems on a network shouldn't be affected. So while some hands-on remediation may be required, frankly that is a better alternative than turning a blind eye to enterprise endpoints that may actually be zombies powering a botnet controlled by known criminals.

To identify these potentially infected systems before the takedown happens, monitor for outgoing DNS traffic to the DNS Changer servers. The DNS Changer Working Group provides comprehensive guidance on this malware, including information on how to identify, fix and protect an organization from it.

This was last published in June 2012

Dig Deeper on Malware, virus, Trojan and spyware protection and removal

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.