Slashdot Mirror

← Back to Stories (view on slashdot.org)

Half of Fortune 500s, US Agencies Still Infected With DNSChanger Trojan

Posted by samzenpus on from the still-here dept.

tsu doh nimh writes "Two months after authorities shut down a massive Internet traffic hijacking scheme, the malicious software that powered the criminal network is still running on computers at half of the Fortune 500 companies, and on PCs at nearly 50 percent of all federal government agencies. Internet Identity, a Tacoma, Wash. company that sells security services, found evidence of at least one DNSChanger infection in computers at half of all Fortune 500 firms, and 27 out of 55 major government entities. Computers still infected with DNSChanger are up against a countdown clock. As part of the DNSChanger botnet takedown, the feds secured a court order to replace the Trojan's DNS infrastructure with surrogate, legitimate DNS servers. But those servers are only allowed to operate until March 8, 2012. Unless the court extends that order, any computers still infected with DNSChanger may no longer be able to browse the Web. The FBI is currently debating whether to extend the deadline or let it expire."

26 of 112 comments (clear)

  1. Just goes to show you by koan · · Score: 4, Insightful

    The only people in IT that know what they are doing are the "hackers".

    --
    "If any question why we died, Tell them because our fathers lied."
    1. Re:Just goes to show you by betterunixthanunix · · Score: 4, Insightful

      Unfortunately, proving that you are better than a company's security staff often involves committing a crime, which looks bad when you are applying for a job later in life. Not everyone can be an independent consultant like Kevin Mitnick.

      --
      Palm trees and 8
    2. Re:Just goes to show you by betterunixthanunix · · Score: 4, Insightful

      Wow how wrong you are, you simply say to the corporation "I'm a security consultant want to watch me get through your security?" they say "yes", you say "pay me" and then show then how insecure their network truly is.

      Right, because the company is not going to ask to see your credentials before they pay you to attack their system. How do you get your credentials as a security consultant in the first place? How does anyone know that your time is worth paying for?

      --
      Palm trees and 8
    3. Re:Just goes to show you by Chris+Mattern · · Score: 2

      Wow how wrong you are,they say "yes", you say "pay me" and then show then how insecure their network truly is.

      Wow, you have no conception of how corporation politics work, do you? You simply say to the corporation "I'm a security consultant want to watch me get through your security?" and they say, "If you attempt to hack our systems we will prosecute you to the fullest extent of the law."

    4. Re:Just goes to show you by Sir_Sri · · Score: 3, Insightful

      That's sort of the point. If they had any brains we wouldn't need to be telling the CEO not to have his password on a post it note on his monitor.

    5. Re:Just goes to show you by Runaway1956 · · Score: 2

      Uhhhhh - no. Laminated business cards? That's geek, not professional. Pros get those cool embossed stiff paper business cards. Laminated is just to protect a geek's card from Cheeto dust.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    6. Re:Just goes to show you by silverglade00 · · Score: 2

      If they had any brains, they would know that the CEO does not need access to individual customer's credit card numbers and only needs high level reporting data so getting his password off the monitor wouldn't reveal anything that isn't published on the company's press release page.

    7. Re:Just goes to show you by deek · · Score: 2

      The only people in IT that know what they are doing are the "hackers".

      Actually, if you think about it, the crackers have a much much easier time of it. They only have to find one security issue. The people in IT have to try and cover ALL security issues. Never mind the fact that it's impossible to cover all security issues, because IT staff don't always have access to source code, are not always expert programmers, and don't necessarily know the best security practices for all programming languages.

  2. Oh boo hoo by Anonymous Coward · · Score: 2, Insightful

    Maybe loss of service will finally motivate owners/managers to clean up the problem.

    1. Re:Oh boo hoo by WrongSizeGlass · · Score: 4, Insightful

      As part of the DNSChanger botnet takedown, the feds secured a court order to replace the Trojan's DNS infrastructure with surrogate, legitimate DNS servers. But those servers are only allowed to operate until March 8, 2012. Unless the court extends that order, any computers still infected with DNSChanger may no longer be able to browse the Web.

      Maybe loss of service will finally motivate owners/managers to clean up the problem.

      You're right. The only way that most of these companies or government agencies will even realize that they are infected/affected will be when some of their PC's stop working properly.

    2. Re:Oh boo hoo by rrohbeck · · Score: 2

      Exactly. Just modify the DNS on the servers so that every entry goes to a server in fbi.gov that says "Your computer is infected and here's how to get rid of that."

      --
      thegodmovie.com - watch it
  3. Fuck'em by hannson · · Score: 4, Insightful

    Just shut it down, it forces them to deal with it.

    1. Re:Fuck'em by Antibozo · · Score: 4, Insightful

      They should have shut it down in the first place. It's wildly irresponsible and stupid for the FBI to have set up a replacement infrastructure.

