Slashdot Mirror

← Back to Stories (view on slashdot.org)

Half of Fortune 500s, US Agencies Still Infected With DNSChanger Trojan

Posted by samzenpus on from the still-here dept.

tsu doh nimh writes "Two months after authorities shut down a massive Internet traffic hijacking scheme, the malicious software that powered the criminal network is still running on computers at half of the Fortune 500 companies, and on PCs at nearly 50 percent of all federal government agencies. Internet Identity, a Tacoma, Wash. company that sells security services, found evidence of at least one DNSChanger infection in computers at half of all Fortune 500 firms, and 27 out of 55 major government entities. Computers still infected with DNSChanger are up against a countdown clock. As part of the DNSChanger botnet takedown, the feds secured a court order to replace the Trojan's DNS infrastructure with surrogate, legitimate DNS servers. But those servers are only allowed to operate until March 8, 2012. Unless the court extends that order, any computers still infected with DNSChanger may no longer be able to browse the Web. The FBI is currently debating whether to extend the deadline or let it expire."

11 of 112 comments (clear)

  1. Just goes to show you by koan · · Score: 4, Insightful

    The only people in IT that know what they are doing are the "hackers".

    --
    "If any question why we died, Tell them because our fathers lied."
    1. Re:Just goes to show you by betterunixthanunix · · Score: 4, Insightful

      Unfortunately, proving that you are better than a company's security staff often involves committing a crime, which looks bad when you are applying for a job later in life. Not everyone can be an independent consultant like Kevin Mitnick.

      --
      Palm trees and 8
    2. Re:Just goes to show you by betterunixthanunix · · Score: 4, Insightful

      Wow how wrong you are, you simply say to the corporation "I'm a security consultant want to watch me get through your security?" they say "yes", you say "pay me" and then show then how insecure their network truly is.

      Right, because the company is not going to ask to see your credentials before they pay you to attack their system. How do you get your credentials as a security consultant in the first place? How does anyone know that your time is worth paying for?

      --
      Palm trees and 8
    3. Re:Just goes to show you by Sir_Sri · · Score: 3, Insightful

      That's sort of the point. If they had any brains we wouldn't need to be telling the CEO not to have his password on a post it note on his monitor.

  2. Oh boo hoo by Anonymous Coward · · Score: 2, Insightful

    Maybe loss of service will finally motivate owners/managers to clean up the problem.

    1. Re:Oh boo hoo by WrongSizeGlass · · Score: 4, Insightful

      As part of the DNSChanger botnet takedown, the feds secured a court order to replace the Trojan's DNS infrastructure with surrogate, legitimate DNS servers. But those servers are only allowed to operate until March 8, 2012. Unless the court extends that order, any computers still infected with DNSChanger may no longer be able to browse the Web.

      Maybe loss of service will finally motivate owners/managers to clean up the problem.

      You're right. The only way that most of these companies or government agencies will even realize that they are infected/affected will be when some of their PC's stop working properly.

  3. Fuck'em by hannson · · Score: 4, Insightful

    Just shut it down, it forces them to deal with it.

    1. Re:Fuck'em by Antibozo · · Score: 4, Insightful

      They should have shut it down in the first place. It's wildly irresponsible and stupid for the FBI to have set up a replacement infrastructure.

      Presumably the hosts that are compromised had a vulnerability. Leaving a working infrastructure in place has masked the signal not only that DNSChanger was installed, but that there might be an unpatched vulnerability. If they'd shut it down, staff would have looked at the boxes and identified that there was malware installed, then cleaned up the boxes in the process and fixed their patching process. Who knows what additional malware may have been installed in the interim using the same or other unpatched vulnerabilities, because the FBI meddled?

      In addition, by taking the responsibility for maintaining a DNS infrastructure, they run the risk of contributing to another mass compromise if the replacement infrastructure is itself compromised or becomes the victim of a cache poisoning attack.

      Stupid, stupid, stupid.

  4. pathetic by Anonymous Coward · · Score: 3, Insightful

    You just know there are tons of unemployed admins who could easily sort this shit out but instead these companies hired some douchebag fratboy who flunked out of law school to run their networks...

  5. Why, when you can shame 'em too? by Zocalo · · Score: 5, Insightful

    Just re-configure the surrogate DNS servers to return the same reply to every query and point all traffic towards an FBI server hosting a web page that explains what's happened and why they are seeing the web page they are. May as well make mention of the fact that the DoJ has apparently been sending out email notifications followed up with snail mail version of these infections to the designated WHOIS abuse/tech contacts for IP ranges showing infected hosts, just in case they hadn't already figured it out for themselves. I don't think it'll take too long before someone in senior management figures out what that implies and goes for a walk over to the IT department with a clue-by-four.

    --
    UNIX? They're not even circumcised! Savages!
  6. Seriously? by sgt+scrub · · Score: 5, Insightful

    any computers still infected with DNSChanger may no longer be able to browse the Web

    There are over 250 IT departments that not only allow infected machines to remain on the network but allow users to continue to use them?!? The IT world has officially gone to shit. I'm going back to bed.

    --
    Having to work for a living is the root of all evil.