DNSChanger threat isn't over yet: security experts

In spite of the Federal Bureau of Investigation shutting down servers associated with the DNSChanger virus on July 9, about 210,000 unique IPs are still said to be infected. After the shutdown, it was reported that only a tiny fraction of users are still infected by the malware and some ISPs have established their own DNS backup servers for the stragglers. The current number of affected IPs is quite less compared to the initial four million infections, but security experts believe that DNSChanger still poses a threat.

DNSChanger threat far from over...(Image credit: Getty Images)

Paul Vixie, Chairman and Founder of the Internet Security Consortium (which ran and managed the servers on behalf of the FBI operation), said that by slowly pulling off the BandAid and keeping infected users from losing their DNS, ISPs are only masking the danger. The idea is to rip it [the BandAid] off instead. He added, "We could measure that infections went down 50 percent with the setup. But at a certain point, you reach diminishing returns. Every one of those still-infected machines is a danger to its owner and to the rest of us. Given how easily targetable they are, I'm worried about the 210,000 still out there."

"The ISPs are essentially expanding the deadline on their own. But that's also extending the period of infection," said Dan Brown, Director of Security Research at Bit9. Security experts say DNSChanger was actually a secondary infection, in many cases, to the TDSS malware. "The primary malware was a botnet piece of TDSS that instructed the machine to download DNSChanger. Some of the more important security lessons were pushed under the rug. One thing that happens is, when you find malware, it's often not the only malware on that system," added Brown.

DNSChanger is a computer programme that redirects Internet traffic from infected computers to fake websites. A McAfee spokesperson earlier revealed that according to the data provided by DNSChanger Working Group, India has the third-highest number of DNS infections after the United States and Italy. The data by DNSChanger Working Group (DCWG) also revealed that there were a maximum of over 69,500 infected PCs in the U.S. In Italy, there were about 26,500 infected systems, which takes the second place, followed by India and the UK. The UK was estimated to have about 19,589 infected PCs.

As a part of ‘Operation Ghost Click’, FBI took control of the servers used by the cyber criminals last year. Subsequently, the FBI replaced the rogue servers with temporary legitimate servers so that the Internet activities of those with infected PCs would not be disrupted. These servers were finally shut on July 9, 2012. McAfee has released a free tool to assist consumers whose machines have been infected by the DNSChanger trojan.