      Presumably the hosts that are compromised had a vulnerability. Leaving a working infrastructure in place has masked the signal not only that DNSChanger was installed, but that there might be an unpatched vulnerability. If they'd shut it down, staff would have looked at the boxes and identified that there was malware installed, then cleaned up the boxes in the process and fixed their patching process. Who knows what additional malware may have been installed in the interim using the same or other unpatched vulnerabilities, because the FBI meddled?

      In addition, by taking the responsibility for maintaining a DNS infrastructure, they run the risk of contributing to another mass compromise if the replacement infrastructure is itself compromised or becomes the victim of a cache poisoning attack.

      Stupid, stupid, stupid.

  4. Cause is obvious by SlithyMagister · · Score: 5, Funny

    Half of all Fortune 500 Companies run Symantec Endpoint Protection as the AV "solution"

  5. Redirection? by mehrotra.akash · · Score: 4, Interesting

    After the deadline, for a few weeks, redirect all traffic from these machines to a page explaining the issue
    Or for some time before the deadline,randomly redirect some requests to a page explaining that the computer is infected and internet will not be usable from the deadline onwards.

  6. pathetic by Anonymous Coward · · Score: 3, Insightful

    You just know there are tons of unemployed admins who could easily sort this shit out but instead these companies hired some douchebag fratboy who flunked out of law school to run their networks...

    1. Re:pathetic by sgt+scrub · · Score: 4, Funny

      The guy in charge of hiring is the bosses son and he "knows the internet".

      --
      Having to work for a living is the root of all evil.
  7. Why, when you can shame 'em too? by Zocalo · · Score: 5, Insightful

    Just re-configure the surrogate DNS servers to return the same reply to every query and point all traffic towards an FBI server hosting a web page that explains what's happened and why they are seeing the web page they are. May as well make mention of the fact that the DoJ has apparently been sending out email notifications followed up with snail mail version of these infections to the designated WHOIS abuse/tech contacts for IP ranges showing infected hosts, just in case they hadn't already figured it out for themselves. I don't think it'll take too long before someone in senior management figures out what that implies and goes for a walk over to the IT department with a clue-by-four.

    --
    UNIX? They're not even circumcised! Savages!
    1. Re:Why, when you can shame 'em too? by dissy · · Score: 2

      The FBI is partnered up with GoDaddy, who historically they let handle these types of things.

      They can let GoDaddy host the page, and their network wouldn't even notice it next to the other billion and a half parked and expired domain auction pages.

      I'd be a little surprised of GoDaddy isn't who is currently providing the DNS infrastructure for what they are already doing anyway.

      A tiny text web page with no graphics could easily come in at under 2kb.
      Their servers support Z compression, so at least for all non-IE6 browsers the data transferred over the wire will be even less than that.

      Of course if the FBI is logging all the DNS lookups from infected computers, to add that data to their massive database-of-such-things, then perhaps they will renew the court order and keep silently redirecting people like they have been, to continue recording...

  8. Seriously? by sgt+scrub · · Score: 5, Insightful

    any computers still infected with DNSChanger may no longer be able to browse the Web

    There are over 250 IT departments that not only allow infected machines to remain on the network but allow users to continue to use them?!? The IT world has officially gone to shit. I'm going back to bed.

    --
    Having to work for a living is the root of all evil.
  9. IPv5 by Anonymous Coward · · Score: 3, Funny

    According to the explanation picture in TFA, the address for the contact page of fbi.gov is 987.654.321. Is that IPv5?

    1. Re:IPv5 by ColdWetDog · · Score: 4, Funny

      According to the explanation picture in TFA, the address for the contact page of fbi.gov is 987.654.321. Is that IPv5?

      That's their phone number, you idiot. The FBI doesn't use computers yet.

      --
      Faster! Faster! Faster would be better!
  10. Like playing Whack A Mole by djl4570 · · Score: 5, Interesting

    Back in the mid nineties I had to deal with clueless users installing various crapletts on their systems. Screen savers, animated icons, animated cursors and games mostly downloaded from BBS's, AOL, Prodigy, Delphi etc. As soon as you cleaned up one outbreak there was another. Of course upper management was silent on the matter of installing the crapletts. Here we are fifteen years later and it's the same song. I'm sure the IT departments want to clean this up but upper management isn't providing the necessary support.

  11. Re:Window only? by Nerdfest · · Score: 2

    I was poking around and found some tips for removing it from OS X machines, so I'm guessing it can affect those.

  12. If the just turn them off... by geekprime · · Score: 2

    If the just turn them off then the systems wit the problems will HAVE to be fixed, isn't that the idea?

    Perhaps instead of just turning them off when the time is up, start now by redirecting every request to a webpage explaining what is wrong and
    a link to a removal tool.

  13. Re:MSE? by ConceptJunkie · · Score: 2

    That's about 3 steps too many. That's why it doesn't happen.

    --
    You are in a maze of twisty little passages, all alike.