Half of all Fortune 500 companies and major US government agencies own computers infected with the "DNSChanger" malware that redirects users to fake websites and puts organisations at risk of information theft, a security company warned yesterday.
DNSChanger, which at its peak was installed on more than four million Windows PCs and Macs worldwide - a quarter of them in the US alone - was the target of a major takedown organised by the US Department of Justice last November.
The takedown and accompanying arrests of six Estonian men, dubbed "Operation Ghost Click," was the culmination of a two-year investigation, although some security researchers have been tracking the botnet since 2006. As part of the operation, the FBI seized control of more than 100 command-and-control (C&C) servers hosted at US data centres.
According to Tacoma, a Washington-based Internet Identity (IID, which provides security services to enterprises, half of the firms in the Fortune 500, and a similar percentage of major US government agencies, harbour one or more computers infected with DNSChanger.
IID used telemetry from its monitoring of client networks, as well as third-party data, to claim that at least 250 of the Fortune 500 companies and 27 out of 55 major government agencies had at least one computer or router infected with DNSChanger as of early this year.
The still-infected machines pose several problems, said experts.
"Initially, DNSChanger was worrisome because it could redirect you from a safe location to a dangerous one controlled by criminals," said Rod Rasmussen, the chief technology officer of IID. "However, the FBI temporarily fixed that. Now, the big worry is that machines that are still infected face a second vulnerability - they are left with little if any security."
That's because DNSChanger also blocks software updates - the patches vendors like Microsoft issue to fix flaws - and disables installed security software.
Others, however, have pointed out that computers still infected with DNSChanger have only weeks before they will be crippled.
As part of Operation Ghost Click, a federal judge approved a plan where clean DNS servers were deployed by the Internet Systems Consortium (ISC), the non-profit group that maintains the popular BIND DNS open source software. Without that move, infected systems would have been immediately cut off from the internet when the FBI seized the criminals' domain servers.
But the ISC was authorised to maintain the alternate DNS servers only for 120 days, or until early next month.
"The ISC will shut down the DNS servers in March and anybody who is still using those servers will then lose access to the Internet," said Wolfgang Kandek, chief technology officer of Qualys.
Qualys has added DNSChanger detection to its free BrowserCheck tool that runs on Windows PCs, while the umbrella organization DNSChanger Working Group - of which IID is a member - has created a website that steps users through the process of detecting and infected PCs and Macs.